Manage user profiles

Universal Directory (UD) is a platform that delivers rich user profiles and fine-grained control over how attributes flow between applications. This enhancement makes it easier for organizations to create and maintain a single source of truth for its usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control., enabling new authentication and provisioning scenarios.

With UD and Profile Editor, you can:
  • Store rich profiles of user attributes in Okta.
  • Customize these profiles with custom attributes.
  • Bi-directionally map and move attributes from Okta and applications.
  • Transform attributes prior to storing or moving with a powerful expression language.

These capabilities enable you to do the following:

Warning: Universal Directory and the accompanying Profile Editor features are very powerful options. The alteration of profiles and mappings can have unintended effects in downstream apps — please be cautious when making such changes. Note that when an attribute in a user's profile triggers an update, Okta updates the user's entire profile in the application.

Using Universal Directory

The following explains UD features, configuration of features, and use-cases. Topics include

Profiles (Okta End User and App User)

UD introduces profiles, representations of user accounts. In particular, UD supports two types of profiles: the Okta End User profile, and the App user profile. The two profile types are used to store rich attributes in Okta and move rich attributes from Okta to 3rd-party apps.

Use the Profile Editor to view or modify these profiles: Directory > Profile Editor.

App User Profile

An app user profile represents a user in a 3rd-party application, directory, or identity provider (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.). The app user profile lists the 3rd-party's attributes that Okta can read and write to (read-only for IdP). This profile is used to control the attributes that Okta pushes to an app or the attributes imported from an app into Okta.

Similar to Okta user profiles, app profiles have both base attributes and custom attributes. Custom attributes for app user profiles differ from those for Okta user profiles. Whereas Okta user profiles can be extended with any custom attribute, app user profiles can only be extended with attributes from a predefined list that Okta dynamically generates. Okta generates the list of attributes by querying the 3rd-party application or directory for supported attributes.

Note: Active Directory users, look here for details on Using Custom Attributes with Active Directory.

Rich SAML Assertions and WS-Fed Claims

UD attributes can be sent in SAML assertions and WS-Fed claims. Apps can consume rich SAML assertions and WS-Fed claims to do the following:

  • Create rich user accounts in the app
  • Update accounts with rich data
  • Make fine-grained authorization decisions

Configure Rich SAML Assertions and WS-Fed Claims

Currently, only the App Integration Wizard, Template WS-Fed and Template SAML 2.0 can send UD data.

Note: The Template SAML 2.0 is deprecated.

To configure this:

  1. Add the App Integration Wizard, Template WS-Fed or Template SAML 2.0.
  2. Locate the attribute statements field.
    • Labeled Attribute Statements in the App Integration Wizard
    • Labeled Custom Attribute Statements in the Template WS-Fed App
    • Labeled Attribute Statements in the Template SAML 2.0 App
  3. Enter UD attributes in the attribute statements field.
    For information about the attribute statements field, see Mapping Active Directory, LDAP, and Workday Values in a Template SAML or WS Fed Applications and Using the App Integration Wizard.