
Profile Editor

Universal Directory (UD) is a platform that delivers rich user profiles and fine-grained control over how attributes flow between applications. This enhancement makes it easier for organizations to create and maintain a single source of truth for their users, enabling new authentication and provisioning scenarios.

When UD is enabled for your Okta org, you'll have access to the new Profile Editor page in the Admin Console. This resource provides several new capabilities:
  • Store rich profiles of user attributes in Okta.
  • Customize these profiles with custom attributes.
  • Bi-directionally map and move attributes from Okta to applications.
  • Transform attributes prior to storing/moving with a powerful

These new capabilities enable you to do the following:

Warning: Universal Directory and the accompanying Profile Editor features are very powerful options. The alteration of profiles and mappings can have unintended effects in downstream apps — please be cautious when making such changes. Note that when an attribute in a user's profile triggers an update, Okta updates the user's entire profile in the application.

Using Universal Directory

The following explains UD features, configuration of features, and use-cases. Topics include

Profiles (Okta User and App User)

UD introduces profiles, representations of user accounts. In particular, UD supports two types of profiles: the Okta User profile, and the App user profile. The two profile types are used to store rich attributes in Okta and move rich attributes from Okta to 3rd-party apps.

Use the Profile Editor to view or modify these profiles: Directory > Profile Editor.

The Okta User Profile

The Okta user profile represents a user in Okta (an Okta account) and consists of two parts: base attributes and custom attributes. To view the Okta user profile:

  1. Go to Directory > Profile Editor.
  2. Click the Okta filter.
  3. For the Okta User, click Profile in the Actions column.

Okta has defined 31 default base attributes for all users in an org. These base attributes are fixed and cannot be modified or removed. If you wish to add more attributes to the user profile, you can add them as custom attributes.

Add or remove custom attributes to a directory schema

  1. Go to Directory > Profile Editor.
  2. In the Filters column, click Directories.
  3. For the directory that you want to modify, click Profile in the Actions column.
  4. Under Attributes, click Add Attribute.

    The type of window that opens depends on whether you are using the Generally Available or Early Access version of LDAP:

Add Custom Attributes to a user profile

You can extend an Okta User profile by adding an attribute to the custom portion of the profile. Base attributes cannot be altered.

  1. Select User under the Okta profile type.
  2. Click Add Attribute.
  3. Enter information in the following fields:
    • Display name: A human readable label that will appear in the UI
    • Variable name: Name of attribute that can be referenced in mappings
    • Description: Description of the attribute
    • Data type: There are 7 admissible data types:
      • string: a chain of zero or more Unicode characters (letters, digits, and/or punctuation marks)
      • number: floating-point decimal in Java's 64-bit Double format. For details see the Platform Specification.
      • boolean: stores true, false, or null data values
      • integer: whole numbers in Java's 64-bit Long format
      • array of string: sequential collection of strings
      • array of number: sequential collection of numbers
      • array of integer: sequential collection of integers
  4. When completed, click Add Attribute or, to add more than one, click Save and Add Another.
  5. After adding the attribute, configure the following:
    • Attribute required: Select this checkbox if the attribute must be populated.
    • User permission: Choose options to hide the attribute or make it read-only or read-write.
  6. Click Add Attribute.

App User Profile

An app user profile represents a user in a 3rd-party application, directory, or identity provider (IdP). The app user profile lists the 3rd-party's attributes that Okta can read and write to (read-only for IdP). This profile is used to control the attributes that Okta pushes to an app or the attributes imported from an app into Okta.

Similar to Okta user profiles, app profiles have both base attributes and custom attributes. Custom attributes for app user profiles differ from those for Okta user profiles. Whereas Okta user profiles can be extended with any custom attribute, app user profiles can only be extended with attributes from a predefined list that Okta dynamically generates. Okta generates the list of attributes by querying the 3rd-party application or directory for supported attributes.

Note: Active Directory users, look here for details on Using Custom Attributes with Active Directory.

Mappings

Profile mappings allow administrators to precisely control the attributes exchanged during provisioning processes. The two chief use-cases that UD facilitates are

  • App to Okta
  • Okta to app

In the first use-case (App to Okta), organizations typically use a source-of-truth app such as a directory or human resources system. Some organizations might have several sources of truth. Mappings define how attributes from these various sources are imported into the Okta user profile.

The diagram below illustrates the first use case. In the example, Active Directory (AD) and Workday supply the Okta user profile with attributes (AD provides FirstName and LastName; Workday provides Boss). The diagram illustrates the mapping of givenName and sn to FirstName and LastName (from AD to Okta), and it shows the mapping from managerUserName to Boss (from Workday to Okta).

User-added image

In the second use-case (Okta to App), organizations wish to propagate the data in Okta to other applications to provision accounts and update accounts with rich data. This is possible if the Okta user profile has rich attributes and the app in Okta is UD-upgraded.

The following diagram illustrates the second use-case. In the example, Okta sends four attributes to Google. The diagram shows the mappings of four Okta user profile attributes to four Google App user profile attributes.

User-added image

Using the Profile Mapping Tab

To create a mapping between an Okta user profile and an app user profile:

  1. Identify the app, directory, or IdP to map.
  2. Select either the Profile or the Mappings button for the App user profile.

    User-added image

  3. Select the desired tab.

    User-added image

    a. App to Okta (highlighted in red) maps the flow of attributes from the app to Okta.

    • An app user profile contains the source attributes; Okta is the target.

    b. Okta to App (highlighted in blue) maps the flow of attributes from Okta to the app.

    • Okta contains the source attributes; an app user profile is the target.
  4. Map attributes (highlighted in orange) in the right tab.

    a. Scroll through the attribute mappings.

    b. Ensure that required attributes in the target are mapped.

    • The Okta or app user profile indicates which are required.

    c. Define mappings using the drop-down menu or expressions:

    • Use the drop-down menu to directly populate target attributes with source attributes.
    • Use expressions to populate target attributes with concatenated or transformed values.
    • See Using Expressions (Transformations) below for details.
  5. Configure the profile push frequency (Optional). Mapping can be
    • applied on user create and update.
    • applied on user create only.
    • disabled.

    For details on this feature, see Using Selective Profile Push.

  6. Once you have completed your changes, a best practice is to check your mappings using the Preview button. For details on how to use this feature, see Universal Directory - Preview Mapping.
  7. Click Save Mappings to save your choices.

To remove a mapping, simply delete the entry from the field. When successfully deleted, the attribute's label changes to Add mapping.

Using Expressions (Transformations)

The details above describe how to map attributes that flow from one source to another without modification. For example, a first name of "John" imported from Google gets stored as "John" in Okta. However, if you wish to modify attributes before storing them in Okta or sending them to apps, you can do this with expressions within the mappings.

Expressions allow you to concatenate attributes, manipulate strings, convert data types, and more. Okta supports a subset of the Spring Expression Language (SpEL) functions. Find a comprehensive description of the supported functions under Okta Expression Language. All functions work in UD mappings.

Disclaimer: While some functions (namely string) work in other areas of the product (e.g., SAML 2.0 Template attributes and custom username formats), not all do.

Expressions are useful for maintaining data integrity and formats across apps. For example, you might wish to use an email prefix as a username, bulk replace an email suffix, or populate attributes based on a combination of existing ones (e.g., displayName = lastName, firstName).

Configure Expressions

To configure an expression, do the following:

  1. Navigate to the Mappings page of the app (instructions are in the Configure Mappings section).
  2. Enter the desired expression in the Attribute Mapping field.
  3. Preface the variable name(s) with the corresponding object/profile.

    a. source refers to the object on the left hand side:

    • Can be used in either Okta to App or App to Okta mappings.
    • Example: source.firstName

    b. user refers to the Okta user profile:

    • Can only be used in the Okta to App mapping.
    • Example: user.firstName

    c. appUser (implicit reference) refers to the in-context app (not Okta user profile):

    • Can only be used in the App to Okta mapping.
    • Example: appUser.firstName

    d. appUserName (explicit reference) refers to a specific app by name:

    • Can be used in either Okta to App or App to Okta mappings.
    • Is used to reference an app outside the mappings.
    • Example: google.nameGivenName
    • If multiple instances of an app are configured, each app user profile has a different variable name appended with an underscore and an incremented number.
    • Example: google, google_1, google_2, etc.
  4. To find instance and variable names for the above step, use the Profile Editor.

    a. Navigate to People > Profile Editor > Profiles.

    b. View an Okta user profile and note the instance and variable name.

    c. View an app user profile and note the instance and variable name.

    Example screenshots of expressions:
    User-added image
    User-added image

Username Overrides

UD allows you to handle the most demanding username requirements. Constructing custom Okta usernames or application usernames with UD's data and expression language is easy.

Example use cases:

  1. Construct an Okta username by concatenating multiple imported attributes.
  2. Create differently formatted usernames using conditionals. For example:
    • If attribute1 = A, then username should end in acme.com. Otherwise, username should end in acme-temp.com.
    • Example: john.doe@acme.com, john.doe@acme-temp.com
    • This is useful for distinguishing between different types of users (such as employees vs. contractors).
  3. Construct app usernames from attributes in various sources.
  4. Enforce a max length by truncating.
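As an added example (not Okta's own code or expression engine), the following Python dry-run models the use cases listed above and in Using Expressions (Transformations): an email prefix used as a username, a lastName, firstName display name, a conditional username suffix with max-length truncation, and the merge of AD and Workday attributes into one Okta profile with a required-attribute check of the kind Preview is meant to catch. The sample records, the USERNAME_MAX_LEN limit, the required-attribute list and the Okta EL equivalents quoted in the docstrings are assumptions to be checked against the Okta Expression Language reference.

```python
"""Dry-run of UD-style mapping expressions on constructed sample profiles."""

# Constructed sample source records: one AD user and one Workday record.
AD_USER = {"givenName": "John", "sn": "Doe", "mail": "John.Doe@acme.com"}
WORKDAY_USER = {"managerUserName": "jane.roe"}

# Okta base attributes assumed to be required in the target profile
# (login, firstName, lastName and email are Okta base attributes;
# Boss is the custom attribute from the page's Workday example).
OKTA_REQUIRED = ("login", "firstName", "lastName", "email")


def email_prefix(email: str) -> str:
    """Email local part, e.g. to use as a username.
    Okta EL equivalent (assumed): String.substringBefore(source.mail, "@")"""
    return email.split("@", 1)[0]


def display_name(last: str, first: str) -> str:
    """displayName = lastName, firstName.
    Okta EL equivalent (assumed): String.join(", ", user.lastName, user.firstName)"""
    return f"{last}, {first}"


def okta_username(email: str, attribute1: str, max_len: int) -> str:
    """Conditional suffix (attribute1 == "A" -> acme.com, else acme-temp.com),
    then truncate the local part so the whole login fits in max_len.
    Okta EL shape (assumed): source.attribute1 == "A" ? <a> : <b>"""
    domain = "acme.com" if attribute1 == "A" else "acme-temp.com"
    local = email_prefix(email).lower()
    local = local[: max(1, max_len - len(domain) - 1)]
    return f"{local}@{domain}"


def app_to_okta(ad: dict, workday: dict, attribute1: str, max_len: int = 64) -> dict:
    """Merge two sources of truth into one Okta user profile and refuse the
    result if any required target attribute would end up empty."""
    profile = {
        "firstName": ad.get("givenName"),                    # AD givenName -> firstName
        "lastName": ad.get("sn"),                            # AD sn -> lastName
        "email": (ad.get("mail") or "").lower(),
        "login": okta_username(ad.get("mail", ""), attribute1, max_len),
        "displayName": display_name(ad.get("sn", ""), ad.get("givenName", "")),
        "Boss": workday.get("managerUserName"),              # Workday -> custom Boss
    }
    missing = [k for k in OKTA_REQUIRED if not profile[k]]
    if missing:
        raise ValueError(f"required Okta attributes not mapped: {missing}")
    return profile
```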

The username override feature overrides a previously selected Okta username format or app username format (different per app). When username override is configured, the previously selected username formats no longer apply.

Username override can also be used with Selective Attribute Push to continuously update app usernames as user profile information changes. For example, if a user gets assigned to an app with a username of email, and that email subsequently changes, Okta can automatically update the app username to the new email. Prior to this enhancement, an Okta admin had to manually change a user's app username by unassigning the user and reassigning them to the app. This enhancement applies to all apps and is not limited to only apps with provisioning capabilities.

Note: For a list of the characters supported in Okta email addresses, see here.

Configure Username Override

To override an Okta username, do the following:

  1. Navigate to the app's mapping.
    • The app from which Okta accounts are imported – typically AD or Workday.
  2. Choose the mapping direction App to Okta.
    • You're creating an Okta username from app attributes.
  3. Click the Override with mapping button.
  4. Observe that a mapping field appears.
  5. Select an attribute or enter an expression to create the Okta username.
  6. Click Save Mappings and Apply updates now.

To override an app username, do the following:

  1. Navigate to the app's mapping.
    • App whose username you wish to override.
  2. Choose the mapping direction Okta to App.
    • You're creating an app username from UD attributes.
  3. Click the Override with mapping button.
  4. Observe that a mapping field appears.
  5. Select an attribute or enter an expression to create the app username.
  6. Click Save Mappings and Apply updates now.

To keep the app username automatically updated, do the following:

  1. Navigate to the username override configuration.
  2. Select the green arrow.

Rich SAML Assertions and WS-Fed Claims

UD attributes can be sent in SAML assertions and WS-Fed claims. Apps can consume rich SAML assertions and WS-Fed claims to do the following:

  • Create rich user accounts in the app
  • Update accounts with rich data
  • Make fine-grained authorization decisions

Configure Rich SAML Assertions and WS-Fed Claims

Currently, only the Template SAML 2.0, Template WS-Fed, and SAML Wizard Apps can send UD data. To configure this:

  1. Add the Template SAML 2.0 App, Template WS-Fed App, or SAML Wizard App.
  2. Locate the attribute statements field.
    • Labeled Attribute Statements in the Template SAML 2.0 App
    • Labeled Custom Attribute Statements in the Template WS-Fed App
    • Labeled Attribute Statements in the SAML Wizard Apps
  3. Enter UD attributes in the attribute statements field.