Using Selective Profile Push

This section specifically explores the Selective Profile Push feature for Universal Directory. For general information about UD, see About Universal Directory.

Profile mapping allows administrators to have precise control over the attributes exchanged during provisioning processes. An import from Active Directory to Okta is one of the more common examples of such an exchange, but it can be applied to any app that integrates with Okta. These exchanges center around how attributes are defined and mapped between two elements: the source of data, and the applications to which users are assigned.

Such mappings can be bi-directional. You can begin with a basic Okta user profile, retaining its default attributes, and simply map those attributes to the app user profile of a target application. This establishes a 1:1 relationship of data fields between these two entities. Or, you can do the reverse, choosing fields from the target app to map app-related fields to the Okta user. Essentially, you are setting the default attribute mappings for each Okta user or app user profile.

To begin creating this relationship, do the following under the Profile Mappings tab:

  1. From the provided list, find the app or directory you wish to map.
  2. Click the Edit Mappings button for the chosen app. The <App> User Profile Mappings page appears.
  3. Note which tab is viewable for the app—<App> to Okta or Okta to <App>.

Selective Profile Push

Along with mapping, the selective profile push feature allows admins to select which attributes are pushed from Okta to an app when a provisioning event occurs. While mapping may be bi-directional, selective profile push is uni-directional, meaning that this data can only be pushed from Okta to a target app.

To successfully use this feature, the following conditions must be true for local (SWA or SAML), Provisioning-enabled, and non-provisioning apps:

  • Apps with Provisioning capability must have Update User Attributes enabled under the Provisioning tab for the app. This provisioning feature includes a Do not update Username attribute on user profile check box, which gives you the option to exclude user name updates but allow the update of other attributes.
  • For both app types, pushing user names requires that the username be controlled by the administrator, never by the user. Find this setting under Application > Sign on tab > Sign On Methods.

Once the desired mapping is set up, admins can then decide which attributes are pushed when a profile push occurs. Such events can be set using the arrow drop-down menus.

The options available in the list will vary depending on the scenario of your app configurations. The app type, profile master status, and various states of the app all play a role in which options are displayed.

Mapping Option Displays

Drop-down menu options include the following:

  • Apply mapping on user create and update: This pushes data when a user is created and also when there is a change in their profile.
  • Apply mapping on user create only: This pushes data only when a new user is created, and does not automatically push data when a user profile changes.
  • Do not map: This removes an existing mapping. See Removing an Existing Mapping below.
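
The following added example (not Okta code, and not part of the original page) models in Python which mapped attributes reach the app on a create or update event, given the drop-down options and the conditions listed earlier. All identifiers are hypothetical, and the way the settings combine (a disabled Update User Attributes setting blocks updates but not the initial create; a user-controlled username is never pushed) is an assumption of this model.

```python
from dataclasses import dataclass

# Push scopes named after the drop-down options on this page (hypothetical identifiers).
CREATE_AND_UPDATE = "create_and_update"
CREATE_ONLY = "create_only"
DO_NOT_MAP = "do_not_map"

@dataclass
class AppSettings:
    update_user_attributes: bool = True    # "Update User Attributes" on the Provisioning tab
    do_not_update_username: bool = False   # "Do not update Username attribute on user profile"
    admin_controls_username: bool = True   # username set by the administrator, not the user

def attributes_to_push(mappings, event, settings, username_attr="userName"):
    """Return the set of app attributes pushed for a 'create' or 'update' event."""
    if event not in ("create", "update"):
        raise ValueError(f"unknown provisioning event: {event}")
    if event == "update" and not settings.update_user_attributes:
        return set()                       # assumption: no updates leave Okta at all
    pushed = set()
    for attr, scope in mappings.items():
        if scope == DO_NOT_MAP:
            continue                       # mapping removed, never pushed
        if event == "update" and scope == CREATE_ONLY:
            continue                       # create-only values are not refreshed
        if attr == username_attr:
            if not settings.admin_controls_username:
                continue                   # assumption: user-controlled name is not pushed
            if event == "update" and settings.do_not_update_username:
                continue                   # check box excludes username updates only
        pushed.add(attr)
    return pushed

def stale_after_update(mappings):
    """Mapped attributes that will not follow later changes to the Okta profile."""
    return {attr for attr, scope in mappings.items() if scope == CREATE_ONLY}

# Constructed sample Okta-to-app mapping, not taken from a real tenant.
SAMPLE = {
    "userName": CREATE_AND_UPDATE,
    "email": CREATE_AND_UPDATE,
    "department": CREATE_ONLY,
    "nickName": DO_NOT_MAP,
}

if __name__ == "__main__":
    s = AppSettings(do_not_update_username=True)
    print("create:", sorted(attributes_to_push(SAMPLE, "create", s)))
    print("update:", sorted(attributes_to_push(SAMPLE, "update", s)))
    print("stale :", sorted(stale_after_update(SAMPLE)))
```

Attributes returned by `stale_after_update` keep their creation-time value in the app, which matters when the app uses them for access decisions.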

Removing an Existing Mapping

There are two ways to remove a mapping. Simply use the delete button to backspace the entry from the field, or use the drop-down to choose the Do not map option. When successfully deleted, the label of the attribute switches back to Add mapping.
