Base Active Directory attributes

Okta distinguishes between base and custom attributes. For Active Directory (AD), only 10 attributes are considered base, so the minimum AD profile in Okta contains only those 10 attributes. Every attribute outside the 10-field base profile is considered custom. Some of these custom attributes were previously part of the static profile, but with Universal Directory (UD) you can now remove them.

| Display Name | Variable Name | Data Type |
| --- | --- | --- |
| distinguishedName | dn | string |
| mail | email | string |
| objectGUID | externalID | string |
| givenName | firstName | string |
| sn | lastName | string |
| managerUpn | managerUpn | string |
| objectSid | objectSid | string |
| primaryGroupID | primaryGroupID | string |
| sAMAccountName | samAccountName | string |
| userPrincipalName | userName | string |

If you have a manager value coming from Workday or any other application into Okta and that value can be represented as managerUPN in AD, use the managerUpn mapping. When doing so, the manager must be in the same domain as the user.

If you have a manager value coming from Workday or any other app into Okta and that value can be represented as managerDN in AD, use the managerDn mapping. In this case, the manager can be in a different domain than the user.

Mapping the managerUPN or the managerDN incorrectly could result in the manager value failing to update the user object in AD.
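
One way to check the same-domain rule before choosing a mapping, as an added example that is not Okta's code. It assumes an object's domain can be read from the DC components of its distinguishedName; the function names, record layout and sample users are hypothetical.

```python
def split_rdns(dn):
    """Split a DN into RDNs on commas, honouring backslash escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def domain_of(dn):
    """Return the dotted domain built from the DN's DC components."""
    labels = []
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "DC":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(labels)

def mapping_is_valid(mapping, user_dn, manager_dn):
    """managerUpn needs user and manager in one domain; managerDn does not."""
    if mapping not in ("managerUpn", "managerDn"):
        raise ValueError(f"unknown mapping: {mapping!r}")
    return mapping == "managerDn" or domain_of(user_dn) == domain_of(manager_dn)

def audit(records):
    """Return the samAccountName of every record whose mapping breaks the rule."""
    return [r["samAccountName"] for r in records
            if not mapping_is_valid(r["mapping"], r["dn"], r["manager_dn"])]

# Constructed sample records (hypothetical users and domains).
SAMPLE = [
    {"samAccountName": "alice", "mapping": "managerUpn",
     "dn": "CN=Alice Ng,OU=Staff,DC=corp,DC=example,DC=com",
     "manager_dn": "CN=Smith\\, Bob,OU=Mgmt,DC=corp,DC=example,DC=com"},
    {"samAccountName": "carol", "mapping": "managerUpn",
     "dn": "CN=Carol Diaz,OU=Staff,DC=corp,DC=example,DC=com",
     "manager_dn": "CN=Erin Holt,OU=Mgmt,DC=emea,DC=example,DC=com"},
    {"samAccountName": "dave", "mapping": "managerDn",
     "dn": "CN=Dave Roy,OU=Staff,DC=corp,DC=example,DC=com",
     "manager_dn": "CN=Erin Holt,OU=Mgmt,DC=emea,DC=example,DC=com"},
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Records returned by audit() use managerUpn with a manager in another domain, which is the case where the manager value can fail to update in AD.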