About Universal Directory and user profiles


Universal Directory (UD) delivers rich user profiles and fine-grained control over how attributes flow between applications. It stores an unlimited number of users and attributes drawn from applications and sources such as AD or HR systems, supports any attribute type (including linked objects, sensitive attributes, and predefined lists), and makes all of it available to every app in the OIN catalog, over LDAP, or through the API. This makes it easier for an organization to create and maintain a single source of truth for its users, enabling new authentication and provisioning scenarios.

Warning: Universal Directory and the accompanying Profile Editor are powerful features. Altering profiles and mappings can have unintended effects in downstream apps, so make such changes with care. Note that when a change to one attribute in a user's profile triggers an update, Okta pushes the user's entire profile to the application, not just the changed attribute.

Using Universal Directory

The following sections explain Universal Directory features, how to configure them, and their use cases: profiles, attribute mappings, expressions (transformations), and username overrides.


Profiles (Okta End User and App User)

Universal Directory provides user profiles, which are representations of user accounts. Universal Directory supports two types of profile:

  • Okta End User profile. The default Okta user profile type, used for all users, contains the base attributes and any custom attributes described below. Okta also lets you create custom user types. For details, see Custom user types.
  • App user profile. This represents the user's account in a specific application and holds the attributes that application understands.

The two profile types are used to store rich attributes in Okta and to move those attributes between Okta and third-party apps.


Attribute mappings

Profile mappings allow administrators to precisely control the attributes exchanged during provisioning processes. The two chief use-cases that UD facilitates are

  • App to Okta
  • Okta to App

App to Okta mappings

  • In this use case, attributes imported from an application or source (for example, an HR system or Google) populate the Okta user profile, so that Okta holds the attribute values it receives from that source.

  • The following diagram illustrates the first use case.

[Diagram: App to Okta attribute mappings]

Okta to App

  • In this use-case, organizations wish to propagate the data in Okta to other applications to provision accounts and update accounts with rich data. This is possible if the Okta user profile has rich attributes and the app supports provisioning.

  • The following diagram illustrates the second use-case. In the example, Okta sends four attributes to Google. The diagram shows the mappings of four Okta user profile attributes to four Google App user profile attributes.

[Diagram: four Okta user profile attributes mapped to four Google app user profile attributes]


Expressions (Transformations)

The details above describe how to map attributes that flow from one source to another without modification. For example, a first name of "John" imported from Google gets stored as "John" in Okta. However, if you wish to modify attributes before storing them in Okta or sending them to apps, you can do this with expressions within the mappings.

Expressions allow you to concatenate attributes, manipulate strings, convert data types, and more. Okta supports a subset of the Spring Expression Language (SpEL); the supported functions are described under Okta Expression Language, and all of them work in UD mappings.

Disclaimer: Some functions (chiefly the string functions) also work in other areas of the product, such as SAML 2.0 template attributes and custom username formats, but not all do. Check the reference before relying on a function outside UD mappings.

Expressions are useful for maintaining data integrity and formats across apps. For example, you might wish to use an email prefix as a username, bulk replace an email suffix, or populate attributes based on a combination of existing ones (e.g., displayName = lastName, firstName).

Username Overrides

Okta allows you to handle the most demanding username requirements. Constructing custom Okta user names or application user names with Okta's data and expression language is easy.

Example use cases:

  1. Construct an Okta username by concatenating multiple imported attributes.
  2. Create differently formatted user names using conditionals. For example
    • If attribute1 = A, then username should end in acme.com. Otherwise, username should end in acme-temp.com.
    • Example: john.doe@acme.com, john.doe@acme-temp.com
    • This is useful for distinguishing between different types of users (such as employees vs. contractors).
  3. Construct app user names from attributes in various sources.
  4. Enforce a max length by truncating.
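The following is an added example, not code from the Okta documentation or product: a small Python reference implementation of the transformations described under Expressions above (email prefix as username, bulk replacement of an email suffix, concatenated names) and of the username override use cases just listed (concatenation, a conditional domain, and a maximum length enforced by truncation). The attribute names (`firstName`, `lastName`, and `userType` standing in for `attribute1`), the domains `acme.com` and `acme-temp.com`, the 20-character limit and the sample profiles are constructed for the example. The Okta Expression Language strings in the comments are the expressions I would write for each rule, taken from my reading of the Okta Expression Language reference; verify them against that reference before using them in a mapping. The example also adds the check a practitioner wants before rolling out truncation: detecting two different people whose derived usernames collide.

```python
"""Added example (not Okta's code): a reference implementation of the username
rules this section describes, with the collision check that truncation needs.

The Okta Expression Language (EL) strings in the comments are assumptions taken
from my reading of the Okta Expression Language reference; verify them there
before putting them in a mapping.
"""
import re
import unicodedata

# Constructed sample profiles shaped like Okta user profile attributes.
# "userType" stands in for "attribute1" in the text; "A" means employee.
SAMPLE_PROFILES = [
    {"firstName": "John", "lastName": "Doe", "userType": "A"},
    {"firstName": "John", "lastName": "Doe", "userType": "B"},
    {"firstName": "Maximilian-Alexander", "lastName": "Featherstonehaugh", "userType": "A"},
    {"firstName": "Maximilian-Alexander", "lastName": "Featherstonehaugh-Smith", "userType": "A"},
    {"firstName": "Zoë", "lastName": "Ó Briain", "userType": "A"},
    {"firstName": "", "lastName": "Solo", "userType": "A"},
]

EMPLOYEE_DOMAIN = "acme.com"          # assumed domains, taken from the text's example
CONTRACTOR_DOMAIN = "acme-temp.com"
# Conservative local-part alphabet; widen it only to what the target app accepts.
LOCAL_PART_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?$")


def email_prefix(email):
    """Username from the part before '@'.  Okta EL: String.substringBefore(user.email, "@")"""
    local, sep, _domain = email.partition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {email!r}")
    return local


def replace_email_suffix(email, old_domain, new_domain):
    """Bulk-replace a domain.  Okta EL: String.replace(user.email, "@old", "@new").
    Anchored at the end on purpose: a plain substring replace would also rewrite
    'old.com' if it appeared inside the local part."""
    local, sep, domain = email.rpartition("@")
    if not sep or domain.lower() != old_domain.lower():
        return email
    return f"{local}@{new_domain}"


def normalise(value):
    """Lower-case, fold accents to ASCII, turn any other run of characters into '-'.
    (Helper for this example; Okta EL has String.toLowerCase and String.replace,
    but this accent folding is not one of its functions.)"""
    ascii_only = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9]+", "-", ascii_only.lower()).strip("-")


def local_part(profile, max_len):
    """Concatenate firstName.lastName, then truncate to max_len.
    Okta EL: String.substring(String.toLowerCase(user.firstName + "." + user.lastName), 0, N)"""
    parts = [normalise(profile.get(k) or "") for k in ("firstName", "lastName")]
    base = ".".join(p for p in parts if p)
    if not base:
        raise ValueError("profile has neither firstName nor lastName")
    return base[:max_len].rstrip(".-")   # never end on a separator after the cut


def domain_for(profile):
    """Conditional domain.  Okta EL: user.userType == "A" ? "acme.com" : "acme-temp.com" """
    return EMPLOYEE_DOMAIN if profile.get("userType") == "A" else CONTRACTOR_DOMAIN


def build_username(profile, max_local_len=20):
    local = local_part(profile, max_local_len)
    if not LOCAL_PART_RE.match(local):
        raise ValueError(f"derived local part {local!r} is not acceptable")
    return f"{local}@{domain_for(profile)}"


def find_collisions(profiles, max_local_len=20):
    """Usernames produced by more than one profile, keyed to the profile indexes.
    Truncation is the usual cause; an override that collides silently maps two
    people onto one account in the downstream app, so run this before rollout."""
    claimed = {}
    for i, profile in enumerate(profiles):
        claimed.setdefault(build_username(profile, max_local_len), []).append(i)
    return {name: idxs for name, idxs in claimed.items() if len(idxs) > 1}


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print(build_username(p))
    print("collisions at 20 chars:", find_collisions(SAMPLE_PROFILES))
    print("collisions at 64 chars:", find_collisions(SAMPLE_PROFILES, 64))
```

Run it directly to print the derived usernames. With the 20-character limit the two Featherstonehaugh profiles collapse onto one username, which `find_collisions` reports, and at 64 characters they do not. A mapping that silently merges two people into one app account hands one user the other's access, so treat a non-empty collision report as a blocker. Remember too that expressions are re-evaluated on every profile update (see the warning at the top of the page), so a later name change can create a collision that did not exist at rollout.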

The username override feature overrides a previously selected Okta username format or app username format (different per app). When username override is configured, the previously selected username formats no longer apply.

Username override can also be used with Selective Attribute Push to keep app usernames updated as user profile information changes. For example, if a user is assigned to an app with a username of email, and that email subsequently changes, Okta can automatically update the app username to the new email. Before this enhancement, an Okta admin had to change a user's app username manually by unassigning the user from the app and reassigning them. This enhancement applies to all apps and is not limited to apps with provisioning capabilities.

Note: For a list of the characters supported in Okta email addresses, see here.

This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; the Features page in the Okta Admin Console (Settings > Features) also lets Super Admins enable and disable some EA features themselves. To enable this feature, contact Okta Support.

Overriding the app username

Okta is consolidating where app usernames are configured. Instead of being able to change the app username in the Profile Editor and the app's Sign On tab, you will be able to edit the Okta to App username mappings only on the App's Sign On tab.

For the Okta to App flow, you can no longer override username mappings in the Profile Editor.

Note: The behavior is not changing for the Active Directory, LDAP (Lightweight Directory Access Protocol), and SAML Identity Provider apps.

The username mapping displayed in the app's Sign On tab is the source of truth for the Okta to App flow. Setting the username mapping to apply on Create only or on Create and Update is also managed from the app's Sign On tab.



Related Topics

Work with Okta user profiles and attributes

About custom user types in Universal Directory

Applications

Using the App Integration Wizard

Configuring the Okta Template WS Federation Application
