You can import users into your orgThe Okta container that represents a real-world organization. from any appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. or by using a Import users from a CSV file. You can schedule an import to add users when an application is added or schedule it for later. You also have control over how imported users are confirmed and, through mapping rules, how application fields are mapped to an Okta username.
To import users from an app, do the following:
- Navigate to Applications in the AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console, and select the app from which you want to import users.
- Click on Import Now.
- Your users are imported and a summary of the number of users and groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. imported displays. Click OK.
Importing users when provisioning an app
ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. must be enabled to use the following features. To enable provisioning, do the following:
- From the Administrator Dashboard select Applications and click the application you want to configure.
- Click the Provisioning tab. If no Provisioning tab appears, the app is not provisioning enabled.
- From the left-side panel under Settings, chose To Okta. This screen contains settings for all information that flows from the app to Okta.
Click the adjacent Edit buttons to make changes in the following sections.
- User Creation & Matching
- Profile & Lifestyle Mastering
- Inline Hooks
- Okta Attribute Mappings
Use this section to schedule imports and dictate a username format that Okta will use for imported users. You can also define a percentage of acceptable app assignments before the Import safeguard feature is automatically triggered. If the Okta username is overridden due to mapping from a provisioning-enabled app, the custom mapping appears here.
Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
Imported user is an exact match to Okta user if: Exact matching occurs when the Okta username format, email, attribute (base or custom), or attribute combination matches that of an Okta user.
Allow partial matches: Partial matching occurs when the first and last name of an imported user match those of an existing Okta user, but the user’s username and/or email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches are confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.
Use this section to allow the current app to profile masterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering. Okta users. Once enabled, the app appears in the list of profile masters on the Profile Masters page.
Allow <app> to master Okta users: Determine what happens when a user is deactivated or reactivated in an app.
Remember that only the highest priority profile master for that Okta user can deactivate or suspend an Okta user. To verify the highest priority profile master, review the Profile Masters page.
When a user is deactivated in the app: Choose to deactivate, suspend, or do nothing. Do nothing prevents activity in the app from controlling the user cycle, but still allows profile master control of attributes and mappings.
When a user is reactivated in the app: Choose whether reactivation in the app applies to suspended or deactivated Okta users. When a user is reactivated in the app, the user profile must be an exact match to the Okta profile for the reactivation to also occur in Okta. Otherwise, after importing the reactivated users, they appear in Pending Activation state.
Use this section to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in profile attributes and control whether imported users are treated as matches for existing users. To enable an import inline hook, see the Inline Hooks page.
Use this portion of the page to edit attributes and mappings in the Profile Editor.
Clearing unconfirmed users
During standard imports, users are sometimes mistakenly imported from a 3rd-party app such as Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. (AD), Workday, or through a manual CSV import. This can lead to conflicted users within the import queue. Previously, there was no way to remove these unconfirmed users.
The Clear Unconfirmed Users button allows admins to clear all unconfirmed users within an import queue. This feature is supported for profile masters such as AD, LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., Workday, SuccessFactors, BambooHR, Namely, and Ultipro, as well as provisioning apps that support imports, such as Zendesk. This operation only works with a single application, and will not affect other apps that have users in the staging phase.
- From the Admin Dashboard, hover over the Application menu and choose Applications.
- On the Applications page, select a provisioning-enabled app.
- Click on the Import tab.
- If there are unconfirmed users within the import queue, clear them by clicking the Clear Unconfirmed Users button, as shown below.
- A confirmation screen appears with the current tally of unconfirmed users. Click the Clear Import Results button to confirm.
It is not possible to select and remove specific users at this time. The only option is to clear all users. If an admin mistakenly clears all users from the queue, they can rerun a full import to restore the queue back to its prior state. To restore the import queue, an incremental import will not suffice—a full import is required.
Also note that, if an existing (scheduled or manual) import is actively running, admins cannot clear users. The Clear Unconfirmed Users button is grayed out until that previous import is complete. If a scheduled or manual import is started during a clearing process, it is queued up to begin as soon as the previous operation completes.Top