You can import people into your org by provisioning an app or by using a CSV file.
Not all applications support provisioning, but for those that do, you can schedule an import to add users when an application is added or schedule it for later. You also have control over how imported users are confirmed and, through mapping rules, how application fields are mapped to an Okta username.
Provisioning must be enabled to use the following features. To enable provisioning, do the following:
- From the Administrator Dashboard select Applications and click the application you want to configure.
- Click the Provisioning tab. If no Provisioning tab appears, the app is not provisioning enabled.
- From the left-side panel under Settings, choose To Okta. This screen contains settings for all information that flows from the app to Okta.
- Click the adjacent Edit buttons to make changes in the following sections.
Use this section to schedule imports and dictate a username format that Okta will use for imported users. You can also define a percentage of acceptable app assignments before the Import Safeguard feature is automatically triggered.
User Creation & Matching
Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify whether an imported user is treated as a new user or mapped to an existing Okta user.
Imported user is an exact match to Okta user if: Select the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
Allow partial matches: Partial matching occurs when the first and last name of an imported user match those of an existing Okta user, but the user’s username and/or email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches are confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply to users who already exist in Okta.
For information on deprovisioning, see Provisioning and Deprovisioning Overview.
Okta Attribute Mappings
Use this portion of the page to edit attributes and mappings. For more details on mappings, see the Profile Editor.
For apps that don't support provisioning, you can import people directly from a CSV file.
- From the Administrator Dashboard, select Applications and click the application you want to configure.
- Click the Import tab.
- Click the Import from CSV button.
- Click the CSV template link to download the template and enter your users' information.
Note: You can add up to 5,000 users to your CSV file.
- Browse to your saved file and click the Upload CSV button. The import begins automatically and a summary of your upload results appears.
- Click the Import users button.
- Confirm your imports and click the people tab to begin assigning them.
For more details about importing people from a .csv file, see Importing Users From a CSV File.
If an unusual number of app unassignments occurs during an import, Okta triggers an alert to warn against the unintended deprovisioning of a large number of apps from users within an org. The Import Safeguard feature stops the import and suspends subsequent imports.
Note: For the Import Safeguard feature to be triggered, an org must contain a minimum of 100 app assignments.
When triggered, the following message appears on the Okta Dashboard.
If the app unassignment was expected
If these app unassignments were intentional, you can simply resume the import by clicking the Resume All Imports button. You can also view the event in the system log and, if you feel the current setting caused the unnecessary alert, adjust the threshold of allowed app unassignments. For details, see Increase the App Threshold below.
If the app unassignment was not expected
If the number of unassignments was not intentional, clicking the Cancel the Affected Import and Resume Other Imports button allows you to arrest imports from the offending app and resume other imports. Okta recommends viewing the event in the system logs and, if the issue remains unexplained, calling Okta customer support.
If you click the set app assignment removal limit link, the following modal appears. It allows you to define a percentage of acceptable app unassignments before Import Safeguard is automatically triggered.
Note: This rate can also be changed from the Provisioning tab during the app provisioning process.
During standard imports, users are sometimes mistakenly imported from a 3rd-party app such as Active Directory (AD), Workday, or through a manual CSV import. This can lead to conflicted users within the import queue. Previously, there was no way to remove these unconfirmed users.
The Clear Unconfirmed Users button allows admins to clear all unconfirmed users within an import queue. This feature is supported for profile masters such as AD, LDAP, Workday, SuccessFactors, BambooHR, Namely, and Ultipro, as well as provisioning apps that support imports, such as Zendesk. This operation only works with a single application, and will not affect other apps that have users in the staging phase.
- From the Admin Dashboard, hover over the Application menu and choose Applications.
- On the Applications page, select a provisioning-enabled app.
- Click on the Import tab.
- If there are unconfirmed users within the import queue, clear them by clicking the Clear Unconfirmed Users button, as shown below.
- A confirmation screen appears with the current tally of unconfirmed users. Click the Clear Import Results button to confirm.
It is not possible to select and remove specific users at this time. The only option is to clear all users. If an admin mistakenly clears all users from the queue, they can rerun a full import to restore the queue back to its prior state. To restore the import queue, an incremental import will not suffice—a full import is required.
Also note that, if an existing (scheduled or manual) import is actively running, admins cannot clear users. The Clear Unconfirmed Users button is grayed out until that previous import is complete. If a scheduled or manual import is started during a clearing process, it is queued up to begin as soon as the previous operation completes.
This is an Early Access feature. To enable it, please contact Okta Support.
When you import users, you can set up Okta rules to match any attribute that is currently mapped from an AppUser profile to an OktaUser profile. This helps you sync identities across systems and determine whether an imported user is new or if the user profile already exists in Okta.
- When a user is imported from Workday, you can match that user to existing user profiles based on their user name, email address, or first and last name.
- To set up a regularly scheduled import from Workday, you can match on the Employee’s EmployeeID.
- To consolidate multiple Active Directory (AD) domains, you can link the AD Domains to a single Okta user with an attribute that’s populated across all those domains (e.g., they match on the SAM Account Name).
To set up the import configuration to match users, do the following:
- Go to Applications or Directory Integrations and select the app into which you want to import users, such as Workday, Active Directory, or CSV Directory.
- For most applications, select Provisioning > To Okta. For AD or LDAP, select Settings > Match Settings.
- Update the import configuration to match on any attribute that is currently mapped from your application into Okta.
- Click Save.
- Go to the Import tab and select Import Now.
You can now see the imported users matched on the attribute that you selected from the drop-down list. If there is no match, a new user is created. If there is a match, then the user is linked to an existing user profile in Okta.
Note: Because Okta treats these as exact matches, you can configure auto-confirmation and auto-activation if a match is found.
To check if an attribute is missing from the list of attributes available for matching, go to Directory > Profile Editor and make sure that the attribute is properly mapped.
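The following dry run is an added example, not Okta's code: it classifies rows from a planned import as exact, ambiguous, partial or new against an exported list of Okta users, so that ambiguous and partial matches can be reviewed before auto-confirmation and auto-activation are turned on. The field names (`username`, `email`, `firstName`, `lastName`, `employeeId`), the case-insensitive comparison and the sample records are assumptions made for illustration.

```python
# Added example (not Okta code): offline dry run of import matching.
# Field names and sample records below are constructed for illustration.
from collections import defaultdict

def norm(value):
    # Assumption: compare case-insensitively, ignoring surrounding whitespace.
    return (value or "").strip().lower()

def same(a, b, attrs):
    # True only if every attribute is present on the import and equal on both.
    return all(norm(a.get(k)) and norm(a.get(k)) == norm(b.get(k)) for k in attrs)

def classify(row, okta_users, match_attrs=("username", "email"), allow_partial=True):
    """exact: one Okta user agrees on every match attribute.
    ambiguous: several do, so auto-confirmation could link the wrong identity.
    partial: first and last name agree but the exact criteria do not.
    new: no match; the import would create a user."""
    exact = [u["id"] for u in okta_users if same(row, u, match_attrs)]
    if exact:
        return ("exact" if len(exact) == 1 else "ambiguous"), exact
    if allow_partial:
        partial = [u["id"] for u in okta_users if same(row, u, ("firstName", "lastName"))]
        if partial:
            return "partial", partial
    return "new", []

def dry_run(rows, okta_users, **options):
    report = defaultdict(list)
    for row in rows:
        status, ids = classify(row, okta_users, **options)
        report[status].append((row["username"], ids))
    return dict(report)

def user(uid, username, first, last, emp):
    return {"id": uid, "username": username, "email": username,
            "firstName": first, "lastName": last, "employeeId": emp}

OKTA_USERS = [user("u1", "ana.ruiz@example.com", "Ana", "Ruiz", "1001"),
              user("u2", "b.chen@example.com", "Bo", "Chen", "1002"),
              user("u3", "bo.chen@example.com", "Bo", "Chen", "1002")]
IMPORT_ROWS = [user(None, "Ana.Ruiz@example.com", "Ana", "Ruiz", "1001"),
               user(None, "bchen@corp.example", "Bo", "Chen", "1002"),
               user(None, "d.okoye@example.com", "Dee", "Okoye", "1003")]

if __name__ == "__main__":
    for attrs in (("username", "email"), ("employeeId",)):
        print(attrs, dry_run(IMPORT_ROWS, OKTA_USERS, match_attrs=attrs))
```

In the sample data, matching on `employeeId` turns the second row from a partial match into an ambiguous one because two existing users share the value, which is the case to resolve by hand rather than auto-confirm.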