Use the People page to add and manage the end users in your organization.
Navigate to Directory > People to see a list of 200 end users, in increments of 25. Click Show More to see the next 25 users, or filter the entries with the Search field.
Tip: Don't miss the important options available in More Actions lists.
Adding users to your organization lets them have their own My Applications page.
- On the Okta Admin Console, click Directory > People.
- Click Add Person.
- Select a user type in the User type list or accept the default.
  To learn more about user types, see About custom user types in Universal Directory.
- Complete these fields:
  - First name — Enter the user's first name.
  - Last name — Enter the user's last name.
  - Username — Enter the user's user name in email format.
  - Primary email — Enter the user's primary email if it's different from their username.
  - Secondary email — Optional. Enter a secondary email to allow the user to access information when their primary email is unavailable.
  - Groups — Optional. Enter the groups to which the user belongs.
  - Password — Select Set by user to allow the user to set their password, or select Set by admin and enter a password.
  - Send user activation now - Optional. This check box is available when Set by user is selected as the password option. Select this check box to send a user activation email to the user.
  - User must change password on first login — Optional. This check box is selected by default when you select Set by admin as the password option. Clear this check box if you do not want the user to change their password when they first log in.
- Click Save.
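The same form can be expressed as a request to the Okta Users API (`POST /api/v1/users`). The following is an added example, not part of the original Okta documentation: the function name `build_create_user_request`, the org URL, the sample values, and the mapping of each form option to an API field or query parameter are assumptions. The request is only built, not sent.

```python
import json
import re
from urllib.parse import urlencode

# Loose check for "user name in email format"; not a full address validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_create_user_request(org_url, first_name, last_name, username,
                              primary_email=None, secondary_email=None,
                              group_ids=(), admin_password=None,
                              send_activation_now=False,
                              must_change_password=True):
    """Return (method, url, body) mirroring the Add Person form (assumed mapping)."""
    if not EMAIL_RE.match(username):
        raise ValueError("Username must be in email format")
    profile = {
        "firstName": first_name,
        "lastName": last_name,
        "login": username,
        # Primary email is only entered when it differs from the username.
        "email": primary_email or username,
    }
    if secondary_email:
        profile["secondEmail"] = secondary_email
    body = {"profile": profile}
    if group_ids:
        body["groupIds"] = list(group_ids)
    if admin_password is None:
        # "Set by user": no credentials are sent; activating now triggers the email.
        query = {"activate": "true" if send_activation_now else "false"}
    else:
        # "Set by admin": the activation-email option is not offered in this mode.
        if send_activation_now:
            raise ValueError("Activation email applies only to Set by user")
        body["credentials"] = {"password": {"value": admin_password}}
        query = {"activate": "true"}
        if must_change_password:
            # Expires the admin-chosen password so the user must replace it.
            query["nextLogin"] = "changePassword"
    url = f"{org_url.rstrip('/')}/api/v1/users?{urlencode(query)}"
    return "POST", url, body


if __name__ == "__main__":
    # Constructed sample values; example.okta.com is a placeholder org URL.
    req = build_create_user_request("https://example.okta.com", "Ada", "Lovelace",
                                    "ada@example.com", admin_password="Constructed-Pw-1!")
    print(req[0], req[1])
    print(json.dumps(req[2], indent=2))
```

Keeping `must_change_password` at its default means a password known to the admin stops being valid after the user's first sign-in.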
Add and update users with Just In Time Provisioning
Just In Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with Active Directory (AD) Delegated Authentication, Desktop SSO, or inbound SAML.
JIT account creation and activation only works for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.
If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.
If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.
- On the Okta Admin Console, click Directory > Directory Integrations and select an AD instance.
- Click Settings.
- Scroll to the Import and Provisioning section.
- Select the Create and update users on login check box next to JIT Provisioning.
- Scroll to the bottom of the page and click Save Settings.