Use the People page to add and manage the end users in your organization. End users are people in your org without administrative control: they can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins.
Navigate to Directory > People to see a list of 200 end users, shown in increments of 25. Click Show More to see the next 25 users, or narrow the entries with the Search field.
Tip: Don't miss the important options available in More Actions lists.
Adding users to your organization gives them their own My Applications page. To add end users to your org (the Okta container that represents a real-world organization):
- From the People page, click Add Person.
- Enter the First name and Last name.
- Enter the Username. This must be a unique email address (typically the user's primary email address). Entering an email address that already exists in the org causes an error.
Note: For a list of the characters supported in Okta email addresses, see Reference Directories.
- Enter a Primary email address. This can be any valid email address that the user can access (typically the same address as the username).
- Optional. Enter a Secondary email. This address can be used as a backup if the user can't access their primary email.
- Optional. Assign the user to groups by typing the group name in the Groups field. (Groups let you organize your end users and the apps they can access, which makes assigning apps to large sets of end users easier.) A list of matching groups appears; find the group you want and click Add. Repeat to add more groups.
- In the Password drop-down, select Set by user or Set by admin. (An admin is someone with access to the Okta Administrator Dashboard; admins control the provisioning and deprovisioning of end users, app assignments, password resets, and the overall end user experience, and only admins see the Administration button on the upper right of the My Applications page.) If you choose Set by admin, enter the password and indicate whether the user must change the password on first login. Remember that you must provide the password to the end user yourself.
- Click Add Person, or add another user by clicking Save and Add Another.
- If you select the Send user activation email now check box, the end user immediately receives their Welcome to Okta! activation email. Otherwise, the user stays in Pending Activation status and is not notified by email about their Okta account.
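The Add Person form above maps onto Okta's user management API. The following script is an added example written for this page, not Okta's own code or SDK: it builds the same request an admin would submit to create a user in STAGED status (no activation email yet), applies the form's own rules locally (a well-formed, unique username; a valid primary email; optional secondary email and groups; an optional admin-set password), and returns the follow-up lifecycle calls for "user must change password on first login" and "Send user activation email now". The Okta domain, API token, group ID and the list of existing logins are constructed placeholders; the script only assembles requests and never sends them, so it runs offline.

```python
import re
from typing import Iterable, Optional

# Conservative local pre-check only. Okta's supported character set for
# usernames is in the "Reference Directories" page cited above; this regex
# is an assumption used to catch obvious typos before the API call.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def request_headers(api_token: str) -> dict:
    """Headers for the Okta management API; the token is a placeholder here."""
    return {
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_create_user_request(
    first_name: str,
    last_name: str,
    username: str,
    primary_email: str,
    secondary_email: Optional[str] = None,
    group_ids: Iterable[str] = (),
    admin_password: Optional[str] = None,
    existing_logins: Iterable[str] = (),
):
    """Return (path, json_body) for POST /api/v1/users, mirroring Add Person.

    Raises ValueError for the conditions the form rejects: a malformed
    username or email, or a username that already exists in the org.
    """
    if not _EMAIL_RE.match(username):
        raise ValueError(f"username must be an email address: {username!r}")
    if not _EMAIL_RE.match(primary_email):
        raise ValueError(f"invalid primary email: {primary_email!r}")
    if secondary_email and not _EMAIL_RE.match(secondary_email):
        raise ValueError(f"invalid secondary email: {secondary_email!r}")
    # Logins are unique per org and compared case-insensitively.
    if username.lower() in {login.lower() for login in existing_logins}:
        raise ValueError(f"username already exists in this org: {username!r}")

    profile = {
        "firstName": first_name,
        "lastName": last_name,
        "login": username,
        "email": primary_email,
    }
    if secondary_email:
        profile["secondEmail"] = secondary_email

    body: dict = {"profile": profile}
    ids = list(group_ids)
    if ids:
        body["groupIds"] = ids  # same effect as adding groups in the form
    if admin_password is not None:
        # "Set by admin": the password is supplied now and must be handed to
        # the user out of band. Omitting credentials is "Set by user".
        body["credentials"] = {"password": {"value": admin_password}}

    # activate=false leaves the user STAGED / Pending Activation, so no
    # activation email is sent until you explicitly activate them.
    return "/api/v1/users?activate=false", body


def expire_password_path(user_id: str) -> str:
    """Lifecycle call that forces a password change on the user's next login."""
    return f"/api/v1/users/{user_id}/lifecycle/expire_password"


def activate_path(user_id: str, send_email: bool) -> str:
    """Lifecycle call equivalent to 'Send user activation email now'."""
    flag = "true" if send_email else "false"
    return f"/api/v1/users/{user_id}/lifecycle/activate?sendEmail={flag}"


if __name__ == "__main__":
    # Constructed sample data; the group ID and token are placeholders.
    path, body = build_create_user_request(
        "Ada", "Lovelace", "ada@example.com", "ada@example.com",
        secondary_email="ada.backup@example.com",
        group_ids=["00gPLACEHOLDERGROUP"],
        existing_logins=["bob@example.com"],
    )
    print("POST", path, body, request_headers("PLACEHOLDER_TOKEN"))
    print("then", activate_path("00uPLACEHOLDERUSER", send_email=True))
```

Leaving out `credentials` (the "Set by user" path) avoids an admin ever handling the password; if a password is admin-set, follow the create call with `expire_password_path` so it is single-use, and activate with `sendEmail=true` only when you actually want the Welcome to Okta! email to go out.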
Add and update users with Just In Time Provisioning
Just In Time (JIT) provisioning creates a user account in Okta automatically the first time a user authenticates through AD Delegated Authentication, Desktop SSO, or inbound SAML.
JIT account creation and activation works only for people who are not already Okta end users; for existing end users, JIT updates their accounts during full imports. This means that end users who are confirmed on the import results page are not eligible for JIT activation, regardless of whether they were later activated. When JIT is enabled, users do not receive activation emails.
When using JIT provisioning with AD users, the procedure depends on whether delegated authentication is enabled.
- If you have delegated authentication enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.
- If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.
To enable JIT provisioning for an AD instance:
- On the Okta Admin Console, click Directory > Directory Integrations and select an AD instance.
- Click Settings.
- Scroll to the Import and Provisioning section.
- Select the Create and update users on login check box next to JIT Provisioning.