A profile masterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see Using the Okta People Page. is an application (a directory service like Active Directory or LDAP, or an HR-management appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. such as Workday) that can act as the "source of truth" for user identities. Once enabled from the app or directory's Provisioning tab, it appears in the list of profile masters on the Profile Masters page. Without the inclusion of any external profile “master”, all profiles are mastered by Okta.
Currently, if more than one profile master exists on the Profile Masters page, they can be prioritized so that end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. can be mastered by different systems, based on their assignments. At any given time, there can only be one profile master that masters a user's entire profile.
Profile masters are powerful tools that can potentially manage the entire life cycle (creation, updates, and deactivation) of an Okta user. Admins leveraging Workday, for example, can allow Okta to receive user creation, updates, and termination events from Workday.
Okta is periodically adding profile master capabilities to an expanding number of apps and directories. The following apps and directories are among those available for profile mastering:
- Active Directory
- G Suite
- Namely (build by ISVAn acronym for independent software vendors. Okta partners with various ISVs (usually producing enterprise applications) to integrate on-premises, in the cloud, or native-to-mobile devices with Okta.)
When an app or directory is designated as a profile master, it is listed on the Profile Masters page. This page is also used to sort the priority order of apps that support profile mastering. If more than one profile master exists, they must be prioritized so that end usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control. can be mastered by different systems, based on their assignments. Without attribute-level mastering (ALM), there can only be one profile master that masters a user's entire profile.
Note: When a new profile master is added, it is immediately placed as the lowest priority. This insures that any existing priority master(s) are not altered.
- From the Dashboard, click to the Directory drop-down menu.
- Scroll down to Profile Masters.
All profile masters are listed, and their status is indicated under the Priority column.
- Click the arrows to change the profile status of the corresponding app or directory.
This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, please contact Okta Support.
Attribute Level Mastering (ALM) delivers finer-grain control over how profiles are mastered by letting you specify different profile masters for individual attributes. This Early Access feature is a powerful element of Okta Provisioning. For details, see Setting up Attribute Level Mastering.
Using a profile master necessitates a clear distinction between new imported users verses updates to current Okta users. Okta uses matching rules to maintain a link between the profile master source and Okta to prevent conflicts. These rules can be set from the Provisioning/Settings tab of the mastered app or directory (see User Creation & Matching under Provisioning and Deprovisioning for details).
The flow of a user's identity throughout the different cycles of access (creation, update, and removal of access to resources) is known as a user’s life cycle. A profile master can determine the beginning of this cycle, and is enabled within the provisioning and import space. For details on how profile mastering factors into provisioning, and a general overview of all provisioning options, see Provisioning and Deprovisioning.