A profile master is an application (a directory service such as Active Directory or LDAP, or an HR-management app such as Workday) that acts as the "source of truth" for user identities. Profile mastering applies only to Okta user profiles, not to app user profiles. Once enabled from the app or directory's Provisioning tab, a profile master appears in the list on the Profile Masters page. Without any external profile master, all profiles are mastered by Okta.
Currently, if more than one profile master exists on the Profile Masters page, they can be prioritized so that different users are mastered by different systems, depending on which apps or directories they are assigned to. At any given time, only one profile master can master a user's entire profile.
Profile masters are powerful tools that can manage the entire life cycle (creation, updates, and deactivation) of an Okta user. Admins who use Workday, for example, can have Okta receive user creation, update, and termination events from Workday.
Okta is periodically adding profile master capabilities to an expanding number of apps and directories. The following apps and directories are among those available for profile mastering:
- Active Directory
- G Suite
- Namely (built by an ISV)
The Profile Masters page lists, in priority order, all of the apps and directories you have designated as profile masters. This priority order is what Attribute-level mastering uses to resolve a user's profile; without it, all of a user's attributes are mastered by a single profile master. A newly added profile master is placed at the lowest priority so that the existing order is not altered.
- In the Admin Console, go to Directory > Profile Masters. All profile masters are listed, and their order is shown in the Priority column.
- Click the arrows to change the priority of the corresponding app or directory.
Enabling Profile Master and Update User Attributes for the same application allows you to push Okta-to-App profile mappings to your highest priority profile master. This is useful when you want to sync attributes from downstream applications back to the profile master, for example an email address and phone number from an app back to the master Workday profile. However, you can lose data if an app that you designate as a profile master can also receive profile updates from Okta.
Caution: Enabling both Profile Master and Update User Attributes for the same app may result in:
- Unwanted profile pushes: Okta updates can overwrite the values of unmapped attributes in an app, even if that app is the highest priority profile master. For example, if the cn attribute is not mapped from Active Directory to Okta, and Active Directory is configured for both Profile Master and Update User Attributes, Okta applies a default mapping to cn.
- Overwritten IdP-mastered attributes: Okta-to-App updates can overwrite attributes that are mastered by another identity source. There is no partial push option.
- Race conditions: Okta can overwrite an updated attribute in an identity source before other updates are pushed back to Okta. For example, consider a user whose first name and last name are imported into Okta from a directory, but whose email address is imported into Okta from an app. If the user's last name changes in the directory before the corresponding email address update is made in the app, Okta could push the new name together with the old email address.
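The following Python model replays the race described above and the "no partial push" behaviour behind it. It is an added illustration, not Okta code: the source names (`directory`, `hr_app`), attribute names, the Okta-to-App mapping, and the event ordering are all constructed. `apply_import` honours per-attribute mastering on the way in, `push_to_app` sends every mapped attribute on the way out (as the text says Okta does), and `stale_attrs` is the check a practitioner would want: which pushed values the target app itself masters and would have overwritten.

```python
"""Constructed model of attribute-level mastering and the Okta-to-App push race.

Added example, not Okta code. Source names, attributes and ordering are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Which source masters each Okta attribute (attribute-level mastering).
# Constructed: names come from a directory, email from an HR app.
MASTERS: Dict[str, str] = {
    "firstName": "directory",
    "lastName": "directory",
    "email": "hr_app",
}

# Okta -> App mapping for the HR app. In this scenario the HR app is both a
# profile master and a push target (Profile Master + Update User Attributes).
HR_APP_MAPPING: Dict[str, str] = {
    "firstName": "first_name",
    "lastName": "last_name",
    "email": "work_email",
}


@dataclass
class ImportEvent:
    source: str            # profile master that emitted the change
    attrs: Dict[str, str]  # attribute values it reports


@dataclass
class OktaUser:
    profile: Dict[str, str] = field(default_factory=dict)
    pushes: List[Dict[str, str]] = field(default_factory=list)


def apply_import(user: OktaUser, event: ImportEvent) -> bool:
    """Apply an inbound event, honouring per-attribute mastering.

    Only attributes mastered by event.source are accepted; values for
    attributes mastered elsewhere are ignored. Returns True if anything changed.
    """
    changed = False
    for attr, value in event.attrs.items():
        if MASTERS.get(attr) != event.source:
            continue  # another source masters this attribute
        if user.profile.get(attr) != value:
            user.profile[attr] = value
            changed = True
    return changed


def push_to_app(user: OktaUser, mapping: Dict[str, str]) -> Dict[str, str]:
    """Okta -> App push: every mapped attribute is sent, there is no partial push."""
    payload = {app_attr: user.profile.get(okta_attr)
               for okta_attr, app_attr in mapping.items()}
    user.pushes.append(payload)
    return payload


def stale_attrs(payload: Dict[str, str], mapping: Dict[str, str],
                target: str, target_state: Dict[str, str]) -> List[str]:
    """Return the Okta attributes that the target itself masters and whose
    pushed value disagrees with the target's current value: the overwrites."""
    stale = []
    for okta_attr, app_attr in mapping.items():
        if MASTERS.get(okta_attr) == target and payload[app_attr] != target_state.get(okta_attr):
            stale.append(okta_attr)
    return stale


def run_race() -> Dict[str, object]:
    """Replay the race: the directory reports a new last name before Okta has
    imported the new email address from the HR app."""
    user = OktaUser()
    apply_import(user, ImportEvent("directory", {"firstName": "Ada", "lastName": "Lovelace"}))
    apply_import(user, ImportEvent("hr_app", {"email": "ada.lovelace@example.com"}))

    # The HR app has already changed the address locally; Okta has not imported it yet.
    hr_app_state = {"email": "ada.king@example.com"}

    # The directory change lands first and triggers an Okta -> App push.
    changed = apply_import(user, ImportEvent("directory", {"lastName": "King"}))
    payload = push_to_app(user, HR_APP_MAPPING) if changed else {}

    return {
        "payload": payload,
        "overwritten": stale_attrs(payload, HR_APP_MAPPING, "hr_app", hr_app_state),
    }


if __name__ == "__main__":
    print(run_race())
```

The push carries the new last name together with the old email, and `stale_attrs` flags `email` as the value the HR app would lose. The only remedy the text offers is configuration: do not enable Update User Attributes on an app that also masters attributes you cannot afford to have overwritten.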
This is an Early Access feature. To enable it, contact Okta Support.
Attribute Level Mastering (ALM) delivers finer-grain control over how profiles are mastered by letting you specify different profile masters for individual attributes. This Early Access feature is a powerful element of Okta Provisioning. For details, see Setting up Attribute Level Mastering.
Using a profile master requires a clear distinction between newly imported users and updates to existing Okta users. Okta uses matching rules to maintain the link between the profile master source and the Okta user and to prevent conflicts. These rules are set from the Provisioning/Settings tab of the mastered app or directory (see User Creation & Matching under Provisioning and Deprovisioning for details).
The flow of a user's identity through the different stages of access (creation, update, and removal of access to resources) is known as the user's life cycle. A profile master can determine the beginning of this cycle and is enabled from the provisioning and import settings. For details on how profile mastering factors into provisioning, and a general overview of all provisioning options, see Provisioning and Deprovisioning.