Work with Okta user profiles and attributes

Universal Directory (UD) delivers rich user profiles and fine-grained control over how attributes flow between applications. This makes it easier for organizations to create and maintain a single source of truth for their users, enabling new authentication and provisioning scenarios.

As you configure and deploy your Okta org, you will need to understand which attributes need to be part of the Okta user profile. Factors to consider include whether you are using a directory such as Active Directory or LDAP, or another app such as an HR app, as a profile master. To learn more about how UD and the Profile Editor work together to help you manage user profiles and attributes, see About Universal Directory and user profiles.

Working with the Okta user profile and attributes includes the following:

Enforce custom attribute uniqueness

You may wish to enforce attribute uniqueness across your organization for custom attributes in the Okta user profile, for example an employee identification number. You may mark up to 5 attributes as unique.

You can only enforce uniqueness in custom attributes in the Okta user profile. If you are importing users from Active Directory or LDAP and attempt to import one or more users who would violate the uniqueness requirement, import will fail on those users.

If an end user edits their profile and attempts to enter a duplicate value for a custom attribute that has the uniqueness restriction applied to it, they will see a message that the value already exists. They will be unable to save their change until they enter a unique value.

When you mark an existing custom attribute as requiring a unique value, Universal Directory will run a validation check to ensure that no duplicate entries already exist.

  • This check may take some time, depending on how many user records you have.
  • A status message on the Profile Editor page indicates:
    • how many records have been checked
    • how many duplicates have been found, and
    • the estimated time remaining.
  • If duplicate records are found, the attribute cannot currently have uniqueness applied to it and the Restriction check box is cleared automatically. You will have to resolve the duplicate values before applying uniqueness to the attribute.

To enforce uniqueness for a custom attribute:

  1. In the Profile Editor, click the Okta Profile to edit the Okta user profile attributes.
  2. Scroll to the custom attribute you want to mark as unique.
  3. Click Edit.
  4. For Restriction, select that the value must be unique for each user.

    While Okta verifies that the existing data is unique across all users, the check box is grayed out. To remove the uniqueness requirement, deselect the option.

  5. Click Save Attribute.

The status message on the Profile Editor page displays the validation progress and status. This message is displayed to all admins viewing the Profile Editor page so that they are aware a validation check is running.
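The validation check described above, and the import failures described earlier, can be anticipated with a pre-flight audit. The following is an added example, not Okta's own code: it takes user records shaped like Okta user objects (an `id` plus a `profile` dictionary, constructed sample data here) and reports which values of a custom attribute are already duplicated, which incoming directory records would be rejected by an import, and whether the planned set of unique attributes fits the limit of 5. It assumes an unset or empty value does not count as a collision.

```python
"""Pre-flight audit for Okta custom-attribute uniqueness (added example).

Finds the duplicate values that would make Universal Directory clear the
Restriction check box, and the import records that would fail on a
uniqueness violation. Records mimic Okta user objects: {"id", "profile"}.
"""
from collections import defaultdict

MAX_UNIQUE_ATTRIBUTES = 5  # Okta allows up to 5 custom attributes marked unique

# Constructed sample of existing Okta users (not real data).
EXISTING_USERS = [
    {"id": "00u1", "profile": {"login": "a@example.com", "employeeId": "E100"}},
    {"id": "00u2", "profile": {"login": "b@example.com", "employeeId": "E101"}},
    {"id": "00u3", "profile": {"login": "c@example.com", "employeeId": "E100"}},
    {"id": "00u4", "profile": {"login": "d@example.com"}},  # attribute unset
]

def find_duplicates(users, attribute):
    """Return {value: [user ids]} for every value shared by two or more users.
    Assumption: a missing or empty value is skipped rather than treated as
    colliding with other missing values."""
    seen = defaultdict(list)
    for user in users:
        value = user.get("profile", {}).get(attribute)
        if value in (None, ""):
            continue
        seen[value].append(user["id"])
    return {v: ids for v, ids in seen.items() if len(ids) > 1}

def rejected_imports(existing, incoming, attribute):
    """IDs of incoming records (e.g. an AD/LDAP import) whose value already
    exists in Okta or repeats an earlier incoming record; these are the
    users the import would fail on. Assumption: first occurrence wins."""
    taken = {u.get("profile", {}).get(attribute) for u in existing} - {None, ""}
    rejected = []
    for rec in incoming:
        value = rec.get("profile", {}).get(attribute)
        if value in (None, ""):
            continue
        if value in taken:
            rejected.append(rec["id"])
        else:
            taken.add(value)
    return rejected

def within_unique_attribute_cap(attributes):
    """True if the planned set of unique attributes fits Okta's limit of 5."""
    return len(set(attributes)) <= MAX_UNIQUE_ATTRIBUTES

if __name__ == "__main__":
    dups = find_duplicates(EXISTING_USERS, "employeeId")
    print(f"checked {len(EXISTING_USERS)} records, {len(dups)} duplicate value(s): {dups}")
```

Run it against an export of your real user profiles before ticking the Restriction box; every value it lists must be resolved first, or Universal Directory will clear the setting again.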

Related Topics

About Universal Directory and user profiles

Enforce uniqueness on custom attributes

Hide sensitive attributes