Using Custom Attributes with Active Directory
For Universal Directory, Active Directory (AD) is just another application. That is, AD has its own unique App User Profile within Okta. You can view user profiles for directories in Directory > Profile Editor.
Previously, Okta managed users based on a static AD profile, comprised of 19 attributes. These were not configurable, and could only be viewed under the profile sub-tab for a user.
With UD, Okta has introduced the Profile Editor, which gives admins complete control over the AD app profile for a user. Admins can now add and remove attributes from the profile, customize attribute mappings, and perform data transformations within the inbound or outbound flows. The screenshot below shows the new Profile Editor user interface.
The first thing you'll notice is that there is a distinction between base and custom attributes. For AD, only 9 attributes are considered base. This means that for Okta, a minimum AD profile contains only 9 attributes—not the 19 we previously supported. Every attribute outside of the 9-field base profile is considered custom. Some of these custom attributes were previously part of the static profile, but now with UD, you can remove them.
- Go to Profile Editor.
- Click Profile in the Actions column for the directory you want to update.
- Click Add Attribute.
- In the Pick Schema Attributes window, select the attributes you want to add.
- To remove a custom attribute, find it in the Pick Schema Attributes window and then click X to delete it.
You can only add attributes to the AD profile if they are already in Active Directory, so Okta first does a schema discovery step to populate the attribute picker. For Okta to discover the attribute, it must be added to an object within the User object hierarchy in AD. That is, the attribute has to be added to either the user object, a parent object, or an auxiliary object in order to be discovered during this process.
Executing schema discovery takes a few seconds. When finished you are provided with a list of the attributes that Okta is permitted to discover in AD.
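As an added example (not part of the Okta documentation), the following PowerShell checks the discovery condition described above before you run schema discovery: it walks the AD schema from the user class through its parent classes (subClassOf) and auxiliary classes and reports whether a named attribute is reachable from that hierarchy. It assumes the ActiveDirectory RSAT module and a domain-joined session; the function names are my own.

```powershell
# Added example, not Okta's code. Answers: "is this attribute on the user class,
# one of its parent classes, or one of its auxiliary classes?" which is the
# condition Okta's schema discovery needs before the attribute can be picked.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ClassAttributeSet {
    # Collects every attribute a class can carry, recursing into its parent
    # (subClassOf) and auxiliary classes. $Visited prevents loops (top -> top).
    param(
        [string]$ClassName,
        [System.Collections.Generic.HashSet[string]]$Visited
    )
    if (-not $Visited.Add($ClassName)) { return @() }

    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties mayContain, systemMayContain, mustContain, systemMustContain, `
                    subClassOf, auxiliaryClass, systemAuxiliaryClass
    if (-not $cls) { return @() }

    $attrs = @($cls.mayContain) + @($cls.systemMayContain) +
             @($cls.mustContain) + @($cls.systemMustContain)

    # Parent object and auxiliary objects are exactly the places the text says
    # an attribute may live to be discovered.
    foreach ($related in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
        if ($related -and $related -ne $ClassName) {
            $attrs += Get-ClassAttributeSet -ClassName $related -Visited $Visited
        }
    }
    return $attrs | Where-Object { $_ } | Sort-Object -Unique
}

function Test-OktaDiscoverableAttribute {
    param([Parameter(Mandatory)][string]$AttributeName)
    $visited = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $userAttrs = @(Get-ClassAttributeSet -ClassName 'user' -Visited $visited)
    # -contains is case-insensitive for strings, matching LDAP display names
    return [bool]($userAttrs -contains $AttributeName)
}

# 'department' is defined on organizationalPerson, a parent of user, so it is
# reachable; an attribute attached only to an unrelated class is reported False.
Test-OktaDiscoverableAttribute -AttributeName 'department'
Test-OktaDiscoverableAttribute -AttributeName 'myUnlinkedCustomAttr'   # hypothetical name
```

Run it as a user with read access to the schema partition; if an attribute you expect comes back False, link it to the user class, a parent class, or an auxiliary class in the schema and re-run discovery in Okta.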
When a directory is integrated into Okta, some Active Directory attributes are mapped, as a convenience, by default. The mappings can be adjusted to suit your organization’s needs. The default mappings are as follows:
| Active Directory attribute | Okta attribute |
|---|---|
| <Configured user ID>* | login |
* The user ID is configured within the directory integration interface within Okta.