Okta Lifecycle Management (LCM) is a product with multiple functions. These include imports, access-request workflow, groups, group rules, and provisioning to and from applications (cloud-based and on-premises). The latter of these, Okta Provisioning, is foundational to LCM.
Within an organization, there are applications and users who need access to these applications. Users and applications are the only mandatory items that you must configure to use Okta.
Okta Provisioning is a workflow comprised of various functions. These functions are best described by the CRUD principle: the common database operations of Create, Read, Update, and Deprovision (instead of Delete) applied to users.
When events occur that impact a user's lifecycle, such as an employee position change, app license expiration, and employment termination, Okta Provisioning functions are triggered that can then change the user's lifecycle state (see Triggering events and user identity flow).
The following are the Okta Provisioning functions:
Create user accounts
Users are managed (mastered) based on the method used to add them to Okta. Users can be imported (read) from a directory service or app. Also, users can be manually created in Okta.
Update user account information in the integrated, third-party application
This feature enables you to take existing groups in Okta and their memberships, and push them to an integrated, third-party application. These groups in the application now have their memberships mastered by Okta.
See Using Group Push.
Push profile updates
When updates are made to the user's profile through Okta, this feature "pushes" the updated profile to the integrated, third-party app. This keeps the user profile in the app in sync with the Okta user profile.
Password push (sync password)
Okta sets the user’s password to either match the Okta password or to be a randomly generated password.
This feature pushes the user's Okta password to the integrated, third-party application. This push occurs during initial Okta setup, Okta sign-in, or whenever a user's Okta password changes. Passwords will also be synced from AD to Okta.
See Using Sync Password.
Deprovision (deactivation) and re-activation of user accounts or groups
Deprovisioning is provisioning in reverse: Okta pushes a request to an integrated, third-party app to disable the user account within the app. This function triggers a lifecycle change that removes a user's access to the app (see Deprovisioning).
Reactivating the user through Okta reactivates the user in the integrated, third-party application.
Because Okta Provisioning enables you to manage user accounts automatically within applications, many of the traditionally manual tasks required to onboard and offboard employees are eliminated.
The benefits of Okta Provisioning are appreciated by IT, HR, and employees.
Save money
- Reduce the Total Cost of Ownership (TCO) through the retirement of legacy systems.
- With provisioning less time-consuming and error-prone, organizations can reduce costs.
Improve productivity through automation
- Okta Provisioning manages the lifecycles of user accounts across the Okta spectrum of app integrations, from cloud to on-prem. Okta integration with applications provides for the automated provisioning of apps using a single source of truth. A single source of truth makes provisioning and deprovisioning simple and quick. In addition to reducing individual onboarding time, it also provides seamless scalability.
- Provisioning and deprovisioning are bi-directional, so accounts can be created inside an application and imported into Okta or added to Okta and then pushed to corresponding applications.
- New users are automatically provisioned with user accounts in their apps.
- Inactive and deactivated employees are automatically deprovisioned from their apps, enabling instant offboarding.
- With provisioning less time-consuming and error-prone, organizations can enable new employees to be immediately productive.
- Allows consolidation of users into Okta from across many separate and independent sources.
Security is enhanced
- Decrease security risk when offboarding users
- Securely store users and passwords
- Password policy with options for complexity
- Group-based password policy
- Rich attribute storage and transformation for supporting rich SAML and authorization scenarios based on attributes
- Integrate with internal systems to retrieve dynamic data or additional entitlements for downstream applications
Enhance employee data accuracy and fidelity
Profile updates (for example, department changes) populate automatically, synchronizing user attributes across multiple integrations. This includes password synchronization, where the password is pushed across multiple integrations.
- Reduce back-and-forth friction with IT
- Don't pay employees longer than you should
- The ability to natively create, read, and update users in Okta
Audit/Compliance of app assignment records
Audit/Compliance enables you to provide auditors assignment records and show them the process that produced the records.
- Accelerate productivity with day-one app access
- Avoid delays with self-service profile updates
- Consolidated place for updating your profile
Centralization of usernames and passwords
Centralization into Okta provides users with a single access point so they don't have to remember multiple usernames and passwords. User identities live in many different places. With Okta Universal Directory, you can create a centralized view of all your users, wherever they are mastered. This makes access management more straightforward and secure and gives users a consistent experience across all products.
A super admin and an app admin can assign users to applications. The Super Administrator role grants a person full permissions. If Okta app groups are used, a group admin can provision users to applications.
Okta Provisioning synchronizes the lifecycles of user accounts across the Okta spectrum of app integrations from cloud to on-prem. Integration provides for the automated provisioning of apps.
There are hundreds of pre-built connectors in the Okta Integration Network (OIN) for cloud-based and on-premises apps.
Cloud and on-prem apps can be provisioned regardless of whether they are upstream or downstream of Okta. An upstream app is one that sends user data to Okta. A downstream app is one that receives user data from Okta.
Deprovisioning is the deactivation of users in an assigned app to which they were provisioned.
Organizations usually have policies to keep deprovisioned user accounts available for a period of time. This is useful if information needs to be restored.
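As an added illustration (not Okta code) of the CRUD-with-Deprovision principle behind the provisioning functions listed above and of the retention window for deprovisioned accounts: a constructed in-memory model of a provisioning-enabled app instance, where deprovisioning deactivates rather than deletes, reactivation is allowed only within an assumed 30-day retention period, and every lifecycle action is written to an audit record. All class and function names and the retention period are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed retention policy for deactivated accounts (not an Okta default).
RETENTION = timedelta(days=30)

@dataclass
class AppAccount:
    login: str
    profile: dict
    active: bool = True
    deactivated_at: Optional[datetime] = None

@dataclass
class DownstreamApp:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # assignment records for auditors

    def _log(self, action: str, login: str, now: datetime) -> None:
        self.audit.append((now.isoformat(), action, login))

    def create(self, login: str, profile: dict, now: datetime) -> None:
        self.accounts[login] = AppAccount(login, dict(profile))
        self._log("create", login, now)

    def update(self, login: str, changes: dict, now: datetime) -> None:
        # Profile push: attribute changes made in Okta overwrite the app copy.
        self.accounts[login].profile.update(changes)
        self._log("update", login, now)

    def deprovision(self, login: str, now: datetime) -> None:
        # Deactivate rather than delete, so the record stays restorable.
        acct = self.accounts[login]
        acct.active, acct.deactivated_at = False, now
        self._log("deprovision", login, now)

    def reactivate(self, login: str, now: datetime) -> None:
        acct = self.accounts[login]
        if not acct.active and now - acct.deactivated_at > RETENTION:
            raise ValueError(f"{login}: retention window expired")
        acct.active, acct.deactivated_at = True, None
        self._log("reactivate", login, now)

    def purge_expired(self, now: datetime) -> list:
        # Only after the retention window does the record actually go away.
        gone = [l for l, a in self.accounts.items()
                if not a.active and now - a.deactivated_at > RETENTION]
        for login in gone:
            del self.accounts[login]
            self._log("purge", login, now)
        return gone
```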
An SSO-enabled app can be enabled for Okta Provisioning without breaking the SSO functionality. However, if you would rather not make any changes to your SSO-enabled app, you can create another instance of the app where Okta Provisioning is enabled. The SSO-enabled app and the provisioning-enabled app are "linked" through the use of the same user folders. This gives the SSO-enabled app provisioning functions.
The provisioning-enabled app runs in the background and is not accessible to end users. (The chiclet for this app is not shown in the end user org.) End users only have access to the SSO-enabled app. The provisioning-enabled app is only for user and app management.
With Salesforce as the example app used in the user guide, the app enabled for SSO is referred to as “Salesforce – SSO” and the app enabled for Okta Provisioning is referred to as “Salesforce – PROV”.
Now that you have a deeper understanding of Okta Provisioning, let's use your knowledge to either Give it a try: Set up Okta Provisioning for a new app or Give it a try: Set up Okta Provisioning for an existing SSO-enabled app.