Okta Provisioning

Okta Lifecycle Management (LCM) is a product with multiple functions. These include imports, access-request workflow, groups, group rules, and provisioning to and from applications (cloud-based and on-premises). The last of these, Okta Provisioning, is foundational to LCM.

Within an organization, there are applications and users who need access to these applications. Users and applications are the only mandatory items that you must configure to use Okta.

Okta Provisioning functions

Okta Provisioning is a workflow made up of various functions. These functions are best described by the CRUD principle: the common database operations of Create, Read, Update, and Deprovision (instead of Delete), applied to users.

When events occur that impact a user's lifecycle, such as an employee position change, app license expiration, and employment termination, Okta Provisioning functions are triggered that can then change the user's lifecycle state (see Triggering events and user identity flow).

The following are the Okta Provisioning functions:

Who can perform Okta Provisioning?

A super admin and an app admin can assign users to applications. The Super Administrator Role assigns a person full permissions. If Okta app groups are utilized, a group admin can provision users to applications.


The Okta Administrator configuring the application will also need to have admin access to the desired application in order to authorize API provisioning within the application from Okta.

Okta Provisioning and app integration

Okta Provisioning synchronizes the lifecycles of user accounts across the Okta spectrum of app integrations from cloud to on-prem. Integration provides for the automated provisioning of apps.

There are hundreds of pre-built connectors in the Okta Integration Network (OIN) for cloud-based and on-premises apps.

Apps that can be Okta Provisioned

Cloud and on-prem apps can be provisioned, regardless of whether they are upstream or downstream of Okta. An upstream app is one that sends user data to Okta. A downstream app is one that receives user data from Okta.


Deprovisioning is the deactivation of users in an assigned app to which they were provisioned.

Organizations usually have policies to keep deprovisioned user accounts available for a period of time. This is useful if information needs to be restored.


When an application assignment is removed (deprovisioned) from a user in Okta, Okta does not delete the user’s account; rather, it deactivates the user’s account in the integrated third-party app. Some applications may support additional options, such as deleting the user’s account. However, these options vary from app to app.
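A reconciliation check for the deactivate-not-delete behaviour and the retention policy described above, as an added example that is not Okta's code: it compares the users assigned to an app in Okta with an account export from the downstream app. The record layout, the 90-day retention value, and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

RETENTION = timedelta(days=90)  # assumed policy value, not from the page

def audit_deprovisioning(okta_assigned, app_accounts, today, retention=RETENTION):
    """Classify downstream app accounts against Okta assignments.

    okta_assigned: set of usernames currently assigned to the app in Okta.
    app_accounts:  list of dicts exported from the downstream app with keys
                   'user', 'active' (bool) and 'deactivated_on' (date or None).
    """
    findings = {"orphaned_active": [], "retained": [], "past_retention": [],
                "assigned_but_inactive": []}
    for acct in app_accounts:
        user, active = acct["user"], acct["active"]
        if user in okta_assigned:
            # Still assigned: the downstream account should be active.
            if not active:
                findings["assigned_but_inactive"].append(user)
            continue
        if active:
            # Assignment removed but deactivation never reached the app.
            findings["orphaned_active"].append(user)
        elif acct["deactivated_on"] is None:
            # Deactivated with no date: cannot prove it is inside the window.
            findings["past_retention"].append(user)
        elif today - acct["deactivated_on"] > retention:
            findings["past_retention"].append(user)
        else:
            findings["retained"].append(user)
    return findings

# Constructed sample data (not real users or a real export).
TODAY = date(2024, 6, 1)
OKTA_ASSIGNED = {"alice", "bob"}
APP_ACCOUNTS = [
    {"user": "alice", "active": True,  "deactivated_on": None},
    {"user": "bob",   "active": False, "deactivated_on": date(2024, 5, 20)},
    {"user": "carol", "active": True,  "deactivated_on": None},
    {"user": "dave",  "active": False, "deactivated_on": date(2024, 4, 15)},
    {"user": "erin",  "active": False, "deactivated_on": date(2023, 12, 1)},
    {"user": "frank", "active": False, "deactivated_on": None},
]

if __name__ == "__main__":
    for category, users in audit_deprovisioning(OKTA_ASSIGNED, APP_ACCOUNTS, TODAY).items():
        print(f"{category}: {users}")
```

The `orphaned_active` bucket is the one to act on first: those accounts can still be used in the app even though the Okta assignment is gone.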

Provisioning for an SSO-enabled app

An SSO-enabled app can be enabled for Okta Provisioning without breaking the SSO functionality. However, if you would rather not make any changes to your SSO-enabled app, you can create another instance of the app where Okta Provisioning is enabled. The SSO-enabled app and the provision-enabled app are "linked" through the use of the same user folders. This affords provisioning functions to the SSO-enabled app.

The provision-enabled app runs in the background and is not accessible to end users. (The app is not in the end-user org.) End users will only have access to the SSO-enabled app. The provision-enabled app is only for user and app management.

With Salesforce as the example app used in the user guide, the app enabled for SSO is referred to as “Salesforce – SSO” and the app enabled for Okta Provisioning is referred to as “Salesforce – PROV”.

What's next?

Now that you have a deeper understanding of Okta Provisioning, let's use your knowledge to either Give it a try: Set up Okta Provisioning for a new app or Give it a try: Set up Okta Provisioning for an existing SSO-enabled app.