Okta provisioning workflow

The Okta provisioning workflow is comprised of various functions. These functions are best described by the CRUDReferencing the common database operations of Create, Read, Update, and Deactivate (instead of Delete). The CRUD principle is used in Okta for the management of users in the Okta Universal Directory. principle — the common database operations of Create, Read, Update, and Deprovision (Delete) users.

When events occur that impact a user's lifecycle, such as an employee position change, appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. license expiration, or employment termination, Okta provisioning functions are triggered and the user's lifecycle state changes.



More Information

Create user accounts

Users are managed (mastered) based on the method used to add them to Okta. Users can be imported (read) from a directory service or app. Also, users can be manually created in Okta

See Add a user manually.
Update user account information in the integrated, third-party application
  • Group push

    This feature enables you to take existing groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in Okta and their memberships, and push them to an integrated, third-party application. These groups in the application now have their memberships mastered by Okta.

  • Push profile updates

    When updates are made to the user's profile through Okta, this feature "pushes" the updated profile to the integrated, third-party app. This keeps the user profile in the app in sync with the Okta user profile.

  • Password push (sync password)

    Okta sets the user’s password to either match the Okta password or to be a randomly generated password.

    This feature pushes the user's Okta password to the integrated, third-party application. This push occurs during initial Okta set up, Okta log on, or whenever a user's Okta password changes. Passwords will also be synced from AD to Okta.

See Using Group Push.

See Synchronize passwords .

Deprovision (deactivation) and re-activation of user accounts or groups

Deprovisioning is basically provisioning in reverse where Okta pushes a request to an integrated, third-party app to disable the user account within the app. This function triggers a lifecycle change that removes a user's access to the app

Reactivating the user through Okta reactivates the user in the integrated, third-party application.

See Deprovision a user.