Give it a try: Set up Okta Provisioning for a new app

To ensure your understanding of Okta ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications., exercises are provided to guide you through the Okta Provisioning workflow for Salesforce, based on common, best-practice procedures. It starts with adding an appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. to Okta. Next, is configuring the app for provisioning and then giving users access to it. The workflow also includes the deactivation and re-activation of user accounts within apps.

While not done in the exercises, users can be added to Okta by importing them from an external directory such as AD or LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., an HR-management app such as Workday, an CRM-type app such as Salesforce, or a suite-type app such as Microsoft Office. To manage users from these various user stores and assign them access to an app, it may be best to assign all these user stores to an Okta group with access rights to the desired app.

Before you begin

Ensure Salesforce is OIN supported


Salesforce being a popular CRM app, it's already one of 6,000+ apps in the Okta Integration Network (OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.) having provisioning capabilities. But as an exercise, let's go through the quick process to see if Salesforce is OIN supported.


  1. Access this website and then specify "Salesforce" in the Search for your tech field.

    Located Salesforce apps appear below the search field.

  2. To learn more about a located Salesforce app, click on the desired app.

Acquire a Salesforce demo account

An account with Salesforce is required in order to do the Okta Provisioning exercises in this user guide. The demo account offered by Salesforce is a master subscription with no expiration. You will access this account from within the Okta Preview SandboxA sandbox environment that you request from Okta. This sandbox is an org that lives in oktapreview. It gives you complete access to a fully functioning version of Okta to test things like AD integrations and application configurations prior to pushing them out to your full set of users..

Acquire an Okta Preview Sandbox account

With the Okta Preview Sandbox, you have complete access to a fully functioning version of Okta to test things like AD integrations and application configurations prior to pushing them out to your full set of users. Running a demo instance in your Okta Preview Sandbox (Okta Preview OrgThe Okta container that represents a real-world organization.) is recommended for the hands-on experience and to see the power and benefits of Okta Provisioning, using Salesforce as a typical app.

If you do not have an Okta Preview Sandbox (<your org>, you can get a free, 30-day trial account with Okta. Once you have your account setup, the Trial Okta Org will work like the production environment.

Ensure you have a user in Okta


Having at least one user in Okta is necessary to perform the exercises in this guide. If you do not have a user in Okta, this procedure provides the details for manually creating a user in Okta.


  1. Launch Okta and on the Sign In page, specify your adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. credentials.

  2. In the top bar, click Admin.

    The Okta Administrator app opens.

  3. Click Directory > People.

  4. Click Add Person.

  5. From the Add Person dialog, complete all the required fields.

    • All fields are required, except those marked "optional".
    • Specifying an email address for the Username field auto completes the Primary email field.
  6. Select Set by admin in the Password drop-down.

  7. Specify a password in the field below the drop-down.

  8. Deselect the User must change password on first login checkbox.

  9. Click Save.

    • You return to the People page where the new user is listed, having a status of active.
    • In a real-life situation, you would have to pass the new user his or her password in order for this user to login to Okta.

1. Add Salesforce to Okta


Adding Salesforce to Okta makes the app available for configuration and user assignment.


  1. Go to Applications > Applications.

  2. Click Add Application.

  3. Type in the Search for an application field.

  4. Click Add next to

  5. On the General Settings page, accept all the defaults and then click Next.

  6. On the Sign-On Options page, accept all the defaults and then click Done. is now available to be assigned to users in Okta.

2. Configure provisioning for Salesforce


Provisioning Salesforce enables you to manage the user lifecycle between Okta and Salesforce.


  1. Go to Applications > Applications and click the app.
  2. Click the Provisioning tab.
  3. Click Configure API Integration.
  4. Select Enable API integration.

    The page expands down.

  5. Enter your Salesforce administrator username in the Username field.

  6. Enter your Salesforce password and security token in the Password + Token field.

    • Salesforce generates the security token.
    • To obtain a security token from Salesforce:
      1. Open the Salesforce Tenant on a separate tab.

      2. Go to My User > Settings.

      3. From the left navigation under My Personal Information, click Reset My Security Token.

      4. From the Reset My Security Token area, click Reset Security Token.

        Salesforce emails you the new security token.

      5. Copy the security token from your email.

      6. Type your password in the Password + Token field and then paste the security token in the field along with your password.

  7. To test your API credentials, click Test API Credentials.

    If an error occurs, respecify your credentials.

  8. Click Save.

    • Provisioning is enabled.
    • Okta updates the app screen with provisioning options.

  9. Ensure To App is selected in order to push user information down to Salesforce.

  10. To specify provisioning options, click Edit.

  11. Enable all the options and then click Save.

    • For additional details, see the screen text for each option.
    • For the Create Users option, the default username is the name Okta sets in an application when a new user is added.

      To change the default username:

      1. Click the default username link.
      2. From the Sign On tab, click Edit and make the desired selection from the Application username format drop-down.

      3. Click Save.
    • If you assign a user to Salesforce, Okta will push the user information down to Salesforce and create an account for the user within the app.
    • If you update user information in Okta, Okta updates the user account with this information in Salesforce.


      1. Go to Directory > People.
      2. Click the desired user and then the Profile tab.
      3. Click Edit.

      4. In the Title field, specify a title and then click Save.

      5. Map the user title attribute to the appropriate Salesforce attribute.
        1. Go to Applications > Applications.

        2. Click

          Click Provisioning for

        3. Scroll down to the " Attribute Mappings" area and then click Go to Profile Editor.

        4. From the Profile Editor page, click Map Attributes.
        5. From the User Profile Mappings page, click Okta to
        6. Locate title and then type user.title in the field.

          • The text on the right (title string) is from Salesforce.
          • A right-pointing green arrow appears indicating that the user attribute that you specified exists in Okta.
        7. To test the mapping, specify the user in the Preview field.

          The title that you specified in Okta appears on the right in a green box to indicate that the mapping is successful.

        8. Click Exit Preview and then Save Mapping.

        9. Click Apply updates now.

          • Once a user is assigned, the title that you specified in Okta is pushed down to Salesforce and appears in the Title field of the User Edit page.
          • To confirm that the mapping was established with Salesforce, go to Reports > System Log and locate the entry, "Update universal directory mapping" with a status of "success".

3. Assign Salesforce to a user


With Salesforce configured for provisioning, you can assign the app to a user. Assigning a user to Salesforce achieves the same end.


  1. Go to Applications > Applications.
  2. Open the app.
  3. Click the Assignments tab.
  4. From the Assign drop-down, choose Assign to People.

  5. From the Assign to People dialog, click Assign.

  6. From the Profile drop-down, choose Chatter Free User.

  7. Click Save and Go Back.

    Okta returns you to the first Assign to People dialog where the user is listed with a disabled Assigned button. This indicates that Salesforce is now assigned to the user.

  8. From the first Assign to People dialog, click Done.

    • The user is listed in the Assignment tab with type individual.
    • To confirm that the user was assigned to Salesforce, go to Reports > System Log and locate the entry, "Push user's profile to external application" with a status of "success".

4. Deprovision a user


Deprovisioning is the deactivation of users in an assigned app to which they were provisioned.


  1. Go to Directory > People.
  2. Click on the user.

  3. From the user screen, chose More Actions > Deactivate.

  4. From the Deactivate Person dialog, click Deactivate.

    • Now the user cannot sign-in to Okta to access Salesforce.
    • You can always reactivate this user's account at a later time, but the user will have to reset the password.
    • You can go to Salesforce in Okta and see that the user is no longer listed as assigned to it.
    • In the tenant, the user licensing/access is removed.

5. Reactivate a user


Organizations usually have policies to keep deprovisioned user accounts available for a period of time. This is useful if information needs to be restored.

The reactivate process is basically the deprovisioning process in reverse.


  1. Go to Directory > People.
  2. Click on the user.

    This user has the status of Deactivated.

  3. From the user screen, click Activate.

  4. From the "Activate Person" dialog, click Activate.

    • An activation email will be sent to this person informing them that their account is now active. You can edit the content of these emails on the customize email page.
    • Note that the Set Password and Activate button contains a blue check mark. This is because you selected the Set by admin option when adding the user.
  5. Re-assign the Salesforce app to the user.

    This re-associates the Okta user with the non-active account and re-activates it.