Configure Okta Provisioning for Salesforce

You can configure the Okta integration with Salesforce either with Single Sign On (SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.), Okta ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications., or SSO + Okta Provisioning enabled. In addition to the default attributes provided by Salesforce, you can use Schema DiscoveryAbility to import additional attributes to Okta to add additional attributes to the Salesforce profile in Okta.

Enable SSO

Security Assertion Markup Language (SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated.) is a standard for logging into applications. This single sign-on (SSO) login standard is more secure and convenient than using a username and password.

To enable SSO for Salesforce:

  1. From Okta, choose Applications > Applications, select, and then click the Sign On tab.
  2. Select SAML 2.0 and then click View Setup Instructions.

Enable Okta Provisioning

To enable Okta Provisioning for Salesforce:

  1. Create an administrator account in Salesforce.

    The account username and password that you specify is used to configure Salesforce in Okta.

    Salesforce provides you with a token that's also used to configure Salesforce in Okta.



    If you reset the account password, Salesforce provides you with a new token. From Okta, you will then need to edit the Salesforce provisioning settings using the new token and your Salesforce password as described below.

  2. From Okta, go to Applications > Applications > Salesforce appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. > Provisioning and click Configure API Integration.

  3. Select the Enable API integration check box.

  4. Enter the username and password + token associated with your Salesforce administrator account.

    Append the Salesforce token to your password with no spaces or other characters.

    Important Note


    • To avoid breaking the integration when the password is reset, use a dedicated API account for connecting Okta to Salesforce.
    • Do not enable delegated authentication in Salesforce for the API user specified here.
  5. Click Test API Credentials.

    If successful, a verification message appears.

  6. Select To App in the left navigational panel and then click Edit to select desired provisioning features.

  7. To enable Salesforce to master Okta users or to change user import rule settings, or both, select To Okta in the left navigational panel.

  8. Click Save.

    You can now assign people to Salesforce and finish the application setup.

Add additional attributes to the Salesforce profile

Schema Discovery enables you to add additional attributes to the Salesforce profile in Okta, which makes them available to map to and from an Okta user profile.

To add additional attributes to the Salesforce profile:

  1. From the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. dashboard, select Directory > Profile Editor.
  2. Click Apps in the left navigational panel and then select the relevant Salesforce application profile.

  3. Click Profile for Salesforce.

  4. Click Add Attribute and then select the desired attributes.



    If the Salesforce instance you configured in Okta does not provide a list of Salesforce attributes, but instead presents fields where you manually add attributes, then the Salesforce instance does not allow for Schema Discovery. Install a new instance from OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. to gain Schema Discovery capability.

  5. Click Save.

    You can now utilize the selected attributes in your profile mappings both to and from Okta.

Supported custom attribute types

Listed here are the possible custom attribute types for Salesforce, made available by Schema Discovery. Custom attribute types supported by Okta can be added to the Salesforce profile. Some non-supported custom attribute types can be added to the Salesforce profile, but the results of this usage may vary (indicated by ○).

Attribute data type Supported
Auto Number  
Roll-Up Summary  
Hierarchical Relationship  
Picklist (multi-select)
Text Area
Text Area (long)
Text Area (rich)
Text (encrypted)


  • The Salesforce integration only supports the Salesforce User object. Contacts, Accounts, and Opportunity objects are not supported.
  • Okta cannot auto-update all user attributes in Salesforce while selectively excluding Profile or Role from being updated.