Configure Okta Provisioning for Salesforce

You can configure the Okta integration with Salesforce either with Single Sign On (SSO), Okta Provisioning, or SSO + Okta Provisioning enabled. In addition to the default attributes provided by Salesforce, you can use Schema Discovery to add additional attributes to the Salesforce profile in Okta.

Enable SSO

Security Assertion Markup Language (SAML) is a standard for logging into applications. This single sign-on (SSO) login standard is more secure and convenient than using a username and password.

To enable SSO for Salesforce:

  1. From Okta, choose Applications > Applications, select, and then click the Sign On tab.
  2. Select SAML 2.0 and then click View Setup Instructions.

Enable Okta Provisioning

To enable Okta Provisioning for Salesforce:

  1. Create an administrator account in Salesforce.

    The account username and password that you specify is used to configure Salesforce in Okta.

    Salesforce provides you with a token that's also used to configure Salesforce in Okta.



    If you reset the account password, Salesforce provides you with a new token. From Okta, you will then need to edit the Salesforce provisioning settings using the new token and your Salesforce password as described below.

  2. From Okta, go to Applications > Applications > Salesforce app > Provisioning and click Configure API Integration.

  3. Select the Enable API integration check box.

  4. Enter the username and password + token associated with your Salesforce administrator account.

    Append the Salesforce token to your password with no spaces or other characters.

    Important Note


    • To avoid breaking the integration when the password is reset, use a dedicated API account for connecting Okta to Salesforce.
    • Do not enable delegated authentication in Salesforce for the API user specified here.
  5. Click Test API Credentials.

    If successful, a verification message appears.

  6. Select To App in the left navigational panel and then click Edit to select desired provisioning features.

  7. To enable Salesforce to master Okta users or to change user import rule settings, or both, select To Okta in the left navigational panel.

  8. Click Save.

    You can now assign people to Salesforce and finish the application setup.

Add additional attributes to the Salesforce profile

Schema Discovery enables you to add additional attributes to the Salesforce profile in Okta, which makes them available to map to and from an Okta user profile.

To add additional attributes to the Salesforce profile:

  1. From the Okta Admin dashboard, select Directory > Profile Editor.
  2. Click Apps in the left navigational panel and then select the relevant Salesforce application profile.

  3. Click Profile for Salesforce.

  4. Click Add Attribute and then select the desired attributes.



    If the Salesforce instance you configured in Okta does not provide a list of Salesforce attributes, but instead presents fields where you manually add attributes, then the Salesforce instance does not allow for Schema Discovery. Install a new instance from OIN to gain Schema Discovery capability.

  5. Click Save.

    You can now utilize the selected attributes in your profile mappings both to and from Okta.

Supported custom attribute types

Listed here are the possible custom attribute types for Salesforce, made available by Schema Discovery. Custom attribute types supported by Okta can be added to the Salesforce profile. Some non-supported custom attribute types can be added to the Salesforce profile, but the results of this usage may vary (indicated by ○).

Attribute data type Supported
Auto Number  
Roll-Up Summary  
Hierarchical Relationship  
Picklist (multi-select)
Text Area
Text Area (long)
Text Area (rich)
Text (encrypted)


  • The Salesforce integration only supports the Salesforce User object. Contacts, Accounts, and Opportunity objects are not supported.
  • Okta cannot auto-update all user attributes in Salesforce while selectively excluding Profile or Role from being updated.