Workplace by Facebook Provisioning Guide*

* Important: This guide is a work in progress, until further notice, continue using these Provisioning Instructions.

This guide provides the steps required to configure ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. for Workplace by Facebook.


FEATURES

  • Import New Users
  • Import Profile Updates
  • Import User Schema
  • Push New Users
  • Push Profile Updates
  • Push Password Updates
  • Push User Deactivation
  • Push Group*

    *Important

    If you want to use group push for Workplace by Facebook, contact Okta Support and ask them to enable FACEBOOK_AT_WORK_ENABLE_GROUP_PUSH_ENHANCEMENTS.


REQUIREMENTS

To enable Provisioning Features, you need to first obtain an Organization ID from Facebook.

Once you receive your Organization ID, you can create a new Facebook application, as described below.


CONFIGURATION STEPS

  1. In Okta, navigate to AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console > Applications, then click Add Application.
  2. Search for Workplace by Facebook, then click Add:

  3. Under General Settings, enter an Application label, your SubDomain, and Organization ID (see REQUIREMENTS) values, then click Done:

  4. Select the Provisioning tab, then click Configure API Integration:

  5. Check Enable API integration, then click Authenticate with Workplace by Facebook:

  6. A new window with your Workplace organization will open, you might be required to enter your Facebook administrator credentials to allow Okta to use the API on your behalf. To do this, click Add to Workplace.

  7. After a series of redirects happen, your new application is configured, click Save and close this window with your Facebook orgThe Okta container that represents a real-world organization. settings.

  8. Once you see a Workplace by Facebook was verified successfully message, click Save.
  9. Select To AppAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in the left panel, then select the Provisioning Features you want to enable, then click Save:


SCHEMA DISCOVERY

Workplace by Facebook supports User's Schema DiscoveryAbility to import additional attributes to Okta, so you can add extra attributes to User's Profile. To do that in Okta:

  1. Navigate to Directory > Profile Editor.
  2. Select the APPS section in the left pane, then find your app in the list.
  3. Check the list of the attributes. If you don't find what you need, click Add Attribute to display a list of extended attributes.
  4. Check the attributes you want to add, then click Save.
  5. You are now able to import and push these User attributes values from/to Facebook.

Location attribute:

By default, when creating/updating a Facebook User, Okta populates User Location with comma-separated address properties (street, city, state, etc.). If this behavior does not fit your needs, you can add a Location field to AppUser through Schema Discovery and map it accordingly, as follows:

  1. Click Refresh Attribute List.
  2. Find the Location field in the list of attributes.
  3. Add it to the AppUser profile.
  4. Setup mapping for the Location field from Okta to Workplace by Facebook.

    For example: user.city > location


TROUBLESHOOTING


LIMITATIONS

Our current Workplace Facebook connector is capable of pulling manager/employee relationship from a single AD domain, but for those using provisioning with Okta into Facebook and pulling user data from multiple AD domains, Okta cannot provision users due to an inability to pull these relationships across multiple domains. This is a known limitation we plan on resolving in the near future.

Top