When you add a user in Okta, you create a user account (also called a user profile) for that user in the Universal Directory, which is the user store for all Okta users.
User accounts often originate in a third-party app. During provisioning, if an existing app user account matches an Okta user account, the two accounts are linked.
How users are managed (mastered) is determined by how their data is added to Okta. Three methods are available to create user profiles: manually, importing from a directory or application, or importing from a CSV file.
Manually create user profiles
Users created manually in Okta are mastered by Okta: their profile data is managed in Okta, and Okta is the single source of truth and the most current source for that data.
For example, if you integrate with Salesforce for provisioning, users created in Okta are pushed to Salesforce but continue to be managed in Okta. Updates and terminations made in Okta are reflected in Salesforce and in any other integrated, third-party application that is part of the process. This downstream connection gives you a single source of truth: any change made in Okta is reflected in Salesforce. As the single source of truth, Okta manages employee and contractor access to applications.
Okta pushes user information to the integrated, third-party application, which results in the creation of a user account within the application.
When user account information is updated in Okta, this information is pushed to the integrated, third-party app where the application user account is also updated.
Import user profiles from a directory service or app
User data can be imported into Okta from:
- Directory services such as Active Directory or LDAP. See Manage Active Directory users and groups.
- Human resources applications such as Workday. See Workday Provisioning.
- Customer relationship management (CRM) applications such as Salesforce. See Enable Salesforce provisioning.
- Application suites such as Microsoft Office 365. See Provision users to Office 365.
Users created in a directory service or in an integrated, third-party application are pushed to Okta as new AppUser objects, which are then either matched and linked to existing Okta user accounts or used to create new Okta user accounts.
Profile Mastering is a more sophisticated import process that makes an application or directory the source of truth for user attribute information. It defines how user-object attributes and lifecycle state flow into Okta and are maintained over time. When a user profile is mastered from a directory or application, the Okta profile's attributes and lifecycle state are derived exclusively from that resource: the user still has an Okta profile, but it cannot be edited in Okta. If the user is disabled in the application or directory, the linked Okta user moves to the Deactivated lifecycle state on the next import.
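The following is an added, illustrative model of one import cycle under Profile Mastering; it is not Okta's import code. It assumes a simplified matching rule (case-insensitive exact match on email against unlinked Okta users), assumes that a new Okta user's login is set to the source email, and uses constructed sample records. It shows the three outcomes the text describes (link, create, deactivate on the next import when the source account is disabled) plus the check a practitioner wants: when more than one existing Okta user matches, the record is held for review instead of being silently linked to the wrong account.

```python
"""Model of a profile-mastering import cycle (illustrative, not Okta's code).
Assumption: matching is a case-insensitive exact match on email, and only
Okta users not already linked to a source account are candidates."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OktaUser:
    id: str
    login: str
    email: str
    status: str = "ACTIVE"                 # ACTIVE or DEPROVISIONED
    profile: dict = field(default_factory=dict)
    source_id: Optional[str] = None        # external id once linked to an app/directory account


@dataclass
class AppUser:
    external_id: str                       # stable id in the source system
    email: str
    active: bool                           # False means disabled in the source
    attributes: dict                       # mastered attributes (e.g. title)


def run_import(okta_users, app_users):
    """Reconcile one import; returns (okta_users, report of what changed)."""
    report = {"linked": [], "created": [], "updated": [], "deactivated": [], "review": []}
    by_source = {u.source_id: u for u in okta_users if u.source_id}
    next_id = len(okta_users) + 1

    for a in app_users:
        target = by_source.get(a.external_id)
        if target is None:
            # Not linked yet: match against unlinked Okta users only.
            candidates = [u for u in okta_users
                          if u.source_id is None and u.email.lower() == a.email.lower()]
            if len(candidates) > 1:
                # Ambiguous match: never auto-link, hold for an admin to decide.
                report["review"].append(a.email)
                continue
            if candidates:
                target = candidates[0]
                target.source_id = a.external_id
                report["linked"].append(target.login)
            else:
                # Assumption: login for a newly created user is the source email.
                target = OktaUser(id=f"00u{next_id}", login=a.email, email=a.email,
                                  source_id=a.external_id)
                next_id += 1
                okta_users.append(target)
                report["created"].append(target.login)
            by_source[a.external_id] = target
            target.profile = dict(a.attributes)      # mastered: source overwrites Okta
        elif target.profile != a.attributes:
            target.profile = dict(a.attributes)      # attributes come only from the source
            report["updated"].append(target.login)

        # Lifecycle state also comes from the source: disabled there -> deactivated here.
        if not a.active and target.status == "ACTIVE":
            target.status = "DEPROVISIONED"
            report["deactivated"].append(target.login)
    return okta_users, report


def demo():
    """Constructed sample tenant and two import cycles from a hypothetical HR app."""
    okta = [
        OktaUser("00u1", "alice@example.com", "alice@example.com"),
        OktaUser("00u2", "bob@example.com", "Bob@Example.com"),
        OktaUser("00u3", "bob.contractor@example.com", "bob@example.com"),
    ]
    cycle1 = [
        AppUser("hr-1001", "alice@example.com", True, {"title": "Engineer"}),
        AppUser("hr-1002", "bob@example.com", True, {"title": "Analyst"}),   # ambiguous
        AppUser("hr-1003", "carol@example.com", True, {"title": "Auditor"}), # new
    ]
    okta, r1 = run_import(okta, cycle1)
    cycle2 = [
        AppUser("hr-1001", "alice@example.com", True, {"title": "Senior Engineer"}),
        AppUser("hr-1003", "carol@example.com", False, {"title": "Auditor"}), # disabled
    ]
    okta, r2 = run_import(okta, cycle2)
    return r1, r2


if __name__ == "__main__":
    for cycle, report in zip(("cycle 1", "cycle 2"), demo()):
        print(cycle, report)
```

In the first cycle Alice is linked, Carol is created, and Bob is held for review because two unlinked Okta users share his email; in the second cycle Alice's title is overwritten from the source and Carol, now disabled in the source, is deactivated. Users absent from an import are left untouched in this model; what a real integration does with absent users depends on the app's import settings and is not modeled here.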
You can use the Import User Schema feature, or Schema Discovery, to import additional user attributes from apps such as Salesforce.
Use one of the following integration strategies to import user data:
- Active Directory (AD) integration
- LDAP integration
- Application integration
- JIT provisioning
Use the Okta Active Directory (AD) agent to synchronize user data between Okta and your AD instance. You can set up Real-time Synchronization and Just-In-Time (JIT) Provisioning to make sure that the user profiles remain current without the need to wait for a scheduled import.
Use the Okta LDAP agent to synchronize user data between Okta and your LDAP instance. You can set up Real-time Synchronization and Just-In-Time (JIT) Provisioning to make sure that the user profiles remain current without the need to wait for a scheduled import.
Integration with applications such as Salesforce or Workday is useful when you want to make the application the single source of truth for user data. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.
User accounts are automatically created in Okta the first time a user authenticates with AD Delegated Authentication, Desktop SSO, or inbound SAML.
Import users from a CSV file
Users are imported from a CSV file and managed in Okta. Any user profile changes are pushed to integrated, third-party applications.
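Because CSV-imported users are mastered by Okta and their attributes are pushed to every integrated application, it pays to validate the file before importing it. The following pre-flight check is an added example, not Okta's importer: it assumes the required columns are login, firstName, lastName and email (the names Okta uses for those profile attributes), treats logins as case-insensitive when looking for duplicates, and turns each valid row into a request body of the shape accepted by the Okta Users API (POST /api/v1/users). The sample CSV is constructed.

```python
"""Pre-flight validation of a user CSV before an Okta import (added example).
Assumptions: required columns are login, firstName, lastName, email; logins
are compared case-insensitively; extra columns pass through into the profile."""
import csv
import io
import re

REQUIRED = ("login", "firstName", "lastName", "email")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_csv(text):
    """Return (payloads, errors): payloads are {"profile": {...}} bodies for
    POST /api/v1/users, errors are human-readable row-level problems."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing required columns: {', '.join(missing)}"]

    payloads, errors, seen_logins = [], [], {}
    for n, row in enumerate(reader, start=2):           # row 1 is the header
        row = {k: (v or "").strip() for k, v in row.items() if k}
        empty = [c for c in REQUIRED if not row.get(c)]
        if empty:
            errors.append(f"row {n}: empty {', '.join(empty)}")
            continue
        if not EMAIL_RE.match(row["email"]):
            errors.append(f"row {n}: invalid email {row['email']!r}")
            continue
        key = row["login"].lower()
        if key in seen_logins:
            # Two rows differing only in case would collide on the same login.
            errors.append(f"row {n}: duplicate login {row['login']!r} "
                          f"(first seen on row {seen_logins[key]})")
            continue
        seen_logins[key] = n
        payloads.append({"profile": row})
    return payloads, errors


# Constructed sample file: one good row, a case-variant duplicate, a missing
# last name, a malformed email, and another good row.
SAMPLE_CSV = """login,firstName,lastName,email,department
dana@example.com,Dana,Reyes,dana@example.com,Finance
Dana@Example.com,Dana,Reyes,dana@example.com,Finance
eli@example.com,Eli,,eli@example.com,Security
fay@example.com,Fay,Okoro,fay-at-example.com,Legal
gus@example.com,Gus,Lam,gus@example.com,Ops
"""


def check_sample():
    return validate_csv(SAMPLE_CSV)


if __name__ == "__main__":
    payloads, errors = check_sample()
    print(f"{len(payloads)} rows ready to import, {len(errors)} rejected")
    for e in errors:
        print(" -", e)
```

Run it against the real file first and import only when the error list is empty; a rejected row costs nothing, while a bad or duplicated profile that reaches Okta is pushed downstream to every provisioned application on the next sync.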
User lifecycle changes such as a position change, app license expiration, or employment termination trigger certain provisioning functions that change the user's lifecycle state.