When you add a user in Okta, you are creating a user account — a user profile — for the user in the Okta Universal Directory. Universal Directory is the user store for all Okta users.
User accounts often already exist in external applications. During provisioning, if an existing user account in an external application matches an Okta user account, then the Okta account and the external application account can be matched and linked.
The method used to manage users is determined by how user data is added to Okta. Three methods are available to create user profiles:
- Manually create user profiles
- Import user profiles from a directory service or app
- Import users from a CSV file
For users that are manually created in Okta, the Okta Universal Directory is the single source of truth.
When provisioning is configured in an Okta app integration, Okta pushes user information down to the external application, which results in the creation of a user account within that external application.
Later, if user account information is updated in Okta, then this information is pushed out to the external application where the user account is updated.
For example, if you integrate with Salesforce for provisioning, users created in Okta are pushed to the Salesforce application, but are managed in Okta. Updates and terminations made in Okta are automatically reflected in Salesforce (or any other external applications that are part of your provisioning flow). These downstream connections have a single source of truth, so there is no issue with conflicting user profile information from multiple upstream profiles.
User data can be imported into Okta from:
- Directory services, such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). See Manage Active Directory users and groups
- Human resources applications, such as Workday. See Workday
- Customer relationship management (CRM) applications, such as Salesforce. See Enable Salesforce provisioning
- Application suites, such as Microsoft Office 365. See Provision users to Office 365
Use one of the following integration strategies to import user data:
- AD or LDAP integration: Use the Okta Active Directory (AD) Agent or the Okta LDAP Agent to synchronize user data between Okta and your directory instance. You can set up real-time synchronization and Just-in-Time (JIT) provisioning to keep the user profiles current without needing to wait for a scheduled import.
- Application integration: Integration with external applications such as Salesforce or Workday is useful when you want to make that external application the single source of truth for user data. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.
- JIT provisioning: User accounts are automatically created in Okta the first time a user authenticates with AD Delegated Authentication, Desktop SSO, or inbound SAML.
Users created in a directory service or external application are pushed to Okta, where new AppUser objects are created. Each AppUser object is then either matched against an existing Okta user account or used to create a new Okta user account.
You can use the Import User Schema feature, or Schema Discovery, to import additional user attributes from apps such as Salesforce.
Profile Sourcing is a more sophisticated process for importing user data: it makes an external application or a directory the source of truth for a user's attributes and lifecycle state. When a user profile is sourced from an external application or directory, the Okta user profile's attributes and lifecycle state are derived exclusively from that resource. An Okta user that is sourced by an external application or directory has an Okta profile, but the profile cannot be edited in Okta. If the user profile in the external application or directory is disabled, the linked Okta user profile moves to the Deactivated lifecycle state on the next import.
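As an added illustration of the matching-and-linking rule described earlier and the Profile Sourcing rules above (this is example code, not Okta's; the AppUser records, app names, external ids and the `import_app_users`/`edit_in_okta` helpers are constructed for the illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class OktaUser:
    login: str
    attrs: dict
    status: str = "Active"                 # lifecycle state, using the page's wording
    sourced_by: Optional[str] = None       # app or directory that owns the profile
    linked: Dict[str, str] = field(default_factory=dict)  # app name -> external id

class SourcedProfileError(Exception):
    """Raised on an Okta-side edit of a profile owned by an external source."""

# Constructed sample AppUser records, as if imported from an HR app (hypothetical ids).
SAMPLE_APP_USERS = [
    {"login": "ana@example.com", "external_id": "hr-1001", "disabled": False,
     "attrs": {"dept": "eng", "title": "SRE"}},
    {"login": "bo@example.com", "external_id": "hr-1002", "disabled": True,
     "attrs": {"dept": "ops", "title": "Analyst"}},
]

def import_app_users(directory, app, app_users, profile_sourcing=False):
    """Reconcile AppUser records from `app` against the Okta directory.

    Match on login; link a match, otherwise create a new Okta user. With profile
    sourcing, attributes and lifecycle state of every linked user come exclusively
    from the app record. Without it, existing users keep their Okta-managed
    attributes (a simplifying assumption of this example).
    """
    for rec in app_users:
        user = directory.get(rec["login"])
        if user is None:
            user = OktaUser(login=rec["login"], attrs=dict(rec["attrs"]))
            directory[rec["login"]] = user
        user.linked[app] = rec["external_id"]          # link the two accounts
        if profile_sourcing:
            user.sourced_by = app
            user.attrs = dict(rec["attrs"])
            # a disabled source account moves the Okta user to Deactivated on import
            user.status = "Deactivated" if rec["disabled"] else "Active"
    return directory

def edit_in_okta(user, **changes):
    """Okta-side profile edit; refused when the profile is externally sourced."""
    if user.sourced_by:
        raise SourcedProfileError(f"{user.login} is sourced by {user.sourced_by}")
    user.attrs.update(changes)
    return user.attrs
```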
User information is imported from a CSV file and managed in Okta. Any user profile changes are pushed to external applications.
As with any other Okta user profile, any lifecycle changes such as a position change, app license expiration, or employment termination trigger the automated provisioning functions that update the user's lifecycle state.