Okta provisioning workflow

The Okta provisioning workflow consists of several functions. These functions are best described by the CRUD principle: the common database operations of Create, Read, Update, and Deprovision (Delete) users.

When events occur that impact a user's lifecycle, such as an employee position change, app license expiration, or employment termination, Okta provisioning functions are triggered and the user's lifecycle state changes.



More Information

Create user accounts

Users are managed (mastered) based on the method used to add them to Okta. Users can be imported (read) from a directory service or app. Users can also be created manually in Okta.

See Add a user manually.

Update user account information in the integrated, third-party application
  • Group push

    This feature enables you to take existing groups in Okta and their memberships, and push them to an integrated, third-party application. These groups in the application now have their memberships mastered by Okta.

  • Push profile updates

    When updates are made to the user's profile through Okta, this feature "pushes" the updated profile to the integrated, third-party app. This keeps the user profile in the app in sync with the Okta user profile.

  • Password push (sync password)

    Okta sets the user’s password to either match the Okta password or to be a randomly generated password.

    This feature pushes the user's Okta password to the integrated, third-party application. This push occurs during initial Okta setup, at Okta logon, or whenever a user's Okta password changes. Passwords will also be synced from AD to Okta.

See About Group Push.

See Synchronize passwords.

Deprovision (deactivation) and re-activation of user accounts or groups

Deprovisioning is provisioning in reverse: Okta pushes a request to an integrated, third-party app to disable the user account within the app. This function triggers a lifecycle change that removes a user's access to the app.

Reactivating the user through Okta reactivates the user in the integrated, third-party application.

See Deprovision a user.
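
A reconciliation check for the deprovisioning and reactivation behaviour described above, added here as an example and not taken from Okta's documentation or code: it compares an export of Okta users with an export of accounts from the integrated app and reports every account whose state disagrees with Okta. The records are constructed, and the field names (login, status, assigned, username, active) are assumed export columns; DEPROVISIONED is the Okta status of a deactivated user.

```python
"""Reconcile Okta lifecycle state against accounts in an integrated app."""

# Constructed sample data. Field names are assumed export columns, not an
# Okta or app schema; "assigned" means the user is assigned to this app.
OKTA_USERS = [
    {"login": "ana@example.com", "status": "ACTIVE", "assigned": True},
    {"login": "raj@example.com", "status": "DEPROVISIONED", "assigned": False},
    {"login": "li@example.com", "status": "ACTIVE", "assigned": False},
    {"login": "sam@example.com", "status": "ACTIVE", "assigned": True},
]
APP_ACCOUNTS = [
    {"username": "Ana@Example.com", "active": True},
    {"username": "raj@example.com", "active": True},
    {"username": "li@example.com", "active": True},
    {"username": "sam@example.com", "active": False},
    {"username": "svc-backup@example.com", "active": True},
]


def reconcile(okta_users, app_accounts):
    """Return sorted (username, finding) pairs where the app disagrees with Okta."""
    # Compare case-insensitively: apps often store usernames in another case.
    okta = {u["login"].strip().lower(): u for u in okta_users}
    findings = []
    for acct in app_accounts:
        name = acct["username"].strip().lower()
        user = okta.get(name)
        if user is None:
            # Account created outside Okta, or never cleaned up.
            if acct["active"]:
                findings.append((name, "orphan: active in app, unknown to Okta"))
        elif user["status"] == "DEPROVISIONED":
            if acct["active"]:
                findings.append((name, "deactivated in Okta, still active in app"))
        elif not user["assigned"]:
            if acct["active"]:
                findings.append((name, "not assigned in Okta, still active in app"))
        elif not acct["active"]:
            # Assigned, non-deactivated user whose app account stayed disabled.
            findings.append((name, "assigned in Okta, disabled in app"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in reconcile(OKTA_USERS, APP_ACCOUNTS):
        print(f"{name}: {finding}")
```

The first three kinds of finding are accounts that outlived the access Okta grants; the last is a reactivation or assignment that did not reach the app.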