Workplace by Facebook
This guide provides the steps required to configure Provisioning for Workplace by Facebook.
- Import new users
- Import profile updates
- Import user schema
- Push new users
- Push profile updates
- Push password updates
- Push user deactivation
- Push group
To enable group push enhancements, contact Okta Support.
To enable Provisioning features, you need to first obtain an Organization ID from Facebook.
After you receive your Organization ID, you can create a new Facebook application, as described below.
- Go to Okta Admin Console > Applications, then click Add Application.
- Search for Workplace by Facebook, then click Add.
- Under General Settings, enter an Application label, your SubDomain, and Organization ID (see Requirements) values, then click Done.
- Go to the Provisioning tab, then click Configure API Integration.
- Check Enable API integration, then click Authenticate with Workplace by Facebook.
- A new window with your Workplace organization opens. You may be required to enter your Facebook administrator credentials to allow Okta to use the API on your behalf. To do this, click Add to Workplace. Make sure the Add Okta Identity to groups option is set to All groups.
- After a series of redirects, your new application is configured. Click Save and close this window with your Facebook org settings.
- When the Workplace by Facebook was verified successfully message appears, click Save.
- Select To App in the left panel, select the provisioning features you want to enable, then click Save.
Workplace by Facebook supports user schema discovery, so you can add extra attributes to a user's profile. To do that in Okta:
- Go to Directory > Profile Editor.
- Select the APPS section in the left pane, then find your app in the list.
- Check the list of attributes. If you don't find what you need, click Add Attribute to display a list of extended attributes.
- Check the attributes you want to add, then click Save.
- You can now import user attribute values from Facebook and push them to Facebook.
By default, when creating or updating a Facebook user, Okta populates the user Location with comma-separated address properties (street, city, state, etc.). If this behavior doesn’t fit your needs, you can add a Location field to AppUser through Schema Discovery and map it accordingly, as follows:
- Click Refresh Attribute List.
- Find the Location field in the list of attributes.
- Add it to the AppUser profile.
- Set up mapping for the Location field from Okta to Workplace by Facebook.
For example: user.city > location
The Workplace Facebook connector can pull the manager/employee relationship from a single AD domain. However, if you use provisioning with Okta into Facebook and pull user data from multiple AD domains, Okta can’t provision users because it can’t pull these relationships across multiple domains.
Set the manager attribute
Configure mapping for the manager attribute according to the table below (see Okta Expression Language for more details):

| Scenario | Manager attribute mapping |
|---|---|
| Don’t push the manager to Facebook at Work | empty |
| Push the manager only for users from Okta | user.manager |
| Push the manager for users imported from AD | getManagerAppUser("active_directory", "facebook_at_work").userName |
| Push the manager for users from Okta and from AD | hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager |

Migrate Push Manager to Okta Expression Language for existing app instances
- Go to Early Access features and enable Enable Okta Expression Language for manager attribute mapping for Facebook at Work. This feature is only available for existing app instances.
- Configure mapping for the manager attribute according to the table below (see Okta Expression Language for more details):

| Scenario | Manager attribute mapping |
|---|---|
| Don’t push manager to Facebook at Work | empty |
| Push manager only for users from Okta | user.manager |
| Push manager for users imported from AD | getManagerAppUser("active_directory", "facebook_at_work").userName |
| Push manager for users from Okta and from AD | hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager |

Adding a confirmed member leads to push group error
Error: The user is not a member of the parent group.
- Go to Admin panel > People in your Workplace by Facebook account.
- Check the Account Status for users in the group. No users should be in a Deactivated state.