About profile types

These are the three profile types supported by Okta Universal Directory:

The Okta user profile

The Okta user profile is comprised of base attributes and custom attributes. End users are people who use Okta to access applications and users are Okta administrators who use Okta to administer their org.

Okta has defined 31 default base attributes for all users in an org. The only base attributes that you can modify or remove are First Name and Last Name. You can mark these attributes as required or optional for Okta sourced users. To import users with empty First Name and Last Name attributes, you must mark the attributes as optional in Okta, or the import fails.

The default format for the Username attribute is an email address. You can use the Format Restriction control to change the default format or replace it with a specific set of allowable characters.

You can only add attributes to the directory profile if they are already in the directory. When importing users, a schema discovery operation is completed first to populate the attribute picker. To let Okta discover attributes, they must be added to a user object, a parent object, or an auxiliary object in the directory.

When the schema discovery is completed, a list of the attributes that Okta has permission to discover in the directory are available.

You can add custom user attributes to define additional user settings. When creating custom attributes, you can't use these reserved keywords: id, externalid, created, lastupdated, scope, status, statuschanged, passwordchanged, syncstate, lastsync, credentials, _links.

The Okta group profile

The Okta default group profile is comprised of base attributes and custom attributes. The base attributes for the Okta default group profile are Name and Description. The Name attribute is a required attribute that is case sensitive and it must be unique. The Description attribute is not a required attribute.

Group profiles are only available for Okta groups and not for app groups.

When creating a new group in the Okta Admin Console, all required attributes are displayed in the Add group dialog. Groups created in the Okta Admin Console inherit the attributes defined in the default Okta group profile.

You can add custom group attributes to define additional user settings. When creating custom attributes, you can't use these reserved keywords: windowsDomainQualifiedName, groupType, groupScope, samAccountName, objectSid, externalId, dn, targetDn, googleGroupEmail, googleExternalId, oldExternalId.

The app user profile

An app user profile lists the app attributes that Okta can read and write to (read-only for identity provider). An app profile controls the attributes that Okta pushes to an app or imports from an app.

Like user profiles, app profiles have both base attributes and custom attributes. App user profiles can only be extended with attributes from a predefined list that Okta dynamically generates. Okta generates the list of attributes by querying the third-party application or directory for supported attributes. Each app controls which custom attributes it supports. The Okta profile can only be customized with attributes that the app supports. You cannot create a custom attribute for an app.