This is an Early Access feature. To enable it, contact Okta Support.
Hide sensitive attributes
Making an Okta user profile attribute sensitive hides information stored in attribute fields. Okta Super admin permissions are required to make an attribute sensitive and to use sensitive attributes in SAML assertions or attribute mappings.
When you make attributes sensitive, consider the following:
- Do not mark a sensitive attribute as required — When a user edits their profile, an error message appears prompting the user to correct the problem: "Value for required property sensitive is missing." The Okta user profile expects the attribute, but the user cannot see or edit it. Users cannot save their profile changes until a Super admin edits the Okta user profile to mark the attribute as not required.
- The User Permission field — This field is always treated as Hide for sensitive attributes. Changing the setting will not change the field behavior.
- API access management — If API access management is enabled for your tenant, these roles can see all attributes in the API token preview functionality in the Admin UI: Super admin, Org admin, Read-only admin, and API AM admin.
To make an attribute sensitive, you map the attribute from the app to the Okta user profile. For example, to make an employee number stored in Active Directory (AD) sensitive, you map the AD attribute to the Okta user profile attribute and mark it as sensitive. You then map the Okta user attribute to an app such as Workday. The data moves from AD, through Okta, to the app. See Work with profiles and attributes.
Using sensitive attributes in SAML assertions provides extra validation when a user signs in to an app. See Mapping Active Directory, LDAP, and Workday Values in a Template SAML or WS Fed Applications.
Only the following Okta base attributes can be marked sensitive: Secondary email, Postal Address, City, and Zip code.
- In the Admin Console, go to Directory > Profile Editor.
- Select Okta in the Filters list.
- Click Profile for Okta User (default). If Profile is unavailable, click User (default).
- In the attribute list, click information for the attribute you want to make sensitive.
- Select the Sensitive data check box.
- Click Save Attribute.
The sensitive attribute displays as asterisks in the user's profile.