About provisioning

Provisioning uses the SCIM protocol to synchronize user account information between your user store and the external applications your users access every day.

Provisioning saves time when setting up new users and teams, and helps you manage access privileges through the user lifecycle. Okta can create, read, and update user accounts for new or existing users, remove accounts for deactivated users, and synchronize attributes across multiple user stores.

The provisioning and deprovisioning actions are bi-directional, so you can create accounts inside an external application and import them into Okta. Or you can create the accounts in Okta and then push them out to any integrated external application.

If provisioning is supported, external cloud and on-premises applications can be provisioned whether they're upstream or downstream of Okta. An upstream application is one that sends user data to Okta. A downstream application is one that receives user data from Okta.

There are hundreds of pre-built app integrations in the Okta Integration Network (OIN) to help you manage provisioning with external cloud-based and on-premises applications.

Advantages

Using Okta to provision user account information combines the robustness and flexibility of Okta Universal Directory with the security of Okta federated authentication methods.

  • Account management: Use Okta to create and assign usernames, profiles, and permissions and bind your users' accounts to a single corporate user ID and password.
  • Importing users: Import users from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or certain human resources apps. You can do a bulk user import, or you can configure Okta to regularly pull user profile data from a source of truth so your system always has the latest updates.
  • Configuring rules and workflows: Require specific password rules, synchronize and import groups from external applications, and automatically deprovision users in Okta, AD, or LDAP.
  • Reports: Generate reports and audit trails to determine where changes are required to ensure efficiency.

Scenarios

Okta provides several methods for handling provisioning in a cloud-based environment:

  • AD integration provides a lightweight, on-premises Active Directory integration to synchronize with your AD configuration. You can set up real-time synchronization and Just-In-Time provisioning so that you always have the latest user profiles and don't have to wait for scheduled imports.
  • LDAP integration provides integration with several popular LDAP vendors using a lightweight agent. The LDAP integration provides real-time synchronization and JIT provisioning, similar to the AD agent.
  • HR-driven IT provides automated provisioning from external HR applications (for example, Workday, SuccessFactors, UltiPro, BambooHR, and Namely). This type of provisioning is useful for companies that want to use their HR systems as a source of truth for their users. Active Directory becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.

Deprovisioning

The deprovisioning features increase your organization's security profile by removing access to sensitive applications and content from people who leave your organization. Deprovisioning a user automatically removes them from any assigned app integration to which they were provisioned. Aside from the security aspect, deprovisioning is also important for compliance reasons and helps you to maintain an accurate usage count for your external applications.

You can deprovision a user directly from within Okta or through AD.

For app integrations that support the functionality, user access is automatically removed when the user account is deprovisioned. For app integrations that require manual deprovisioning of users, Okta admins receive a notification for any users that require manual deprovision users.

Organizations usually have policies to keep deprovisioned user accounts available for a period of time. This is useful if the account needs to be restored at a later time, or if information needs to be retrieved from a deprovisioned account.

Note

When an assignment is removed (deprovisioned) from a user in Okta, Okta doesn't delete the user’s account. The account is put into a deactivated state in the external application, and the user's access to the app integration is removed from Okta. Some external applications may support deleting the user’s account in the external application.

Permissions

A super administrator and an app administrator can assign users to app integrations. The super administrator role assigns a person full permissions.

If Okta groups are used, a group administrator can provision users or groups of users to an app integration.

Note

The Okta administrator configuring the app integration needs App Admin permissions to authorize the API provisioning that connects the external application with Okta.