Provisioning
Provisioning uses the SCIM protocol to synchronize user account information between your user store and the external apps your users access every day.
Provisioning saves time when setting up new users and teams, and helps you manage access privileges through the user lifecycle. Okta can create, read, and update user accounts for new or existing users, remove accounts for deactivated users, and synchronize attributes across multiple user stores.
Provisioning and deprovisioning are bidirectional: you can create accounts in an external app and import them into Okta, or create them in Okta and push them out to any integrated external app.
If provisioning is supported, external cloud and on-premises apps can be provisioned whether they're upstream or downstream of Okta. An upstream app is one that sends user data to Okta. A downstream app is one that receives user data from Okta.
There are hundreds of pre-built app integrations in the Okta Integration Network (OIN) to help you manage provisioning with external cloud-based and on-premises apps.
Benefits
Using Okta to provision user account information combines the robustness and flexibility of Okta Universal Directory with the security of Okta federated authentication methods.
- Account management: Use Okta to create and assign usernames, profiles, and permissions and bind your users' accounts to a single corporate user ID and password.
- Importing users: Import users from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or certain human resources apps. You can do a bulk user import, or you can configure Okta to regularly pull user profile data from a source of truth so your system always has the latest updates.
- Configuring rules and workflows: Require specific password rules, synchronize and import groups from external apps, and automatically deprovision users in Okta, AD, or LDAP.
- Reports: Generate reports and audit trails that show where provisioning changes are required.
Scenarios
Okta provides several methods for handling provisioning in a cloud-based environment:
- AD integration provides a lightweight, on-premises Active Directory integration to synchronize with your AD configuration. You can set up real-time synchronization and Just-In-Time (JIT) provisioning so that you always have the latest user profiles and don't have to wait for scheduled imports.
- LDAP integration provides integration with several popular LDAP vendors using a lightweight agent. The LDAP integration provides real-time synchronization and JIT provisioning, similar to the AD agent.
- HR-driven IT provides automated provisioning from external HR apps (for example, Workday, SuccessFactors, UltiPro, BambooHR, and Namely). This type of provisioning is useful for companies that want to use their HR systems as the source of truth for their users; Active Directory becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient onboarding.
Deprovisioning
Deprovisioning improves your org's security posture by removing access to sensitive apps and content from people who leave your organization. Deprovisioning a user automatically removes them from any assigned app integration to which they were provisioned. Aside from the security aspect, deprovisioning is also important for compliance reasons and helps you maintain an accurate usage count for your external apps.
You can deprovision a user directly from within Okta or through AD.
For app integrations that support it, user access is removed automatically when the user account is deprovisioned. For app integrations that require manual deprovisioning, Okta admins receive a notification listing the users who must be deprovisioned by hand.
Orgs usually have policies that keep deprovisioned user accounts available for a set period of time. This is useful if the account needs to be restored, or if information needs to be retrieved from a deprovisioned account.
When an assignment is removed (deprovisioned) from a user in Okta, Okta doesn't delete the user's account. The account is put into a deactivated state in the external app, and the user's access to the app integration is removed from Okta. Some external apps may support deleting the user's account in the external app.
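The SCIM exchange behind the provisioning described at the top of this page (create and import accounts, push them to a downstream app) and the deprovisioning behaviour in the paragraph above (the account is deactivated in the external app, not deleted), as an added example that is not Okta's code and not part of the original page: a minimal in-memory SCIM 2.0 /Users handler for a downstream app. It covers the lookup-by-userName check an identity provider makes before creating a user, the create, the PATCH that sets active to false on deprovisioning (the retained, deactivated account), the optional DELETE that some apps support, and bearer-token authorization of every call. The bearer token, user names, ids and request bodies are constructed test values and the user store is a dict; none of them come from the page.

```python
import hmac
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed example token; a real app would generate a random secret
# and hand it to the identity provider once, when provisioning is enabled.
PROVISIONING_TOKEN = "example-provisioning-token"


def _error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


class ScimApp:
    """In-memory user store of a downstream app plus its SCIM 2.0 /Users handler."""

    def __init__(self, token=PROVISIONING_TOKEN):
        self._token = token
        self.users = {}  # id -> SCIM User resource

    def _authorized(self, headers):
        # Every provisioning call carries the long-lived bearer token;
        # compare it in constant time and reject anything else.
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        return scheme == "Bearer" and hmac.compare_digest(presented, self._token)

    def _find_by_username(self, user_name):
        # userName is not case-exact in SCIM, so match case-insensitively.
        for user in self.users.values():
            if user["userName"].lower() == user_name.lower():
                return user
        return None

    def handle(self, method, path, headers, query=None, body=None):
        """Dispatch one request; returns (HTTP status, response body or None)."""
        if not self._authorized(headers):
            return _error(401, "invalid bearer token")
        m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
        if not m:
            return _error(404, "unknown resource")
        user_id = m.group(1)
        if method == "GET" and user_id is None:
            return self._search((query or {}).get("filter", ""))
        if method == "POST" and user_id is None:
            return self._create(body)
        if method == "PATCH" and user_id is not None:
            return self._patch(user_id, body)
        if method == "DELETE" and user_id is not None:
            if self.users.pop(user_id, None) is None:
                return _error(404, "no such user")
            return 204, None
        return _error(405, "unsupported method")

    def _search(self, flt):
        # The identity provider looks the user up by userName before creating
        # one, so a repeated push reconciles with the existing account.
        m = re.fullmatch(r'userName eq "([^"]*)"', flt)
        if not m:
            return _error(400, "only userName eq filters are supported")
        found = self._find_by_username(m.group(1))
        resources = [found] if found else []
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources),
                     "Resources": resources}

    def _create(self, body):
        if not body or SCIM_USER not in body.get("schemas", []) or "userName" not in body:
            return _error(400, "malformed User")
        if self._find_by_username(body["userName"]):
            return _error(409, "userName already exists")
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()),
                "userName": body["userName"], "name": body.get("name", {}),
                "emails": body.get("emails", []),
                "active": bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "no such user")
        if not body or SCIM_PATCH not in body.get("schemas", []):
            return _error(400, "malformed PatchOp")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return _error(400, "only replace is supported")
            # Deprovisioning arrives as a replace of {"active": false}; the
            # record stays in the store, only its active flag changes.
            if op.get("path") == "active":
                user["active"] = bool(op.get("value"))
            elif isinstance(op.get("value"), dict) and "active" in op["value"]:
                user["active"] = bool(op["value"]["active"])
            else:
                return _error(400, "unsupported attribute")
        return 200, user
```

Okta's published SCIM flow issues the filtered GET before the POST, so the 409 on a duplicate userName is a safety net rather than the normal path. Deactivation leaves the record in `users` with `active` false, which is what lets the retention policy in the paragraph above restore it later; DELETE removes it for good, so an app should only expose it if that is the behaviour the org wants.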
Permissions
A super admin and an app admin can assign users to app integrations.
You can use Okta groups to provision app integrations to groups of users, in addition to assigning them to individual users.
The Okta administrator configuring the app integration needs app admin permissions to authorize the API provisioning that connects the external app with Okta.