Add provisioned users

When you add a user in Okta, you're creating a user account for them. This account is a user profile in the Okta Universal Directory. Universal Directory is the user store for all Okta users.

User accounts can exist in external apps. During provisioning, if an existing user account in an external app matches an Okta user account, then the Okta account and the external app account can be matched and linked.

How user data is added to Okta determines the method used to manage users. Three methods are available to create user profiles:

Manually create user profiles

Users that are manually created in Okta use the Okta Universal Directory as the single source of truth for these users.

When provisioning is configured in an Okta app integration, Okta pushes user information down to the external app, which results in the creation of a user account within that external app.

Later, if user account information is updated in Okta, then this information is pushed out to the external app where the user account is updated.

For example, if you integrate with Salesforce for provisioning, users created in Okta are pushed to the Salesforce app, but are managed in Okta. Updates and terminations made in Okta are automatically reflected in Salesforce (or any other external apps that are part of your provisioning flow). These downstream connections have a single source of truth, so there's no issue with conflicting user profile information from multiple upstream profiles.

Import user profiles from a directory service or app

User data can be imported into Okta from:

Use one of the following integration strategies to import user data:

  • AD or LDAP integration

    Use the Okta Active Directory (AD) agent or the Okta LDAP Agent to synchronize user data between Okta and your directory instance. You can set up real-time synchronization and Just-in-Time (JIT) provisioning to keep the user profiles current without needing to wait for a scheduled import.

  • App integration

    Integration with external apps such as Salesforce or Workday is useful when you want to make that external app the single source of truth for user data. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.

  • JIT provisioning

    User accounts are automatically created in Okta the first time that a user authenticates with AD Delegated Authentication, Desktop SSO, or inbound SAML.

Users created in a directory service or external app are pushed to Okta, and new AppUser objects are created to match against existing Okta user accounts or to create new Okta user accounts.

You can use the Import User Schema feature, or Schema Discovery, to import more user attributes from apps such as Salesforce.

Profile Sourcing

Profile Sourcing is a more sophisticated process for importing user data and makes an external app or a directory the source of truth for user attribute information and their lifecycle state. When a user profile is sourced from an external app or directory, the Okta user profile's attributes and lifecycle state are derived exclusively from that resource. An Okta user that's sourced from an external app or directory has an Okta profile, but that profile can't be edited in Okta. If the user profile in the external app or directory is disabled, the linked Okta user profile moves to the Deactivated lifecycle state on the next import.
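A reconciliation check for the interval between a source-side disable and the next import, as an added example that is not Okta's code: it reports profile-sourced users who are disabled at the source but not yet deactivated in Okta. The record shapes, the `source` field, and matching on login are assumptions made for this example; `DEPROVISIONED` is the Okta Users API status name for the Deactivated lifecycle state.

```python
"""Find profile-sourced Okta users disabled at the source but still live in Okta."""

# Users API status that corresponds to the Deactivated lifecycle state.
DEACTIVATED = "DEPROVISIONED"

# Constructed sample data. The flattened record shape and the "source" field
# (where the profile is sourced from) are assumptions for this example.
OKTA_USERS = [
    {"id": "00u1", "login": "ana@example.com", "status": "ACTIVE", "source": "AD"},
    {"id": "00u2", "login": "ben@example.com", "status": "ACTIVE", "source": "AD"},
    {"id": "00u3", "login": "cy@example.com", "status": "DEPROVISIONED", "source": "LDAP"},
    # Manually created user: Universal Directory is the source of truth.
    {"id": "00u4", "login": "dee@example.com", "status": "ACTIVE", "source": "OKTA"},
]
SOURCE_ACCOUNTS = [
    {"login": "ANA@example.com", "enabled": False},
    {"login": "ben@example.com", "enabled": True},
    {"login": "cy@example.com", "enabled": False},
    {"login": "dee@example.com", "enabled": False},
]


def pending_deactivations(okta_users, source_accounts):
    """Return externally sourced Okta users whose source account is disabled
    but whose Okta status has not yet moved to the deactivated state."""
    disabled = {a["login"].lower() for a in source_accounts if not a["enabled"]}
    findings = []
    for user in okta_users:
        if user["source"] == "OKTA":
            continue  # not profile-sourced, so no import will change its state
        login = user["login"].lower()
        if login in disabled and user["status"] != DEACTIVATED:
            findings.append({"id": user["id"], "login": login,
                             "status": user["status"], "source": user["source"]})
    return findings


if __name__ == "__main__":
    for f in pending_deactivations(OKTA_USERS, SOURCE_ACCOUNTS):
        print(f"{f['login']} ({f['id']}): disabled in {f['source']}, "
              f"Okta status {f['status']}")
```

Accounts listed by this check remain usable in Okta until the next import runs, so a non-empty result is a reason to trigger an import or review the import schedule.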

Import users from a CSV file

User information is imported from a CSV file and managed in Okta. Any user profile changes are pushed to external apps.

As with any other Okta user profile, any lifecycle changes trigger the automated provisioning functions that update the user's lifecycle state. These changes include events like a position change, app license expiration, or employment termination.
