Profile sourcing

A profile source is an app that acts as the source of truth for user identities. After it's enabled in the To Okta section of the Provisioning tab of the app or directory, it appears in the profile source list on the Profile Sources page. If an external profile source isn't identified, Okta is the source for all profiles.

If more than one profile source is listed, you can prioritize them to source user profile attributes from different systems, based on their assignments. At any given time, there can only be one profile source for a user's profile.

Profile sources are powerful tools that can help you manage a user's entire life cycle (creation, updates, and deactivation). For example, use Workday as a profile source to send user creation, updates, and termination events from Workday to Okta.

Here are some of the apps and directories that allow profile sourcing:

  • Active Directory
  • BambooHR
  • G Suite
  • LDAP
  • NetSuite
  • Namely (built by ISV)
  • Salesforce
  • SuccessFactors
  • UltiPro
  • Workday

Enable Profile Source and Update User Attributes

Enabling Profile Source and Update User Attributes for the same app lets you push Okta to App profile mappings to the highest priority profile source. This is beneficial when you want to sync attributes from downstream apps back to the profile source. However, you may lose data if an app that's designated as a profile source can also receive profile updates from Okta.

Before you enable Profile Source and Update User Attributes for the same app, consider the following:

  • Unwanted profile pushes: Okta updates can overwrite the values of unmapped attributes in an app, even if that app is the highest priority profile source. For example, if the cn attribute isn't mapped from Active Directory to Okta, and you've configured Active Directory for Profile Source and Update User Attributes, then Okta applies the default mapping to cn.
  • Overwritten IdP-sourced attributes: Okta to app updates can overwrite attributes that are sourced by another identity source. There's no partial push option.
  • Race conditions: Okta can overwrite an updated attribute in an identity source before other updates are pushed back to - Okta. For example, consider a scenario in which a user's first name and last name are imported into Okta from a directory, but the user's email address is imported into Okta from an app. If the user's last name changes in the directory before the applicable email address update is made in the app, - Okta could push the new name and the old email address.

Rules for incoming imports

Using a profile source requires a clear distinction between new imported users and updates to current Okta users. Okta uses matching rules to maintain a link between the profile source and Okta to prevent conflicts. See Match imported user attributes.

Profile sourcing and the user life cycle

The flow of a user's identity throughout the different cycles of access (creation, update, and removal of access to resources) is known as a user's life cycle. A profile sourcer can determine the beginning or end of this cycle, and is enabled within the provisioning and import space.

A Super Admin can't be deactivated through an import operation.

See Provisioning and Deprovisioning.