Use Anything-as-a-Source

Limited EA: This is a Limited Early Access (LEA) feature, and it is available to a limited audience. To enable it, contact your Customer Success Manager (CSM) or Okta Support.

Anything-as-a-Source (XaaS) allows you to integrate any source of truth with Okta, and realize the benefits of HR-driven provisioning from any source of truth. XaaS gives customers the flexibility to define the terms of synchronization between Okta and the source of truth. Alternatively, some identities don't require representation in Okta, and XaaS can filter out irrelevant data, syncing only the appropriate identities.


Before setting up Anything-as-a-Source, you need:

  • Access to Okta profile sourcing capabilities.

  • A source of truth from which you can extract data using a public API, a report, a file export, or some other mechanism.

  • An API client to make API calls associated with the Anything-as-a-Source feature. This could be an automation platform (such as Okta Workflows) or your own custom-hosted code.

  • An active API token that can call Okta APIs.

  • Access to the Okta Workflows platform if you are using Okta Workflows.

Build an Anything-as-a-Source Integration

Building an Anything-as-a-Source integration involves the following steps:

  1. Create and configure a Custom Identity Source.

  2. Synchronize data using a Custom Identity Source.

Create and configure a Custom Identity Source

Before synchronizing data from your source of truth, you must first create an integration in your Okta org by following these steps:

  1. In the Admin Console, go to Applications > Applications.

  2. Click Browse App Catalog to find the new integration you want to add for your source of truth.

  3. Go to the Private Apps section on the left-hand navigation bar and select this filter.

  4. Select Custom Identity Source and click Create New App.

  5. Optional. Specify a name and custom logo for your new integration.

  6. After you've added this integration to your organization, go to the new integration’s page and click the Provisioning tab.

  7. On the Integration menu, select the Enable API Integration checkbox.

  8. Go to the To Okta menu on this page.

    “To App” provisioning isn't supported for this integration type and these settings are ignored.

  9. Configure the integration. For example:

    • Configure whether new users should be confirmed manually or automatically by Okta

    • Configure how Okta will determine if a new user is a match to an existing user and whether this should be confirmed manually or automatically

    • Specify if this integration serves as a profile source in Okta

You can find the identity source ID (referred to as ${identitySourceId}) in the URL for the instance. This ID is needed to configure the source, and is located in the URL as highlighted here:

Declare an identity source schema

Next, specify the data that is sent to Okta from your source by adding new attributes to the schema associated with your new custom identity source integration.

  1. In the Admin Console, go to Directory > Profile Editor.

  2. Find your custom identity source among the integrations listed and click Profile.

  3. For each attribute that should be synchronized to Okta (for example, for inclusion in the Okta profile or use in a profile mapping), do the following steps:

    1. Click Add Attribute.

    2. Select the data type of the attribute (for example, enum or string).

    3. Enter a display name, variable name, and (optionally) a description for the new attribute. Okta Expression Language is accepted.

    4. Specify any other relevant constraints, such as whether or not the attribute is required, the range, or length constraints.

    5. If you have more attributes to add, click Save and Add Another. When you’ve added the final attribute, click Save.

    6. Click the Mappings tab on the Profile Editor screen and select Configure User Mappings.

  4. Create mappings from the custom identity source (appuser) attributes on the left to the Okta user on the right.

If a desired attribute hasn't been added to the Okta user profile yet, see Add custom attributes to apps, directories, and identity providers.

Synchronize data with a Custom Identity Source

Now that you've added an identity source integration to your Okta organization, you are ready to synchronize data from your source of truth to Okta. This section describes how to use XaaS APIs to perform this synchronization after data has already been extracted from the source.

Deleting a user that has already been matched using API calls deactivates the user in Okta's Universal Directory. If the user has not already been matched, the user will not appear in Okta's Universal Directory.

API Token Creation

First, create an API token by following the steps outlined on Okta Developer. You can also copy this token for use in your API client. If Okta Workflows is being used as the API client, this step isn't required, as the Okta connector has access to an authorized API token.

Build a XaaS custom client

For detailed information on how to build a XaaS custom client, see the guide on Okta Developer.
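The synchronization step described in this section, as an added example (not Okta's code and not part of the original page): it builds, without sending, the ordered requests for one import session, filters out identities that should not be represented in Okta, and keeps the API token out of log output. The endpoint paths and payload shape follow Okta's public Identity Sources API and should be confirmed against the Okta Developer guide; `BATCH_SIZE`, the `OKTA_API_TOKEN` variable name, the org URL, the IDs and the HR records are assumptions constructed for illustration.

```python
import json
import os
import urllib.request

BATCH_SIZE = 200  # assumed per-request profile limit; confirm in the Okta Developer guide


def build_post(org_url, token, path, body=None):
    """Build (not send) an authenticated POST to the identity source API."""
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        org_url.rstrip("/") + path,
        data=data, method="POST",
        headers={"Authorization": "SSWS " + token,
                 "Content-Type": "application/json", "Accept": "application/json"})


def create_session_request(org_url, token, source_id):
    """First call of a sync: opens an import session on the custom identity source."""
    return build_post(org_url, token, f"/api/v1/identity-sources/{source_id}/sessions")


def plan_session_requests(org_url, token, source_id, session_id, records, keep, deleted_ids=()):
    """Ordered requests that load one session (upserts, deletes) and then trigger it."""
    base = f"/api/v1/identity-sources/{source_id}/sessions/{session_id}"
    profiles = [{"externalId": r["externalId"], "profile": r["profile"]}
                for r in records if keep(r)]  # drop identities Okta should not hold
    gone = [{"externalId": x} for x in deleted_ids]
    plan = []
    for op, items in (("bulk-upsert", profiles), ("bulk-delete", gone)):
        for i in range(0, len(items), BATCH_SIZE):
            plan.append(build_post(org_url, token, f"{base}/{op}",
                                   {"entityType": "USERS", "profiles": items[i:i + BATCH_SIZE]}))
    plan.append(build_post(org_url, token, base + "/start-import"))
    return plan


def describe(req):
    """Log-safe summary of a request: never includes the Authorization header."""
    return f"{req.get_method()} {req.full_url} ({len(req.data or b'')} bytes)"


if __name__ == "__main__":
    # Token comes from the environment, never from source; the fallback is a placeholder.
    token = os.environ.get("OKTA_API_TOKEN", "constructed-placeholder-token")
    hr = [{"externalId": f"E{n}", "profile": {"userName": f"u{n}@example.com"},
           "type": "contractor" if n % 5 == 0 else "employee"} for n in range(450)]
    plan = plan_session_requests("https://example.okta.com", token, "SOURCE_ID", "SESSION_ID",
                                 hr, lambda r: r["type"] == "employee", ["E9000"])
    for r in plan:
        print(describe(r))
```

Sending each request with `urllib.request.urlopen` in the returned order, and stopping on the first non-2xx response, keeps a partially loaded session from being triggered.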

Okta Workflows

Any XaaS API can be called in Okta Workflows using the Okta connector and the Custom API Action card (see Custom API Action (CAPIA) cards). Additionally, Okta Workflows API Connector (and other connectors) can be used to call any other public HTTP endpoint. For example, this connector could be used to retrieve data directly from a source of truth like an HR system.