Provisioning Policy Attributes
This section lists the policy attributes for IdentityIQ for Okta.
Note
Attributes marked with an asterisk (*) are mandatory.
Note
Okta does not support update operation for de-provisioned user.
Create Account Policy
Following are the various attributes in the create account policy.
FirstName*
First name of the user
LastName*
Last name of the user
Email*
Primary address of the user
Login*
Must be an email
Activate
Enable to set the status as provisioned
Disable to set status as staged
Password
Login password for the user
Provider Type
Credential provider type
The default allowed values are as follows:
-
FEDERATION -
SOCIAL -
OKTA
Provider Name
Credential provider name
setPasswordInPermanentMode
(Optional) When creating an account, set the password in Permanent mode as follows:
-
true– The Account is created inActivemode -
false– The account is created inPASSWORD_EXPIREDmode
By default, the user is created with their password in PASSWORD_EXPIRED mode.
recoveryQuestion
(Optional) Set a recovery question for user
recoveryAnswer
(Optional) An answer to the recovery question
type_name
(Optional) Name of the user type
The type_name attribute is case-sensitive and it is referred to as the "variable name" user type in Okta.
To provision custom attributes, add a matching attribute into the provisioning policy.
For example, if you have the custom attributes customAttr1 and customAttr2 in the Okta application and you need to provision them, you need to add customAttr1 and customAttr2 to the provisioning plan as well.
Following table describes the status of created account according to different parameters provided in create account policy above.
|
Activate Checkbox |
Password |
Recovery Question |
Provider Type |
Okta Status |
IdentityIQ |
|
Unchecked |
Provided/Not Provided |
Empty |
Empty |
STAGED |
Disabled |
|
Checked |
Not Provided |
Empty |
Empty |
PROVISIONED |
Enabled |
|
Checked |
Provided |
Empty |
Empty |
PASSWORD_RESET |
Enabled |
|
Unchecked |
Not Provided |
Empty |
FEDERATION/ |
STAGED |
Disabled |
|
Checked |
Not Provided |
Empty |
FEDERATION/ |
ACTIVE |
Enabled |
|
Unchecked |
Provided/Not Provided |
Provided |
Empty |
STAGED |
Disabled |
|
Checked |
Not provided |
Provided |
Empty |
PROVISIONED |
Enabled |
|
Checked |
Provided |
Provided |
Empty |
ACTIVE |
Enabled |
Note
While creating an account:
-
Users with a FEDERATION/SOCIAL authentication provider do not support a password credential and must authenticate through a trusted Identity Provider.
-
If Provider Name is not configured or an invalid value is provided, then the provider type and name is set to
OKTA.
Enable/Delete Account Provisioning Policy
sendEmail
While enabling a de-provisioned user, the connector does not send an activation email to the user if sendEmail is false.
Default value – true
Disable Account Policy
Status*
Suspend – Temporarily disables the account
Deprovision – Delete all the applications and deactivate the account
sendEmail
True/False – While disabling an user (status: deprovision), the connector sends a deactivation email to the administrator if sendEmail is true.
Default value – false
For more information on the various mapped status of Okta and IdentityIQ, refer to Account Status Mapping.
Create Group Policy
Group Name*
Name of the group
Group Description
Description of the group