Provisioning Policy
When SailPoint provisions new accounts to an Okta direct connect source, it uses the attributes on the Create Profile page as instructions or a template for what to include in the account. This page is also referred to as the provisioning policy.
Important
This page describes the configuration of the default Create Profile. However, SailPoint recommends that you work with Services to define a Create Profile specific to your company's needs.
The following generators create required information for a new Okta account. You might need to edit the contents.
Account Attribute | Generator | Description |
---|---|---|
login | Identity Attribute | Unique ID (username) used as login |
 | Identity Attribute | Primary Email of the user |
firstName | Identity Attribute | First name of the user |
lastName | Identity Attribute | Last name of the user |
activate | Static Value | Checked to set the status as provisioned, unchecked to set status as staged |
password | Generator | Login password for the user |
middleName | Disable | Middle name(s) of the user |
secondEmail | Disable | Secondary email address of the user that is used for account recovery |
displayName | Disable | The display name that can be used for the user |
title | Disable | User’s title. For example: "Sr. General Manager" |
honorificPrefix | Disable | Honorific prefix(es) of the user. For example: "Dr., Mrs., Mr." |
honorificSuffix | Disable | Honorific suffix(es) of the user. For example: "MD, PhD, MSCSW" |
profileUrl | Disable | URL of the user’s Online profile |
primaryPhone | Disable | Primary phone number of the user |
mobilePhone | Disable | Mobile phone number of user |
streetAddress | Disable | Street address component of the user’s address |
city | Disable | City or locality component of the user’s address |
state | Disable | State or region component of the user’s address |
zipCode | Disable | ZIP code or postal code component of the user’s address |
countryCode | Disable | Country name component of the user’s address |
postalAddress | Disable | Mailing address component of the user’s address |
preferredLanguage | Disable | The user’s preferred written or spoken language |
locale | Disable | The user’s default location for the purpose of localizing items such as currency, date/time format, numerical representations, etc. |
timezone | Disable | The user's time zone |
userType | Disable | Used to identify the type of the user, such as "Employee" or "Contractor" |
employeeNumber | Disable | Unique identifier for the user assigned by the organization or company |
costCenter | Disable | Cost center assigned to the user |
organization | Disable | The user's organization |
division | Disable | The user's division |
department | Disable | The user's department |
manager | Disable | The name of the user's manager |
managerId | Disable | ID of the user’s manager |
providerName | Disable | The name of the credential provider |
providerType | Disable | The type of the credential provider |
Note
Custom attributes of the User profile from Okta can be populated using the Discover Schema functionality.
The Okta Source supports the Credential Provider User (for example, Federation/Social Provider user) in the Okta managed system. Users with a FEDERATION or SOCIAL authentication provider do not support a password credential and must be authenticated using a trusted Identity Provider. While creating an Okta user, if the providerName attribute is not configured or an invalid value is provided, both the provider type and name are set as OKTA.
Account Status
To verify the status of the created user, refer to the following table.
Activate Checkbox | Password | Provider Type | Status on the Okta Managed System | Status on Identity Security Cloud Source |
---|---|---|---|---|
Unchecked | Provided/Not Provided | Empty | STAGED | Disabled |
Checked | Not Provided | Empty | Pending user action | Enabled |
Checked | Provided | Empty | PASSWORD_EXPIRED | Enabled |
Unchecked | Not Provided | FEDERATION/SOCIAL | STAGED | Disabled |
Checked | Not Provided | FEDERATION/SOCIAL | ACTIVE | Enabled |
Assignment of User Type While Creating a User
The Okta Source now supports assignment of a user type while creating a user in the Okta managed system.
Also, the source supports aggregation of the type of the user with type_name and type_displayName attributes that define the name and display name of the assigned user type, respectively.
You must manually add the type_name and type_displayName attributes to the account schema. Refer to this document: Adding Attributes to a Source Schema.
In the Create Profile section of the Okta source UI, set up the following attribute.
Account Attribute | Generator | Description |
---|---|---|
type_name | Disable | The name of the Okta user type. This |