This guide provides the steps required to configure Provisioning for Org2Org, and includes the following topics:
Import New Users
New users created in the third party application will be downloaded into Okta.
Import Profile Updates
Updates made to a user's profile in the third party application will be downloaded and applied to the profile fields stored locally in Okta.
Import User Schema
User schema in the third party application will be downloaded into Okta.
Push New Users
New users created through Okta will also be created in the third party application.
Push Password Updates
Updates made to the user's password through Okta will be pushed to the third party application.
Push Profile Updates (Only updated attributes are pushed. By default, all null and empty values are ignored.)
Push User Deactivation
Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in the third party application.
Reactivate Users
Reactivating the user through Okta will reactivate the user in the third party application.
Push Groups
Groups and their members can be pushed to remote systems. For more about using group push operations (including Group Push enhancements) see Using Group Push.
Profile Sourcing
AppUser profile for this App will overwrite the Okta user profile for Users.
This setup assumes that you are adding this Org2Org provisioning application to your Okta source (Spoke) organization.
Before you start configuring provisioning for Okta Org2Org, you need to do the following:
Obtain your API Token (Hub Organization):
Important: The API token must be created by a Super admin. Tokens created by other admin roles will result in provisioning errors/failures.
Log in to the Okta Hub Organization as an administrator:
Navigate to Security > API:
Click the Create Token button, then enter your token name in the dialog, then click Create Token:
Make a copy of your newly generated token:
Verify the Okta Org2Org app’s General Settings in the Okta Spoke organization:
Make sure that you have the correct base URL to your Hub Org in Okta (for example: https://my-org.okta.com).
Configure your Provisioning settings for the Okta Org2Org app in the Spoke org as follows:
Check the Enable API Integration box.
Enter your API Endpoint and API Key.
Click Test API Credentials:
If your credentials are valid, you’ll see a message saying that your credentials were successfully verified.
Select To App in the left panel, then select the Provisioning Features you want to enable:
Click Save.
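A pre-flight check for the Hub base URL and API token entered in the steps above, given as an added example that is not part of the Okta guide: it rejects a base URL that would send the token somewhere other than the Hub org, then builds the request that confirms the token is accepted. The allowed domain list and the environment variable names OKTA_HUB_URL and OKTA_HUB_TOKEN are assumptions; the request uses Okta's /api/v1/users/me endpoint with the SSWS authorization scheme.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumption: Okta-hosted domains this Hub may live on; add a custom domain if you use one.
ALLOWED_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def normalize_hub_base_url(url):
    """Return the Hub base URL as https://host, or raise ValueError."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("base URL must use https")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("base URL must not carry credentials or a custom port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base URL must not include a path, query or fragment")
    if not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError("host is not under an expected Okta domain")
    if host.split(".")[0].endswith("-admin"):
        raise ValueError("use the org URL, not the -admin console URL")
    return "https://" + host


def build_token_check_request(base_url, api_token):
    """Build (without sending) a GET for the token owner's own user record."""
    base = normalize_hub_base_url(base_url)
    return urllib.request.Request(
        base + "/api/v1/users/me",
        headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"},
        method="GET",
    )


if __name__ == "__main__":
    # Hypothetical variable names; reading the token from the environment keeps it
    # out of the script and out of shell history.
    req = build_token_check_request(os.environ["OKTA_HUB_URL"], os.environ["OKTA_HUB_TOKEN"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("token accepted by Hub, HTTP", resp.status)
```

A successful response only shows that the Hub accepts the token; it does not confirm that the token was created by a Super admin.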
You can now assign people to the app (if needed) and finish the application setup.
To assign users to the Okta Org2Org app:
To assign users, navigate to the Assignments tab of your Org2Org app, then select Assign > Assign to People:
In the Assign Okta Org2Org to People dialog, select a user, then click the Assign button:
You can set Security Question/Answer and select the Initial Status for the provisioned user:
After clicking Save, this user will be provisioned to the Hub organization with the selected initial status and security question/answer.
What is the "Initial status" user attribute?
Setting the Initial status user attribute is required when assigning an Okta user to the Org2Org app. This attribute determines the status of the user in the target org when they are created, linked, or reactivated.
If the initial status is set to Active with password or Pending with password, Okta will generate a temporary password for the user. If Okta Password Sync is enabled, this temporary password will be overwritten when the user signs in.
Groups that exist in Okta can be configured to push to the target Okta org. Users that are part of the pushed group will show up in the target group if they also exist in the target. Best practice is to push new groups to the target Okta organization rather than trying to push existing groups.
To push new groups to the Hub org, follow these steps:
Select the Push Groups tab, then select the green Push Groups dropdown:
Type your group name in the search field, then click on your group. Then click the Add Group button:
If everything is successful, you'll see your group with an Active status, and it will also be pushed to your Hub org:
In addition to the traditional usage, the Okta Org2Org application can be used as a Profile Source.
This means that your Hub org becomes the source of your users. By importing those (Hub) users into your Spoke org, you will be able to update Spoke users’ properties, and those changes will be applied to the other apps to which those users are assigned (for example, Google Apps, O365 etc.).
To enable Profile Sourcing, perform the following steps:
Go to the Provisioning tab, then click To Okta.
Deselect all Provisioning Features that are enabled, then enable Profile Sourcing.
Click Save.