Okta

Configuring Provisioning for SuccessFactors Employee Central

This guide provides the steps required to configure Provisioning for SuccessFactors Employee Central as a Master

Note:

This integration is not intended to provision users to SuccessFactors; roles and permissions cannot be set via Okta.


Contents


Overview

Okta integrates with SuccessFactors Employee Central, an integrated suite of human capital management web-based applications, to provide a comprehensive identity and access management solution. Okta automates provisioning in all leading cloud and web applications. With SuccessFactors-driven IT provisioning, Okta can drive the worker life cycle of new-hire, update, termination, and rehire to downstream applications from events that originate in SuccessFactors Employee Central.

Okta can import users from SuccessFactors Employee Central through its EC Compound Employee API. Okta supports two typical scenarios:

Both are described below:

Import from SuccessFactors Employee Central

In this scenario, Okta simply imports users from Successfactors EC like any other application. Imported users are used to create Okta users. However, once the SuccessFactors EC users are imported into Okta, they are no longer managed by SuccessFactors EC. Any updates to the user made in SuccessFactors EC will not change the associated Okta user.

SuccessFactors (EC)-driven IT Provisioning

In this scenario, Okta integrates with SuccessFactors EC to drive IT provisioning. When the SuccessFactors EC user is imported into Okta, they continue to be managed by SuccessFactors EC. Updates and terminations made in SuccessFactors EC are reflected in Okta and downstream apps. This arrangement enables SuccessFactors EC to manage employee and contractor access to apps. SuccessFactors EC-driven IT provisioning is a superset of the functionality provided in Import from SuccessFactors EC, so the rest of this deployment guide focuses on configuring SuccessFactors EC-driven IT provisioning, but will be relevant to Import from SuccessFactors EC scenarios as well.

Note: SuccessFactors EC-Driven IT provisioning requires the Enterprise or Enterprise Plus versions of Okta to enable SuccessFactors EC as a Profile Master and for flexible attribute mappings.

With Successfactors EC-driven IT provisioning, Okta supports the following worker lifecycle events:


Features

The following provisioning features are supported:


Requirements

  1. Contact SuccssFactors or the implementation partner to get the SuccessFactors SF API enabled for your tenant. They will need to log in to the Provisioning Access Console > Select your company > Company Settings > Under Web Services, and check the following fields:

    • SFAPI

    • Employee Central SOAP API

      Other items are checked by default

    “sucessfactors-new1.png”

  2. Login to your Successfactors tenant as a System Administration, navigate to Manage Permission Roles and create a new role or ensure that some role has following permissions:

    • Administrator Permissions > Manage Integration Tools > Select All:

      “sucessfactors-new2.png”

    • Administrator Permissions > Employee Central API > Select All:

      “sucessfactors-new3.png”

    • Ensure that user that is used for this integration has this role assigned.

  3. In Okta, add the SuccessFactors application, then select the General Settings tab, and be sure to set the Company ID parameter.

    The value for this can be obtained from your login URL: https://acme.successfactors.com/login?company=ACME123456789.

    “sucessfactors-new4.png”


  4. Configuration Steps

    Configure your Provisioning settings for SuccessFactors as follows:

    1. Check the Enable API Integration box.

    2. Enter the following API CREDENTIALS:

      • Base URL for Web Service: This is your API base URL. Pay attention as it differs from your login URL. List of API URLs can be found here.

      • Admin Username: Enter a username for admin account.

      • Admin Password: Enter a password for the for admin username (above).

      • Pre-Start Interval: Enter the number of days before the start date an employee should be considered active.

      • Post-Termination Interval: Enter the number of days after user termination an employee should be considered active.

      • Import Contingent Workers: Check this if you want to import contingent workers along with full time employees.

      successfactorsprovisioning1.png

    3. Select To App in the left panel, then select the Provisioning Features you want to enable, then click Save.

      Note: In order to turn on Update User Attributes feature along with Profile Mastering, for write-back functionality, contact Okta support to get the following Feature Flags enabled for your Okta org:

      • ALLOW_BOTH_PROFILE_MASTERING_AND_PUSH

      • ATTRIBUTE_LEVEL_MASTERING

    4. successfactorsprovisioning2.png

    5. Select To Okta in the left panel, enable Profile Master and setup import rules:

      successfactorsprovisioning_3.png

    6. Note that the default Okta username format is email-formatted, while SuccessFactors doesn't have any specific requirement for the username format. Therefore the default username mapping from SuccessFactors to Okta is the following:

      appuser.person___logon_user_name + "@" + org.subdomain + ".com"


    Notes

    Multiple Job Assignments

    In case you have multiple job assignments for employees in your SuccessFactors account (either with Global Assignment or with Concurrent Assignment), they will be treated the following way in Okta:

    User Statuses

    A user's status is derived from the Job Information entity in Employee Central.

    If a user's job_information.emplStatus == "A", the user is treated as active in Okta.

    In case a user's status is not active in the Job Information entity, Okta makes a second check on the user's job_information.start_date).

    If the user's start date falls in the preHire Interval period, the user will be treated as active pre-hired user in Okta. Note: Okta selects the most early value among all job_information records per user, and performs the following check: "now > startDate > now + preHireInterval" — if the condition is true, the user is treated as active.

    If a user isn't active and did not pass the pre-hire verification he/she will be tested against post-termination verification. Okta selects the most recent job_information.end_date value and verifies it against "now - postTerminationInterval > endDate > now".

    If user does not pass any of verifications above, then the user is treated as an inactive under and will not be imported into Okta.

    Phone and Emails

    For both phone and email, Okta maps the one which is marked as "isPrimary = true" to the Okta user profile. If write-back functionality is enabled, Okta will write back to the phone and email type set as Primary.

    Push Email Updates to SuccessFactors

    Due to API limitations Okta can update email address only for those users who have configured email marked as primary and has an active email type (usually "Business" type).

    Contractor to Full Time Employee Conversion

    Contractor to full time employee conversion is treated as a termination of the contingent worker, and a new hire of a full time employee in SuccessFactors.

    When the contingent worker is terminated in SuccessFactors, the user is de-activated in Okta upon next sync (unless post termination is enabled). Once the user is added as a full time employee in SuccessFactors, this user will be imported into Okta, and the import matching rules will match your newly created SuccessFactors full time employee to the existing de-activated Okta user. However, you will have to manually re-activate the user. Automated re-activation via import matching rules is not supported at this time.


    Supported Entities and Attributes

    The following table contains a list of supported entities and attributes within those entities.

    Note:Attributes marked RED are blacklisted. Okta does not query or save any information related to these attributes.

    Person Personal Information Address Information Email Information Employment Information Phone Information Job Information
    birth_name
    country_of_birth
    date_of_birth
    date_of_death
    logon_user_id
    logon_user_is_active
    logon_user_name
    person_id
    person_id_external
    place_of_birth
    region_of_birth
    Custom_string1 - 20
    Custom_date1 - 10
    Custom_long1 - 20
    Custom_double1 - 20
    birth_name
    display_name
    display_name_alt1
    display_name_alt2
    end_date
    first_name
    first_name_alt1
    formal_name
    formal_name_alt1
    formal_name_alt2
    gender
    initials
    last_name
    last_name_alt1
    marital_status
    middle_name
    name_format
    name_prefix
    nationality
    native_preferred_lang
    salutation
    second_title
    start_date
    suffix
    title
    workflow_request_id
    Custom_string1 - 20
    Custom_date1 - 10
    Custom_long1 - 20
    address_type
    address1 – 10
    address1_alt1
    address1_alt2
    address2_alt1
    address2_alt2
    address3_alt1
    address3_alt2
    city
    country
    county
    end_date
    province
    start_date
    state
    zip_code
    Custom_string1 - 20
    Custom_date1 - 10
    Custom_long1 - 20
    Custom_double1 - 20
    email_address
    Custom_string1 - 20
    Custom_date1 - 10
    Custom_long1 - 20
    Custom_double1 - 20
    assignment_class
    assignment_type
    benefits_eligibility_start_date
    benefitsEndDate
    bonusPayExpirationDate
    direct_reports
    employment_id
    end_date
    firstDateWorked
    globalAssignmentPlannedEndDate
    is_host_assignment
    isPrimary
    jobNumber
    last_modified_by
    last_modified_on
    lastDateWorked
    originalStartDate
    payrollEndDate
    professionalServiceDate
    salary_end_date
    seniorityDate
    serviceDate
    start_date
    StockEndDate
    user_id
    Custom_string1 - 100
    Custom_date1 - 30
    Custom_long1 - 20
    Custom_double1 - 20
    area_code
    country_code
    extension
    phone_number
    phone_type
    Custom_string1 - 20
    Custom_date1 - 10
    Custom_long1 - 20
    Custom_double1 - 20
    acquired_from_ company
    business_unit
    company
    company_territory_code
    cost_center
    created_by
    created_on_timestamp
    department
    division
    eeo_class
    eeo_job_group
    eeo1_job_category
    eeo4_job_category
    eeo5_job_category
    eeo6_job_category
    employee_class
    employee_type
    employment_type
    emplStatus
    end_date
    event
    event_reason
    flsa_status
    fte
    holiday_calendar_code
    is_cross_border_worker
    is_eligible_for_benefit
    is_eligible_for_car
    is_fulltime_employee
    is_home_worker
    is_primary
    is_shift_employee
    job_code
    job_title
    local_job_title
    location
    manager_category
    manager_employment_id
    manager_id
    manager_person_id
    notes
    pay_grade
    pay_group
    payroll_event
    payScaleArea
    payScaleType
    position
    regular_temp
    seq_number
    shift_code
    shift_factor
    shift_rate
    standard_hours
    start_date
    supervisor_level
    time_type_profile_code
    timezone
    work_period
    workflow_request_id
    workingDaysPerWeek
    workschedule_code
    Custom_string1 - 100
    Custom_date1 - 30
    Custom_long1 - 20
    Custom_double1 - 20