This guide provides the steps required to configure Provisioning for BambooHR.
This integration cannot create new users in BambooHR. Assigning an Okta user to BambooHR with Provisioning enabled will result in an error. Instead, import existing users from BambooHR first to avoid this error.
Attributes with special characters will be represented with their Unicode values in Okta. For example: if you attribute is ShirtSize# it will be displayed as ShirtSize_U+0023.
We support provisioning using non-employee User credentials.
We don't support import of non-employee users.
We don't support management of non-employee users.
This integration can be used with European accounts in the same manner as US accounts, no additional action is required.
IMPORTANT: OpenID Connect (OIDC) Authentication Support
We are migrating this integration to an OpenID Connect (OIDC) authentication method. This means you will no longer need to provide a BambooHR API Key to Okta manually to enable provisioning features (as described below). Instead, you will see an Authenticate with BambooHR button that asks you to login to BambooHR as an Admin so that Okta can obtain the API Key automatically.
To change authentication method to OIDC:
This functionality is currently only available in Okta Preview orgs.
Once we release this functionality to all orgs, we will update this document accordingly.
The following provisioning features are supported:
Import New Users
Import Profile Updates
Import User Schema
Push Profile Updates
Before you start configuring provisioning for BambooHR, you need to obtain a Bamboo API Key:
Login to BambooHR as an administrator.
Note: Bamboo recommends using a service account to generate the API Key, as opposed to using an individual administrator's credentials.
Select Account Settings in the upper right corner, then select API Keys.
Select Add a new key, or use an existing one if you have one, see the list of My API Keys.
Make a copy of the Key to enter in Okta later in this procedure.
Verify the BambooHR app’s General Settings:
Select the General Settings tab.
Verify that the Subdomain is your BambooHR subdomain. For example, enter company for http://company.bamboohr.com/.
Configure your Sign-On Options on the next tab, then click Next to take you back to the Provisioning tab.
You are now ready to configure your Provisioning Settings as follows:
Click the Enable API Integration box.
API Key: Enter the key you copied from BambooHR (step 1) into this field.
Parameter to Use for Groups: You can select any of the following parameters:
Important: Once you have saved your Provisioning settings, you can not change your Parameter to Use for Groups selection.
Important: You must have the same value checked in Bamboo settings > Company Directory under Select employee info to display, as shown below.
Pre-Start Interval: Enter the interval in days, so that users with Hire Date ahead of current date and within this interval could be considered active and imported to Okta. For example, if you enter 7, the users with a Hire Date later than one week ahead of current date will not be imported.
Note: You cannot enable both of these at the same time, select only one. The ability to have BambooHR be the Profile Master while also having certain attributes (for example, email, phone #) mastered by a different source and updated back into BambooHR is not currently supported.
You can now finish the application setup.
BambooHR supports User's Schema Discovery, so you can add some extra attributes to User's Profile, to do that, follow the instructions below:
In Okta, from the Admin dashboard, select Directory > Profile Editor.
Select the APPS section in the left navigation bar, then find your app in the list.
Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes will appear:
Select the attributes you want to add, then click Save.
You can now import and push these user attribute values to/from BambooHR