Configuring Provisioning for BambooHR

This guide provides the steps required to configure Provisioning for BambooHR.


IMPORTANT: OpenID Connect (OIDC) Authentication Support

We are migrating this integration to an OpenID Connect (OIDC) authentication method. This means you will no longer need to provide a BambooHR API Key to Okta manually to enable provisioning features (as described below). Instead, you will see an Authenticate with BambooHR button that asks you to login to BambooHR as an Admin so that Okta can obtain the API Key automatically.

To change authentication method to OIDC:

  1. Navigate to Provisioning > API Integration > Edit.
  2. Click Authenticate with BambooHR:


This functionality is currently only available in Okta Preview orgs.

Once we release this functionality to all orgs, we will update this document accordingly.



The following provisioning features are supported:


Before you start configuring provisioning for BambooHR, you need to obtain a Bamboo API Key:

  1. Login to BambooHR as an administrator.

    Note: Bamboo recommends using a service account to generate the API Key, as opposed to using an individual administrator's credentials.

  2. Select Account Settings in the upper right corner, then select API Keys.


  3. Select Add a new key, or use an existing one if you have one, see the list of My API Keys.

  4. Make a copy of the Key to enter in Okta later in this procedure.


Configuration Steps

  1. Verify the BambooHR app’s General Settings:

    • Select the General Settings tab.

    • Verify that the Subdomain is your BambooHR subdomain. For example, enter company for http://company.bamboohr.com/.

    • Click Next.


    • Configure your Sign-On Options on the next tab, then click Next to take you back to the Provisioning tab.

  2. You are now ready to configure your Provisioning Settings as follows:

    • Click the Enable API Integration box.

    • API Key: Enter the key you copied from BambooHR (step 1) into this field.

    • Parameter to Use for Groups: You can select any of the following parameters:

      • Departments

      • Locations

      • Divisions

      Important: Once you have saved your Provisioning settings, you can not change your Parameter to Use for Groups selection.

      Important: You must have the same value checked in Bamboo settings > Company Directory under Select employee info to display, as shown below.


    • Pre-Start Interval: Enter the interval in days, so that users with Hire Date ahead of current date and within this interval could be considered active and imported to Okta. For example, if you enter 7, the users with a Hire Date later than one week ahead of current date will not be imported.

    • Timezone aware pre-hires: This enables users' Lifecycle Management based on their Timezone/Location. If it is disabled, Okta manages users' lifecycles according to UTC timezone.

    • Preferred timezone: This option allows admins to set the main location timezone the same as in the BambooHR instance (BambooHR Settings > General Settings > Timezone). This is available only when the Timezone aware pre-hires option is enabled.


  3. Either:

    • Select To App in the left panel and enable Update User Attributes.
    • bambooprovisioning3.png

    • Select To Okta in the left panel and enable Allow BambooHR to master Okta users in the Profile & Lifecycle Mastering section.
    • bambooprovisioning2.png

    Note: You can enable both of these at the same time. It requires the ALLOW_BOTH_PROFILE_MASTERING_AND_PUSH feature flag to be enabled. Contact Okta Support for assistance.

  4. Attribute level mastering:

    The ability to have BambooHR be the Profile Master while also having certain attributes (for example, email, phone #) mastered by a different source and updated back into BambooHR is now supported.

    To do this, follow the steps below:

    1. Configure BambooHR as a Profile Master (check previous step for details).

    2. Enable Update User Attributes provisioning Feature (requires an ALLOW_BOTH_PROFILE_MASTERING_AND_PUSH Feature flag to be enabled, contact Okta Support).

    3. Navigate to Directory > Profile Editor, find your BambooHR App, then and select Mappings:


    4. Verify that attributes you'd like to write back to BambooHR are mapped correctly:


    5. Go back to the Profile Editor and open the Okta user profile:


    6. For each attribute you'd like to write back, open the information panel:


    7. Select Override profile master:


    8. Select an appropriate source of truth (Active Directory in our example), then click Save Attribute:


  5. You can now finish the application setup.

Schema Discovery

BambooHR supports User's Schema Discovery, so you can add some extra attributes to User's Profile, to do that, follow the instructions below:

  1. In Okta, from the Admin dashboard, select Directory > Profile Editor.

  2. Select the APPS section in the left navigation bar, then find your app in the list.

  3. Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes will appear:


  4. Select the attributes you want to add, then click Save.

  5. You can now import and push these user attribute values to/from BambooHR