Configure provisioning for Cornerstone OnDemand

This guide provides the steps required to configure provisioning for Cornerstone OnDemand. It assumes that you've created a Cornerstone OnDemand app instance in your Okta org.



The following provisioning features are supported:


Before you can enable provisioning features, you need the following:

Register an app in Cornerstone OnDemand

  1. Sign in to your Cornerstone account.
  2. Go to Admin > Tools > EDGE & API Management > Manage OAuth 2.0 Applications.
  3. Click + Register New Application.
  4. Enter your Application Name (for example, OktaCornerStoneIntegration).
  5. Enter a Cornerstone User ID as the User ID. Often this is the admin's User ID.
  6. Optional. Set the Access Token Validity Period.
  7. Search for and select the following API scopes:
    • employee.create
    • employee.read
    • employee.updatefull
    • employee.updatepartial
    • ou.read
    • outype.read
  8. Click Register Application.
  9. Copy your client secret. You enter this value when you set up provisioning for Cornerstone OnDemand in Okta.
  10. Click Continue.
  11. Copy the Client ID for your app. You enter this value when you set up provisioning for Cornerstone OnDemand in Okta.
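A least-privilege check for the scope list in step 7, as an added example (not Okta or Cornerstone code): it compares the scopes actually granted to a token with the six scopes this guide lists and reports anything missing or extra. It assumes the token response is RFC 6749 style JSON with a `scope` member; the sample responses are constructed, and `placeholder.extra` is a made-up scope name standing in for any unexpected grant.

```python
import json

# Scopes this guide tells you to select in step 7 of the registration.
EXPECTED_SCOPES = frozenset({
    "employee.create", "employee.read", "employee.updatefull",
    "employee.updatepartial", "ou.read", "outype.read",
})


def audit_scopes(token_response: str) -> dict:
    """Compare the scopes granted to a token with the guide's list.

    Assumption: the response is RFC 6749 style JSON whose "scope" member
    is a space-delimited string (a JSON array is also accepted).
    """
    body = json.loads(token_response)
    raw = body.get("scope")
    if raw is None:
        # A server may omit "scope"; silence is not proof of least privilege.
        raise ValueError("no 'scope' in response; review the app registration")
    granted = set(raw if isinstance(raw, list) else raw.split())
    # Scope tokens are case-sensitive, so compare without normalising.
    missing = sorted(EXPECTED_SCOPES - granted)
    excess = sorted(granted - EXPECTED_SCOPES)
    return {"missing": missing, "excess": excess,
            "ok": not missing and not excess}


# Constructed sample responses (not captured from a real tenant).
EXACT = json.dumps({
    "access_token": "REDACTED", "token_type": "Bearer", "expires_in": 3600,
    "scope": " ".join(sorted(EXPECTED_SCOPES)),
})
# One guide scope was left out and one hypothetical extra scope was granted.
DRIFTED = json.dumps({
    "access_token": "REDACTED", "token_type": "Bearer", "expires_in": 3600,
    "scope": "employee.read employee.create ou.read outype.read "
             "employee.updatefull placeholder.extra",
})

if __name__ == "__main__":
    for name, sample in (("exact", EXACT), ("drifted", DRIFTED)):
        print(name, audit_scopes(sample))
```

A missing scope shows up as provisioning failures, while an extra scope is silent, so the `excess` list is the one worth alerting on.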

Configuration steps

Do the following after creating your Cornerstone OnDemand app integration in Okta:

  1. In the Admin Console, go to Applications > Applications.
  2. Open your Cornerstone OnDemand app instance.
  3. Go to the Provisioning tab and click Configure API Integration.
  4. Select Enable API integration.
  5. Enter the OAuth Client Id and OAuth Client Secret that you copied from Cornerstone when registering your app.
  6. Optional. Validate your credentials by clicking Test API Credentials. If your credentials are valid, you’ll see a message saying that your credentials were successfully verified.
  7. Click Save.
  8. Select the provisioning options to enable and then click Save.

Cornerstone External ID

Cornerstone External ID is a required field in Cornerstone.

If you don't add this attribute to your Cornerstone OnDemand App User profile, it's automatically set to the Okta username.

If you choose to add the attribute to your Cornerstone OnDemand App User profile, then you must perform the following steps:

  1. Go to the Provisioning tab and click Go to Profile Editor.
  2. Click Mappings.
  3. Switch to the Okta User to Cornerstone OnDemand tab.
  4. Enter a mapping for cornerstoneExternalId.
  5. Click Save Mappings.

Group and user assignment

  1. Go to the Assignments tab.
  2. Choose Assign to People or Assign to Groups from the Assign dropdown menu.
  3. Locate the user or group to assign Cornerstone OnDemand to, and click Assign.
  4. Choose a Division from the dropdown list.
  5. Click Save and Go Back.

Schema discovery

This feature allows you to extend the Cornerstone OnDemand App User profile with additional attributes using the Profile Editor and then sync them with Cornerstone OnDemand.

The following extended attributes are supported:

Note: Okta usernames must be used when assigning values to the Approver and Manager attributes.

Note: Adding any of the following attributes to your Cornerstone OnDemand App User profile requires you to perform a few steps to sync values between the app and Okta:

Perform the following steps to retrieve the values for any of the attributes in the preceding list:

  1. Go to the Provisioning tab and click Integration.
  2. Click Edit.
  3. Click Save.
  4. The attribute values are now available when assigning groups and users to Cornerstone OnDemand.