Configuring Provisioning for Org2Org

This guide provides the steps required to configure Provisioning for Org2Org, and includes the following topics:



This setup assumes that you are adding this Org2Org provisioning application to your Okta source (Spoke) organization.


Before you start configuring provisioning for Okta Org2Org, you need to do the following:

  1. Obtain your API Token (Hub Organization):

    Important: The API token must be created by a Super admin. Tokens created by other admin roles will result in provisioning errors/failures.

    • Log in to the Okta Hub Organisation as an administrator:

    • Navigate to Security > API:


    • Click the Create Token button, then enter your token name in the dialog, then click Create Token:


    • Make a copy of your newly generated token:


  2. Verify the Okta Org2Org app’s General Settings in Okta Spoke organization:

    • Make sure that you have the correct base URL to your Hub Org in Okta (for example: https://my-org.okta.com).

Configuration Steps

Configure your Provisioning settings for Okta Org2Org app in Spoke org as follows:

  1. Check the Enable API Integration box.

  2. Enter your API Endpoint and API Key.

  3. Click Test API Credentials:


  4. If your credentials are valid, you’ll see a message saying that your credentials were successfully verified.

  5. Select To App in the left panel, then select the Provisioning Features you want to enable:


  6. Click Save.

  7. You can now assign people to the app (if needed) and finish the application setup.

User Assignment

To assign users to the Okta Org2Org app:

  1. To assign users, navigate to the Assignments tab of your Org2Org app, then select Assign > Assign to People:


  2. In the Assign Okta Org2Org to People dialog, select a user, then click Assign button:


  3. You can set Security Question/Answer and select the Initial Status for the provisioned user:


  4. After clicking Save, this user will be provisioned to Hub organization with the selected initial status and security question/answer.

What is the "Initial status" user attribute?

Push Groups

Groups that exist in Okta can be configured to push to the target Okta org. Users that are part of the pushed group will show up in the target group if they also exist in the target. Best practice is to push new groups to target Okta organization and not to try to push the existing groups.

To push new groups to the Hub org, follow these steps:

  1. Select the Push Groups tab, then and select the green Push Groups dropdown:


  2. Type your group name in the search field, then click on your group. Then click the Add Group button:


  3. If everything is successful, you'll see your group with an Active status, and it will also be pushed to your Hub org:


Profile Sourcing

In addition to the traditional usage, the Okta Org2Org application can be used as a Profile Source.

This means that your Hub org becomes a source of your users. By importing those (Hub) users into your Spoke org, you will be able to update Spoke users’ properties, and those changes will be applied to other apps, to whom those users are assigned (for example, Google Apps, O365 etc.).

To enable Profile Sourcing, perform the following steps:

  1. Go to the Provisioning tab, then click To Okta.

  2. Deselect all Provisioning Features that are enabled, then enable Profile Sourcing.

  3. Click Save.