Configuring Provisioning for Workplace by Facebook

This guide provides the steps required to configure Provisioning for Workplace by Facebook



The following provisioning features are supported:


To enable Provisioning Features, you need to first get an OAuth Access Token from Facebook, as described here:

  1. Login to your Workplace by Facebook organization under an Admin Account.

  2. Navigate to Company Dashboard:


  3. Select the Integrations tab, then select the Custom Integrations section.

    • Click Create Custom Integration.

    • Click Create Access Token, then copy the Access Token from the pop-up window.

    • Ensure you pick necessary permission(s) for this integration

    • Click Save:


  4. Use the OAuth Access Token to configure the Provisioning, as described below.

  5. Configuration Steps

    In Okta, make sure you have entered the following:

    Now you can configure your Provisioning settings for Workplace by Facebook as follows:

    Deprecating Manager from AD

    As part of Feb 2019 release option Push AD Manager is deprecated. See Troubleshooting Tips for more details.

    1. Check the Enable API Integration box.

    2. Enter the following credentials:

      • Enter your OAuth Access Token.

      • Click Test API Credentials to validate your configuration.


    3. Click Save.

    4. Select To App in the left panel, then select the Provisioning Features you want to enable, then click Save:

    5. workplaceprovisioning2.png

    6. You can now assign people to the app, if needed.

    Schema Discovery

    Workplace by Facebook supports User's Schema Discovery, so you can add extra attributes if available to User's Profile. To do that in Okta:

    1. Navigate to Directory > Profile Editor.

    2. Select the APPS section in the left pane, then find your app in the list.

    3. Check the list of the attributes and if you didn't found what you need, click the Add Attribute to display a list of extended attributes.

    4. Check the attributes you want to add, then click Save.

    You are now able to import and push these User's attributes values from/to Workplace by Facebook.

    Location attribute:

    By default, when creating/updating a Facebook User, Okta populates User Location with comma-separated address properties (street, city, state, etc.). If this behavior does not fit your needs, you can add a Location field to AppUser through Schema Discovery and map it accordingly, as follows:

    1. Run Refresh Attribute List.

    2. Find the Location field in the list of attributes.

    3. Add it to the AppUser profile.

    4. Setup mapping for the Location field from Okta to Workplace by Facebook.

      For example: user.city > location

    Push Group

    Facebook at work doesn't support the remove group feature, but it deletes a group after removal of the last member.

    Removing the last member of a group or trying to push an empty group will automatically delete that group.

    Troubleshooting Tips

    How to set the manager attribute

    If you have a AD > Okta > Facebook configuration, and the manager field doesn't update in Workplace by Facebook after updating it in AD, follow the steps below:


    • Manager attribute must already be available in Facebook.
    • Manager attribute functionality only works if the user's manager is a part of the same AD domain. Okta does not support pulling manager data across multiple domains.
    • Manager attribute should be imported from AD.
    1. Add getManagerUser("active_directory").email > facebookUser.manager mapping.

    2. Update manager for any user in AD.

    3. Import changes to Okta.

    4. Ensure the corresponding Facebook user was updated with new manager.

    Disable/Enable Push AD Manager for existing app instances

    Adding confirmed member results in a push group error

    Adding a confirmed member results in the following push group error: The user is not a member of the parent group:


    1. In your Facebook at Work account, navigate to Admin panel > People.

    2. Check the Account Status for users in the group. No users should be in a Deactivated state.

    Group created, but no members in group in Facebook at Work Admin Panel

    1. In your Facebook at Work account, navigate to Admin panel > Groups.

    2. Locate your group, then Join as Admin to group:

    3. fbw_newb.png


    Our current Workplace Facebook connector is capable of pulling manager/employee relationship from a single AD domain, but for those using provisioning with Okta into Facebook and pulling user data from multiple AD domains, Okta cannot provision users due to an inability to pull these relationships across multiple domains. This is a known limitation that we plan on resolving in the near future.