To reconfigure any of the General Settings or Sign-On Options, uncheck the Enable provisioning features box, and use the Previous and Next buttons to navigate through the configuration screens.
This guide provides the steps required to configure Provisioning for Workplace by Facebook.
The following provisioning features are supported:
Import New Users
New users created in the third-party application will be downloaded and turned into new AppUser objects, for matching against existing Okta users.
Import Profile Updates
Updates made to a user's profile in the third-party application will be downloaded and applied to the profile fields stored locally in Okta. If the app is the system of record for the user, changes made to core profile fields (email, first name, last name, etc.) will be applied to the Okta user profile. If the app is NOT the system of record for the user, only changes made to app-specific fields will be applied to the local user profile.
Import User Schema
User schema in the third-party application will be downloaded into Okta.
Push New Users
New users created through Okta will also be created in the third-party application.
Push Profile Updates
Updates made to the user's profile through Okta will be pushed to the third-party application.
Push Password Updates
Updates made to the user's password through Okta will be pushed to the third-party application.
Push User Deactivation
Deactivating the user through Okta will remove the user from the organization and all teams in the third-party application.
Groups and their members can be pushed to remote systems. You can find more information about using group push operations (including Group Push enhancements) here: Using Group Push.
To enable Provisioning Features, you need to first get an OAuth Access Token from Facebook, as described here:
Log in to your Workplace by Facebook organization under an Admin Account.
Navigate to Company Dashboard:
Select the Integrations tab, then select the Custom Integrations section.
Click Create Custom Integration.
Click Create Access Token, then copy the Access Token from the pop-up window.
Ensure you select the necessary permission(s) for this integration.
Use the OAuth Access Token to configure the Provisioning, as described below.
In Okta, make sure you have entered the following:
Your Facebook Subdomain under the General tab.
Your Organization ID under the Sign On tab.
Now you can configure your Provisioning settings for Workplace by Facebook as follows:
Deprecating Manager from AD
As part of the Feb 2019 release, the Push AD Manager option is deprecated. See Troubleshooting Tips for more details.
Check the Enable API Integration box.
Enter the following credentials:
Enter your OAuth Access Token.
Click Test API Credentials to validate your configuration.
Select To App in the left panel, then select the Provisioning Features you want to enable, then click Save:
You can now assign people to the app, if needed.
Workplace by Facebook supports User's Schema Discovery, so you can add extra attributes, if available, to the User's Profile. To do that in Okta:
Navigate to Directory > Profile Editor.
Select the APPS section in the left pane, then find your app in the list.
Check the list of attributes and, if you don't find what you need, click Add Attribute to display a list of extended attributes.
Check the attributes you want to add, then click Save.
You are now able to import and push these user attribute values from/to Workplace by Facebook.
By default, when creating/updating a Facebook User, Okta populates User Location with comma-separated address properties (street, city, state, etc.). If this behavior does not fit your needs, you can add a Location field to AppUser through Schema Discovery and map it accordingly, as follows:
Run Refresh Attribute List.
Find the Location field in the list of attributes.
Add it to the AppUser profile.
Set up mapping for the Location field from Okta to Workplace by Facebook.
For example: user.city > location
Facebook at Work doesn't support the remove group feature, but it deletes a group after removal of the last member.
Removing the last member of a group or trying to push an empty group will automatically delete that group.
If you have an AD > Okta > Facebook configuration, and the manager field doesn't update in Workplace by Facebook after updating it in AD, follow the steps below:
Add getManagerUser("active_directory").email > facebookUser.manager mapping.
Update manager for any user in AD.
Import changes to Okta.
Ensure the corresponding Facebook user was updated with the new manager.
Enable: Currently not supported. Existing instances without the Push AD Manager option should use EL syntax.
Disable: Contact Okta Support and ask them to enable the FACEBOOK_AT_WORK_DISABLE_PUSH_MANAGER_FROM_AD feature flag. After this flag is enabled, push manager from AD will be disabled and EL syntax will be available.
Adding a confirmed member results in the following push group error: The user is not a member of the parent group:
In your Facebook at Work account, navigate to Admin panel > People.
Check the Account Status for users in the group. No users should be in a Deactivated state.
In your Facebook at Work account, navigate to Admin panel > Groups.
Locate your group, then join the group using Join as Admin:
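The two group push behaviours described above (a group is deleted when its last member is removed or an empty group is pushed, and a push fails when a member is in a Deactivated state) can be checked before pushing. The following Python check is an added example, not Okta or Workplace code; the function name, the input dictionaries, the "Active" status value and the sample data are assumptions, and it expects group membership and Account Status to have been exported by hand.

```python
"""Pre-flight check for a Workplace group push (constructed data, hypothetical names)."""

DEACTIVATED = "Deactivated"  # Account Status to look for under Admin panel > People


def preflight_group_push(groups, pending_removals, account_status):
    """Return {group: [finding, ...]} for groups that should not be pushed as-is.

    groups           -- {group name: set of member emails} as currently pushed
    pending_removals -- {group name: set of emails about to be removed}
    account_status   -- {email: Account Status string} exported from Workplace
    """
    findings = {}
    for name, members in groups.items():
        remaining = members - pending_removals.get(name, set())
        issues = []
        if not remaining:
            # Removing the last member, or pushing an empty group, deletes the group.
            issues.append("EMPTY: push would delete the group")
        blocked = sorted(m for m in remaining if account_status.get(m) == DEACTIVATED)
        if blocked:
            # Deactivated members are the documented cause of the push group error.
            issues.append("DEACTIVATED: " + ", ".join(blocked))
        unknown = sorted(m for m in remaining if m not in account_status)
        if unknown:
            # No exported status: the account state cannot be confirmed.
            issues.append("NO STATUS: " + ", ".join(unknown))
        if issues:
            findings[name] = issues
    return findings


# Constructed sample data, not taken from a real tenant.
GROUPS = {
    "Engineering": {"ana@example.com", "raj@example.com"},
    "Launch Team": {"li@example.com"},
    "Facilities": {"omar@example.com", "new.hire@example.com"},
    "Design": {"ana@example.com"},
}
PENDING_REMOVALS = {"Launch Team": {"li@example.com"}}
ACCOUNT_STATUS = {
    "ana@example.com": "Active",
    "raj@example.com": "Deactivated",
    "li@example.com": "Active",
    "omar@example.com": "Active",
}

if __name__ == "__main__":
    for group, issues in preflight_group_push(GROUPS, PENDING_REMOVALS, ACCOUNT_STATUS).items():
        print(group, "->", "; ".join(issues))
```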
Our current Workplace Facebook connector is capable of pulling manager/employee relationship from a single AD domain, but for those using provisioning with Okta into Facebook and pulling user data from multiple AD domains, Okta cannot provision users due to an inability to pull these relationships across multiple domains. This is a known limitation that we plan on resolving in the near future.