Okta is not pushing an updated Active Directory attribute value to a downstream application (e.g. Office 365, ServiceNow)
Applies to:
- Active Directory as Profile Master
- Office 365
The Okta > Downstream Application attribute mapping is set to use the default expression hasDirectoryUser()?findDirectoryUser
- This expression can successfully create attribute values when Okta provisions a new user object in the downstream application. However, updates to the AD user object will not trigger an application profile update task while this expression is in use.
Resolution: Replace the default attribute mapping expression with a strategy that maps from AD > Okta > Application by performing the following steps:
- if there is currently no Okta attribute that corresponds to the AD attribute (e.g. ProxyAddresses, ManagerID), create a matching custom attribute in Okta (please refer to the "Add Custom Attributes to a user profile" section in our Profile Editor Guide for details).
- map the Active Directory attribute to the corresponding Okta attribute (please refer to the "Mappings" section in our Profile Editor Guide for details).
- map the Okta attribute to the Application attribute
- if you are encountering this behavior with ServiceNow's ManagerID attribute, you may need to use an expression that populates a custom Okta attribute with a value retrieved from Active Directory, and then map the Okta attribute to ServiceNow's ManagerID attribute. Please consult the "Manager/Assistant Functions" section of our Okta Expression Language Guide for more details.
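
To find which application mappings still rely on the directory-lookup expression before reworking them, a check like the following can be run over an export of your Okta > Application mappings. This is an added example, not Okta's own code; the export shape (a list of objects with a "target" name and a "properties" map of attribute to expression) and all attribute names and expressions in the sample are constructed assumptions.

```python
import json
import re

# Functions that read from the directory when the expression is evaluated.
# Per the article, mappings built on them populate values at create time but
# do not trigger an application profile update when the AD object changes.
DIRECTORY_LOOKUP = re.compile(r"\b(?:hasDirectoryUser|findDirectoryUser)\b")

# Constructed sample export: two Okta > Application mappings.
# Attribute names and expressions are illustrative assumptions.
SAMPLE_EXPORT = json.loads("""
[
  {"target": "office365", "properties": {
      "proxyAddresses": {"expression": "hasDirectoryUser() ? findDirectoryUser().proxyAddresses : null"},
      "displayName":    {"expression": "user.displayName"}}},
  {"target": "servicenow", "properties": {
      "manager": {"expression": "user.managerId"},
      "email":   {"expression": "user.email"}}}
]
""")


def find_stale_prone_mappings(mappings):
    """Return (target, attribute, expression) for each application attribute
    whose expression looks up the directory user instead of an Okta attribute."""
    findings = []
    for mapping in mappings:
        target = mapping.get("target", "?")
        for attr, spec in sorted(mapping.get("properties", {}).items()):
            expr = spec.get("expression") or ""  # tolerate null expressions
            if DIRECTORY_LOOKUP.search(expr):
                findings.append((target, attr, expr))
    return findings


if __name__ == "__main__":
    for target, attr, expr in find_stale_prone_mappings(SAMPLE_EXPORT):
        print(f"{target}.{attr}: uses a directory lookup ({expr}); "
              "map AD > Okta > Application instead")
```

Each attribute it reports is a candidate for the AD > Okta > Application mapping described in the steps above.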