Provisioning and Deprovisioning Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Provisioning and Deprovisioning
Published: Sep 14, 2017   -   Updated: Jun 22, 2018




Provisioning and Deprovisioning

Provisioning features include the provisioning of accounts for new users, deprovisioning accounts for deactivated users, and synchronizing user attributes across multiple directories. Okta’s provisioning features enable you to manage user accounts automatically within applications. This saves time and ensures that your users' access privileges are up to date. Provisioning and deprovisioning are bi-directional, so accounts can be created inside an application and imported into Okta or added to Okta and then pushed to corresponding applications. Centralization into Okta provides your users with a single access point so they don't have to remember multiple usernames and passwords.


Using provisioning allows for some powerful advantages such as

Provisioning provides the following primary features:

  • Account management – Use Okta to create and assign user names, profiles, and permissions and binding your users' accounts to a single corporate user ID and password.
  • Importing users – You can import users from Active Directory (AD), LDAP, or certain apps. You can configure Okta to continuously push user profiles to ensure that your system has the latest updates.
  • Configuring rules and workflows – You can require specific passwords, synchronize and import groups from applications, and automatically deprovision users in Okta, AD, or LDAP.
  • Reports – You can generate reports and audit trails to help you ensure efficient account usage.

For integrations, Okta supports OAuth 2.0-based authentication and the SCIM standard. If an application supports lesser known standards such as SCIM or SPML, Okta can leverage those as well. Similar to its SSO access features, Okta connects to these APIs for you. You can configure Okta with credentials for your API user and select the features you want. Everything else is handled by Okta, including continuous automated testing and updates.

On-premises applications can also be integrated into Okta to enable provisioning. This can be done in one of two ways: leveraging Active Directory (AD) or using web services to manage user accounts in applications:

  • For enterprises that on-board users using a Human Resource Management System (HRMS) like Workday, Okta provisions and deprovisions users into on-premises applications by using AD as a meeting point. You can configure Okta to manage accounts in your AD instance, and Okta will create and update users in AD based on user accounts in Workday. This information can then be used by any on-premises web app that uses AD as its user store.
  • Okta supports provisioning and deprovisioning for any on-premises web app that has a web services API that is available to Okta using a publicly addressable connection. Okta makes calls to that app's web service to create new user accounts, update attributes, and deactivate users as needed based on the user assignment rules configured in Okta.
Provisioning Methods

Okta provides several provisioning methods:

  • AD integration – Use Okta's lightweight, on-premises Active Directory agent to synchronize with your AD configuration. You can set up real-time synchronization and just-in-time (JIT) provisioning to ensure that you always have the latest user profiles and do not have to wait for scheduled imports.
  • LDAP integration – Okta provides integration with several popular LDAP vendors using a lightweight agent. Okta's LDAP agent provides real-time synchronization and JIT provisioning, similar to its AD agent.
  • HR-driven IT – Okta provides automated provisioning from HR (for example, Workday). This type of provisioning is useful for companies that want to use their HR systems as their main user store. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.
Accessing Provisioning Features

All provisioning options are located on the Provisioning tab for apps and the Settings tab for directories.

  1. From the Okta Dashboard, go to the Applications menu and scroll down to Applications.
  2. From the Applications page, select the desired app.
  3. Select the Provisioning tab on the app's page.
  4. From the Settings column on the left side of the screen, choose from the three possible configurations of Okta provisioning: To App, To Okta, and API Integration.

For details on enabling each option, see Profile Master and User Life Cycle Management below.

Enhanced Provisioning for Specific Apps

We provide some app-specific provisioning guides that are accessible from the Okta Provisioning tab, in product.

Profile Master and User Life Cycle Management

After provisioning has been enabled, the flow of a user's identity throughout it's different stages is known as a user’s life cycle. A profile master can be the "source" app from which users are imported or the target app to which attributes are sent.

There are three possible configurations of Okta provisioning: To App, To Okta, and API Integration, each of which are accessed under Settings on the left of the screen, as shown below.


To App

This screen contains settings for all information that flows from Okta into the app. Not every feature in the following list is available for every app.

Create Users

Assigns a new app account to each user managed by Okta. Okta does not create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default.

Update User Attributes

Okta updates users' profiles when the app is assigned. Profile changes made in the app are overwritten with their respective Okta profile values.

Deactivate Users

Okta automatically deactivates user accounts when they are unassigned in Okta or their Okta accounts are deactivated. Okta also reactivates the app account if it is reassigned to a user in Okta.

Exclude username updates

Disallows the downstream application profile from overwriting the Okta user profile when using the profile push feature.

Sync Password

Ensures users' app passwords are always the same as their Okta passwords or allows Okta to generate a unique password for the user. For more details, see Sync Password.

Profile Attribute Mappings

Use this portion of the page to edit attributes and mappings in the Profile Editor.

To Okta

This screen contains settings for all information that flows from the app to Okta. Click the adjacent Edit buttons to make changes in the following sections.


Use this section to schedule imports and dictate a username format that Okta will use for imported users. You can also define a percentage of acceptable app assignments before the Import Safeguard feature is automatically triggered.

User Creation & Matching

Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.

Imported user is an exact match to Okta user if: the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.

Allow partial matches: Partial matching occurs when the first and last name of an imported user matches that of an existing Okta user, but the user’s username or/and email address do not.

Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches are confirmed manually.

Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.

Profile & Lifecycle Mastering

Use this section to allow the current app to profile master Okta users. Once enabled, the app appears in the list of profile masters on the Profile Masters page.

Click the Allow <app> to master Okta users button to enable mastery and view the following. This section allows you to determine what happens when a user is deactivated in an app: should they be deactivated, suspended or remain an active user is Okta?

In any case, only the highest priority profile master for that Okta user can deactivate or suspend an Okta user. To verify the highest priority profile master, review the Profile Masters page.

When a user is deactivated in the app

Choose Do Nothing to prevent activity in the app from controlling the user life cycle. This still allows profile master control of attributes and mappings. Otherwise, you can choose between deactivating or suspending the user.

When a user is reactivated in the app
  • Reactivate suspended users: Allows an admin to choose if a suspended Okta user should be reactivated when they have been reactivated in the app.
  • Reactivate deactivated users: Allows an admin to choose if a deactivated Okta user should be reactivated when they have been reactivated in the app.

Okta Attribute Mappings

Use this portion of the page to edit attributes and mappings in the Profile Editor.

API Integration

Some apps require a token to authenticate against their API. Click the Authenticate with App Name button to generate a token. You are redirected to the app where you must authenticate to obtain your token.


Okta's deprovisioning features ensure that people who are no longer with your company do not have access to sensitive applications and documentation. Deprovisioning is also important for compliance reasons and to help you maintain an accurate usage count for your applications.

You can deprovision users in Okta or AD. Users are automatically deprovisioned from supported apps. Admins receive an email describing any apps that require them to manually deprovision users.