Using Selective Profile Push
Published: Jan 31, 2018   -   Updated: May 15, 2018


This section specifically explores the Selective Profile Push feature for Universal Directory. For general information about UD, see About Universal Directory.

Profile mapping allows administrators to have precise control over the attributes exchanged during provisioning processes. An import from Active Directory to Okta is one of the more common examples of such an exchange, but it can be applied to any app that integrates with Okta. These exchanges center around how attributes are defined and mapped between two elements: the source of data, and the applications to which users are assigned.

Such mappings can be bi-directional. You can begin with a basic Okta user profile, retaining its default attributes, and simply map those attributes to the app user profile of a target application. This establishes a 1:1 relationship of data fields between these two entities. Or, you can do the reverse, choosing fields from the target app to map app-related fields to the Okta user. Essentially, you are setting the default attribute mappings for each Okta user or app user profile.

To begin creating this relationship, do the following under the Profile Mappings tab:

  1. From the provided list, find the app or directory you wish to map.
  2. Click the Edit Mappings button for the chosen app. The <App> User Profile Mappings page appears.
  3. Note which tab is viewable for the app—<App> to Okta or Okta to <App>.

<App> to Okta Mapping

In this instance, an app user profile contains the source attributes that should map to an Okta user profile—the target for the addition of attributes.

Usernames hold particular importance in profile mapping. The default username is defined on the Sign-on or Provisioning tab of the app, but this can be changed.

Note: For Active Directory, username is referred to as common name (cn).

If you wish to change this default and define the username in Okta, there are two ways to do this:

Using the Change default button

  1. Click the Change default button. This takes you to the Provisioning page for the app.
  2. Click the Edit button and scroll down to the Import Mapping Rule section.
  3. Use the drop-down menu to select the default username to use when importing and mapping an app user to an Okta user.
  4. Click the Save Mappings button to save your choice.

Warning: If the User sets username and password option is selected under the Sign On tab, an error occurs. For details about this setting, see Selective Profile Push.

Using the Override with mapping button

  1. Click the Override with mapping button.
  2. Use the drop-down menu to choose a custom attribute defined for the app. You can also use a custom expression to create a unique username or cn. See Using EL Expressions for details about EL expressions.
  3. Click the Save Mappings button to save your choice.

As you scroll through the page, decide which attributes you would like to change or alter as they map to the user profile fields in Okta. These fields can be defined using the drop-down menu or through adding a custom EL expression. See Using EL Expressions for details about EL expressions.

Towards the end of the page, you may see undefined attributes with the label Add mapping. These fields can be left blank or defined using the same method as the earlier attributes.

Okta to <App> Mapping

In this instance, Okta contains the source attributes that should map to a target app user profile.

Usernames hold particular importance in profile mapping. The default username is defined on the Sign-on or Provisioning tab of the app, but this can be changed.

Note: For Active Directory, username is referred to as common name (cn).

If you wish to change this default and define the username in Okta, there are two ways to do this:

Using the Change default button

  1. Click the Change default button. This takes you to the Sign-on page for the app.
  2. Click the Edit button and scroll down to the Default Username section.
  3. Use the drop-down menu to select the default username to use when assigning an application to a user.
  4. Click the Save Mappings button to save your choice.

Warning: If the User sets username and password option is selected under the Sign On tab, an error occurs. For details about this setting, see Selective Profile Push.

Using the Override with mapping button

  1. Click the Override with mapping button.
  2. Use the drop-down menu to choose a custom attribute from the Okta user profile. You can also enter a custom expression to create a unique username. See Using EL Expressions for details about EL expressions.
  3. Click the Save Mappings button to save your choice.

As you scroll through the page, decide which attributes you would like to change or alter as they map to the app user profile fields in the app. These fields can be defined using the drop-down menu or through adding a custom EL Expression. See Using EL Expressions for details about EL expressions.

Towards the end of the page, you may see undefined attributes with the label Add mapping. These fields can be left blank or defined using the same method as the earlier attributes.

Selective Profile Push

Along with mapping, the selective profile push feature allows admins to select which attributes are pushed from Okta to an app when a provisioning event occurs. While mapping may be bi-directional, selective profile push is uni-directional, meaning that this data can only be pushed from Okta to a target app.

To successfully use this feature, the following conditions must be true for local (SWA or SAML), Provisioning-enabled, and non-provisioning apps:

  • Apps with Provisioning capability must have Update User Attributes enabled under the Provisioning tab for the app. This provisioning feature includes a Do not update Username attribute on user profile check box, which gives you the option to exclude username updates but allow the update of other attributes.
  • For both app types, pushing usernames requires that the username be controlled by the administrator, never by the user. Find this setting under Application > Sign on tab > Sign On Methods.

Once the desired mapping is set up, admins can then decide which attributes are pushed when a profile push occurs. Such events can be set using the arrow drop-down menus.

The options available in the list will vary depending on the scenario of your app configurations. The app type, profile master status, and various states of the app all play a role in which options are displayed.

Mapping Option Displays

Drop-down menu options include the following:

  • Apply mapping on user create and update: This pushes data when a user is created and also when there is a change in their profile.
  • Apply mapping on user create only: This pushes data only when a new user is created, and does not automatically push data when a user profile changes.
  • Do not map: This removes an existing mapping. See Removing an Existing Mapping below.

Removing an Existing Mapping

There are two ways to remove a mapping: either use the delete button to backspace the entry from the field, or use the drop-down to choose the Do not map option. When the mapping is successfully deleted, the label of the attribute switches back to Add mapping.
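
As an added example (not Okta's code and not part of the original article), the following Python script checks an Okta-to-app mapping against an intended push policy expressed in the three drop-down options described above. It assumes the mapping is available as JSON with a `properties` object whose entries carry `expression` and `pushStatus` (`PUSH` or `DONT_PUSH`), as in Okta's Profile Mappings API, and that these two values correspond to the create-and-update and create-only options; the sample document, attribute names and policy are constructed.

```python
import json

# Constructed sample. Shape assumed from Okta's Profile Mappings API
# (properties -> expression / pushStatus); the article shows only the UI.
SAMPLE_MAPPING = json.loads("""
{
  "properties": {
    "userName":   {"expression": "user.login",      "pushStatus": "DONT_PUSH"},
    "email":      {"expression": "user.email",      "pushStatus": "PUSH"},
    "department": {"expression": "user.department", "pushStatus": "PUSH"},
    "costCenter": {"expression": "user.costCenter", "pushStatus": "PUSH"}
  }
}
""")

CREATE_AND_UPDATE = "Apply mapping on user create and update"
CREATE_ONLY = "Apply mapping on user create only"
DO_NOT_MAP = "Do not map"
# Assumed correspondence between API values and the drop-down labels.
LABELS = {"PUSH": CREATE_AND_UPDATE, "DONT_PUSH": CREATE_ONLY}

# Constructed policy: what the admin intends each app attribute to receive.
EXPECTED = {
    "userName": CREATE_ONLY,
    "email": CREATE_AND_UPDATE,
    "department": CREATE_ONLY,
    "mobilePhone": DO_NOT_MAP,
}

def option_for(mapping, attribute):
    """Return the drop-down option in effect for one target attribute."""
    entry = mapping.get("properties", {}).get(attribute)
    if not entry or not entry.get("expression"):
        return DO_NOT_MAP  # no mapping: the UI label reads "Add mapping"
    status = entry.get("pushStatus")
    if status not in LABELS:
        raise ValueError(f"{attribute}: unknown pushStatus {status!r}")
    return LABELS[status]

def audit(mapping, expected):
    """Return (attribute, expected, actual) for every deviation from policy."""
    names = sorted(set(expected) | set(mapping.get("properties", {})))
    # Attributes absent from the policy are expected to be unmapped.
    rows = [(n, expected.get(n, DO_NOT_MAP), option_for(mapping, n)) for n in names]
    return [row for row in rows if row[1] != row[2]]

if __name__ == "__main__":
    for name, want, have in audit(SAMPLE_MAPPING, EXPECTED):
        print(f"{name}: expected '{want}', found '{have}'")
```

On the constructed sample this reports `costCenter`, which is mapped although the policy does not list it, and `department`, which is pushed on update although the policy allows it on create only.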
