Salesforce Automated De-Provisioning - Doesn't seem to work with existing provisioned users
Andy Rouse


I'm testing the de-provisioning functionality with OKTA and Salesforce and want to confirm the expected behaviours and any potential work-arounds:
  • It seems that turning on "Provisioning" functionality for the Salesforce application changes the Assignment screen from a simple single-field form, to a multiple field form (including Profile, Role, Public groups, permission sets, etc.). This is confusing, as we only want to use the de-provisioning functionality to start with. We don't want OKTA to be having any control over these fields in Salesforce.
  • After turning off provisioning functionality, this new assignment screen remains. It would be good to understand why these fields are presented (and how the options in them are being presented, even though there should be no link to our Salesforce instance with the provisioning switched off)
  • SCENARIO - I assign a user to the application manually (and create their Salesforce user manually). I then switch on Provisioning. If I un-assign that user from the application, their Salesforce user isn't de-provisioned. Why is this? Is this expected behaviour? What is the difference between assigning an existing Salesforce user to the Salesforce OKTA application with Provisioning switched on/off? We have thousands of existing Users with OKTA assignments. Will we have to manually de-activate those users as they are un-assigned?
Thanks!
Andy
Chris Barry (Okta, Inc.)
Andy, good morning! Enabling Provisioning does make all the other fields associated with Salesforce available for you to edit and configure. In the Admin console, you can navigate to Directory | Profile Editor to see both the Salesforce app profile, and the mappings between Okta and Salesforce. This is by design. You can configure Okta and its integration with Salesforce before the data starts to flow. Okta Lifecycle Management isn't just provisioning and it doesn't start to push or pull data just because you enabled provisioning. You must then separately enable Create Users, Update User Attributes, Deactivate Users, Sync Passwords, and set Salesforce to be a Profile Master, if that is what you would like to do.

If you are having issues with users who aren't being deactivated in Salesforce, my guess is you haven't imported those users into Okta so that Okta may map their Okta identities to their Salesforce identities.

Why is this? Okta doesn't make assumptions. You can automate Okta by enabling specific actions, but Okta doesn't do things until you first indicate that's what you want it to do.

Is this the expected behavior? Yes.

What is the difference between assigning an existing Salesforce user to the Salesforce OKTA application with Provisioning switched on/off? You are describing mapping, which is configuration. In terms of runtime actions, that is enabled after you map the users and enable that action.

Will we have to manually de-activate those users as they are un-assigned? No! That is the power of Okta!

I *highly* recommend that you attend OKTA ESSENTIALS. Our talented and experienced instructors will show you how to achieve your goals! You can find out more information about that course, and the upcoming schedule. It is our most popular course so we run it frequently! You can learn more about it here: https://www.okta.com/services/training/ If you send me an email (my first name + "." + my last name + "@okta.com"), I can assist you in getting into an upcoming class.

Chris Barry
Instructor
Okta
Andy Rouse

Chris,

Thank you for your response. You've clearly taken some time to respond, but I feel like I might not have been clear enough in some instances.

With regards to the Profile mapping - I have removed all of the mappings from the "Profile Editor" for the application, but I still see all of the fields when I'm trying to assign a new user. Is that expected behaviour? Given that all the mappings are switched off, why are they still showing and what happens if I put data into those fields when assigning a user to the Salesforce application?

I didn't clearly indicate enough that I had switched on the "De-provision" setting along with the "Provisioning" when I switched it on. The only tick-box I'd selected was "De-provision" and I left the rest un-ticked. I understand the differences between them and why we may only want to select particular parts of the functionality.

The user who I tested on had been imported into OKTA already and had been assigned to the Salesforce application prior to me switching on the Provisioning functionality and enabling "De-Provision". Additionally, I had checked that the user was correctly mapped to the user in the Salesforce sandbox and they could log in to the sandbox using OKTA. However, when I unassigned the user from the Salesforce application, their user in Salesforce was not de-activated. The de-provisioning only worked if I re-applied the Salesforce application to this user AFTER I had turned on the provisioning functionality. Your response indicates that this isn't expected behaviour. Is that the case?

I'm not sure that I'm the target market for the OKTA Essentials course. I've been using OKTA for a number of years so am pretty comfortable with the broad functionality. My question relates more to this specific use case.

With thanks,
Andy
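
A reconciliation check for the situation discussed in this thread, as an added example that is not part of the original posts and is not Okta's code: it lists Salesforce app assignments for which Okta holds no linked Salesforce ID, and active Salesforce users with no Okta assignment at all. It assumes the `externalId`, `syncState` and `credentials.userName` fields of Okta application-user records and the `Id`, `Username` and `IsActive` fields of Salesforce User records; all sample records and the `reconcile` helper are constructed for illustration.

```python
# Constructed Okta application-user records for the Salesforce app.
OKTA_APP_USERS = [
    {"id": "00uA", "externalId": "005A", "syncState": "SYNCHRONIZED",
     "credentials": {"userName": "ann@example.com"}},
    # Assigned for SSO only: Okta has no Salesforce ID recorded for this user.
    {"id": "00uB", "externalId": None, "syncState": "DISABLED",
     "credentials": {"userName": "Bob@Example.com"}},
]

# Constructed Salesforce User rows.
SALESFORCE_USERS = [
    {"Id": "005A", "Username": "ann@example.com", "IsActive": True},
    {"Id": "005B", "Username": "bob@example.com", "IsActive": True},
    {"Id": "005C", "Username": "carl@example.com", "IsActive": True},
    {"Id": "005D", "Username": "dee@example.com", "IsActive": False},
]


def reconcile(okta_app_users, sf_users):
    """Return assignments without a Salesforce link and orphaned active users."""
    linked_ids = set()      # Salesforce IDs that Okta has linked to an assignment
    assigned_names = set()  # usernames of every current assignment, lowercased
    unlinked = []           # assignments that carry no externalId
    for app_user in okta_app_users:
        name = (app_user.get("credentials") or {}).get("userName", "").lower()
        if name:
            assigned_names.add(name)
        if app_user.get("externalId"):
            linked_ids.add(app_user["externalId"])
        else:
            unlinked.append(name or app_user.get("id", "<unknown>"))
    # Active in Salesforce, yet matched by neither linked ID nor username.
    orphaned = [
        u["Username"] for u in sf_users
        if u["IsActive"]
        and u["Id"] not in linked_ids
        and u["Username"].lower() not in assigned_names
    ]
    return {"unlinked_assignments": sorted(unlinked),
            "orphaned_active": sorted(orphaned)}


if __name__ == "__main__":
    report = reconcile(OKTA_APP_USERS, SALESFORCE_USERS)
    print("Assignments with no linked Salesforce ID:", report["unlinked_assignments"])
    print("Active Salesforce users with no Okta assignment:", report["orphaned_active"])
```

Running the same comparison before and after a batch of un-assignments shows which Salesforce accounts stayed active and need manual deactivation.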