Thomas (Okta, Inc.)

Setup of UD for Provisioning

Best Answer chosen by Thomas (Okta, Inc.) 
Thomas (Okta, Inc.)

By now you’ve no doubt heard about Okta’s Universal Directory, or the Okta Expression Language. We wanted to take an opportunity to talk about some real-world examples of how we’ve been using it with some customers to achieve some advanced provisioning functionality.

The Last Shall Be First
A scenario we see quite often is using an alternate format for your display name. For this example, rather than being “John Smith”, we want the display name to be “Smith, John”. With a simple concatenation we can flip the order of the names around.

source.lastName + ", " + source.firstName

Once you understand the syntax it is easy to see how you can manipulate the formatting of any user attribute.

No Email? No Problem!
Another issue we often see when provisioning a new employee account to Okta, particularly from an HR system like Workday, is the required email field. We’ve got a brand new user who doesn’t exist in any IT systems yet, and thus does not yet have an email address, but email is required to create an Okta account. This can be a real chicken-or-egg problem when you’re trying to provision an account to Active Directory or Google Apps.

A simple custom mapping allows us to create a placeholder for email so we can provision the account into AD or Google Apps, where we create a real email address.

The following expression checks whether the email address is populated in the source application. If it is not, the expression takes the username and adds a string to the end. If the email is there, it will flow as it normally would.

source.email == null ? source.userName + "@domainsuffix.com" : source.email

Keep in mind, if your users are Okta-mastered, they’ll need to have a valid email they can access in order to activate their account, but this can be a great placeholder so you can continue to provision accounts.

Original Author: Cody Suders, Technical Consultant - Professional Services, Okta
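
An added example, not part of the original post and not Okta code: a Python equivalent of the placeholder-email mapping above, followed by an audit that flags profiles still carrying the placeholder, including the Okta-mastered case the post warns about. The record fields (such as `okta_mastered`), the sample users and the treatment of a blank email as non-null are assumptions made for illustration.

```python
PLACEHOLDER_SUFFIX = "@domainsuffix.com"  # suffix from the expression on this page

# Constructed sample source records (e.g. an HR feed); field names are assumptions.
SAMPLE = [
    {"userName": "jsmith", "email": None, "okta_mastered": False},
    {"userName": "adoe", "email": "adoe@example.com", "okta_mastered": False},
    {"userName": "bnew", "email": None, "okta_mastered": True},
    {"userName": "cblank", "email": "", "okta_mastered": False},
]


def map_email(source):
    """Mirror of: source.email == null ? source.userName + suffix : source.email"""
    if source["email"] is None:
        return source["userName"] + PLACEHOLDER_SUFFIX
    return source["email"]  # note: an empty string is not null and flows through


def provision(records):
    """Apply the mapping to every source record, keeping the other fields."""
    return [dict(r, email=map_email(r)) for r in records]


def audit(profiles):
    """Return {userName: finding} for profiles whose email needs follow-up."""
    findings = {}
    for p in profiles:
        email = p["email"].strip().lower()
        placeholder = (p["userName"] + PLACEHOLDER_SUFFIX).lower()
        if not email:
            findings[p["userName"]] = "blank email passed the null check"
        elif email == placeholder and p["okta_mastered"]:
            findings[p["userName"]] = "placeholder email, user cannot activate"
        elif email == placeholder:
            findings[p["userName"]] = "placeholder email, replace after mailbox exists"
    return findings


if __name__ == "__main__":
    for user, finding in audit(provision(SAMPLE)).items():
        print(f"{user}: {finding}")
```

Running an audit like this on a schedule helps keep placeholder addresses from lingering on accounts after the real mailbox has been created downstream.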