The Active Directory (AD) manager attribute does not update in Okta after modification in AD. This occurs because a custom expression uses the getManagerUser("active_directory") function, and this function does not trigger an Okta user profile refresh. Resolve this by using a custom expression that parses the distinguishedName format of the attribute, or by creating a secondary attribute mapping to force a profile refresh.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Profile Editor
A custom expression uses the getManagerUser("active_directory") function to pull manager information from AD. The getManagerUser("active_directory") function does not trigger an Okta user profile refresh. The AD application user profile successfully imports the new manager value, but the Okta user profile does not reflect the change because a refresh does not occur. The Okta Expression Language overview developer documentation details this behavior.
How is the Active Directory manager attribute synced to Okta?
Okta provides two methods to resolve this issue. The first method replaces the existing mapping with a custom expression that parses the distinguishedName format. The second method retains the existing mapping and adds a secondary attribute mapping to force a profile refresh.
Parse the distinguishedName format
Review the following custom expression examples to parse the distinguished name format and store the manager attribute as a display name.
- Display the "CN" value as is:
- Example 1:
String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1) - Example 2:
String.substringAfter(String.substringBefore(appuser.managerDn, ",OU"), "CN=")
- Example 1:
- If the manager CN uses the format "lastName, firstName" (for example, "CN=Doe , John, OU= ..."), use a similar expression that either ignores the escape character or rearranges the display to "firstName lastName".
- Ignoring the escape character:
String.replace(String.substring(String.substringBefore(appuser.managerDn, ",OU"),3,-1), "\", "" )
- Rearranging the display:
-
String.substringAfter(String.substringBefore(appuser.managerDn, ",OU="), "\, ") + " " + String.substringAfter(String.substringBefore(appuser.managerDn, "\,"), "CN=")
-
- Ignoring the escape character:
Update the attribute mapping in the Okta Admin Console by navigating to the Profile Editor, selecting the Active Directory domain, and entering the chosen expression.
- Go to Directory > Profile Editor and select the Active Directory domain.
- Click Mappings, which opens the "[AD domain] to Okta User" tab by default.
- Enter the chosen expression for the
user.managerattribute. - Click Save Mappings.
How is a profile refresh forced using a secondary attribute?
Retain the existing getManagerUser mapping and add a new mapping to a different attribute that uses a managerDn mapping. This secondary attribute can be a custom attribute and does not require mapping to any downstream applications. The sole purpose of this secondary attribute is to force an Okta user profile refresh when the manager value updates in AD. During the refresh process, Okta evaluates the original getManagerUser mapping and applies the manager update to the Okta user profile.
Create a custom attribute and map it using the manager distinguished name to force a profile refresh.
- Go to Directory > Profile Editor and select the Okta user profile.
- Click Add Attribute and configure a new custom attribute.
- Return to the Profile Editor and select the Active Directory domain.
- Click Mappings, which opens the "[AD domain] to Okta User" tab by default.
- Enter
appuser.managerDnfor the newly created custom attribute. - Click Save Mappings.
NOTE: When updating managerId in Okta using the expression getManagerUser("active_directory").email, Okta requires the manager user to be active for the attribute to update properly.
NOTE: Okta does not support the getManagerUser function for user profiles sourced from multiple Active Directory instances.
