Create Only vs. Create and Update for Profile Mappings
Lifecycle Management
Okta Classic Engine
Okta Identity Engine
Overview

This article addresses some Frequently Asked Questions (FAQs) about the Apply Mapping on User Create Only and Apply Mapping on User Create and Update AppUser attribute mappings.

Applies To
  • User Lifecycle Management
  • Profile Sources
  • Profile Editor
  • Attribute Mapping
Cause

Some confusion is caused by terminology that is used interchangeably within Okta.

The user attribute mapping configuration settings Apply Mapping on User Create Only (also known as "Create Only") and Apply Mapping on User Create and Update (also known as "Create and Update") refer to the behavior of the Okta AppUser profile. They can be seen in the app Mappings (via Directory > Profile Editor > {application name} > Mappings); see the example screenshot below.

Similarly, the Application Attribute Mappings for Provisioning also have options for "Create" and "Create and Update". These are configuration settings specifically for provisioning pushes to a target app integration (where provisioning is enabled). Provisioning controls are managed on the respective app's Provisioning tab, in the To App section (see the example screenshot below).

ServiceNow Profile Mapping

This knowledge article only focuses on user attribute mapping configuration settings.

Solution

There are many facets involved in Profile Attribute Mapping, for example:

  1. Upstream App Profile (for example, Active Directory).
  2. Okta User profile.
  3. "AppUser" profile (inside Okta, but specific to an application).
  4. Profile on a downstream application.

A visual representation would be:

  • Upstream App Profile  --/--> Okta User profile --/--> AppUser profile ----> Downstream app.

This article focuses on the AppUser, but for more information, refer to the document About Profile Types.

Create and Update

Create and Update mapping

Apply mapping on user create and update triggers a profile mapping update for the associated AppUser profile in Okta whenever a change is detected in one or more of the attributes referenced by the expressions entered in the mapping fields (the left column in this second example screenshot).

Create Only

Apply Mapping on user create only

Apply mapping on user create only refers to the creation of the AppUser profile in Okta. In the example screenshot above, this would be a mapping from a Profile Source such as Active Directory or LDAP, an HRIS such as Workday or BambooHR, CSV Directory, Custom Identity Source, etc. The AppUser profile is the profile associated with the app; it is linked to the Okta User profile when an app assignment is created or the user is imported. In most cases, removing the assignment and adding it back creates a new AppUser profile with a new, unique AppUser ID.

Create Only attribute mappings mean that the mapping expression is applied only when the association between the Okta User and the AppUser profile is created. The attribute is intended to stay frozen in the AppUser profile, so subsequent provisioning events always push the same value by design. See: Okta Does Not Support Partial Profile Push During Subsequent Profile Update Push from Okta to External Application.

This is useful for strongly enforcing the same attribute value: the only way a changed value would be mapped is by destroying and recreating the assignment. It is intended less for attributes that simply are not expected to change, and more for attributes where adverse or undesirable behavior would occur if an update happened by accident. These are attributes such as employee ID, the Microsoft Office 365 immutable ID, or other identifier values whose change would cause serious issues or loss of access.

Example

If an attribute mapping is configured as Apply mapping on user create only (see image below), then at the point the user is assigned to an application in Okta (for example, ServiceNow), which is the point at which the AppUser is created in Okta, the value of the Okta user.Company attribute is used to statically populate the company attribute on the AppUser profile.

Apply mapping on user create only

For example, upon creation, the user could have values like the ones below:

  • AD Attribute = "ABC"
  • Okta profile (user.Company) = "ABC"
  • AppUser profile = "ABC"
  • Downstream ServiceNow app = "ABC"

From that point on, it does not matter if the Okta attribute user.Company changes to a different value. The AppUser company value remains as it was originally set, because the mapping is only applied at creation (AppUser creation in Okta).

  • For example, if the AD attribute (upstream app) was changed to "XYZ" and the Okta profile is configured to accept updates, the values could appear as:
    • AD Attribute = "XYZ"
    • Okta profile = "XYZ"
    • App user profile = "ABC"
    • ServiceNow (Downstream) app = "ABC"

If Okta detects a change to any AppUser attribute, the entire AppUser profile is pushed from Okta, including unmapped attributes and those configured to apply on creation only. In practice, this means that if the value for "company" was changed directly in an application outside of Okta (for example, ServiceNow), then the next time Okta detects a change to the AppUser profile (any attribute change, not just the "company" value) it will revert any matching create-only attribute values in ServiceNow.

  • For example, if "company" was changed from "ABC" to "XYZ" in ServiceNow, it would revert to "ABC", because that is the value the AppUser attribute for company was statically set to at the point of creation.
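The scenario above, modeled as a small simulation (added here as an illustration; this is constructed example code, not Okta's implementation). It assumes attribute names are the same on the Okta user and the AppUser, models "company" as Create Only and "title" as Create and Update, and shows the three behaviors the article describes: the create-only value freezing after an upstream change, a full profile push reverting an out-of-band edit in the downstream app, and a new AppUser picking up the current value when the assignment is recreated.

```python
from dataclasses import dataclass, field
from typing import Dict, Literal, Optional

# Mapping mode per AppUser attribute (assumption: same attribute name on the Okta user).
Mode = Literal["create_only", "create_and_update", "do_not_map"]


@dataclass
class AppUser:
    app_user_id: int  # a new unique id each time the assignment is recreated
    profile: Dict[str, str] = field(default_factory=dict)


class MappingSim:
    """Toy model of Okta User profile -> AppUser profile -> downstream app (constructed)."""
    _next_id = 1

    def __init__(self, mappings: Dict[str, Mode], okta_user: Dict[str, str]):
        self.mappings = mappings
        self.okta_user = dict(okta_user)
        self.app_user: Optional[AppUser] = None
        self.downstream: Dict[str, str] = {}

    def assign(self) -> AppUser:
        """App assignment: the AppUser is created and every mapped expression is evaluated once."""
        profile = {a: self.okta_user.get(a, "")
                   for a, m in self.mappings.items() if m != "do_not_map"}
        self.app_user = AppUser(MappingSim._next_id, profile)
        MappingSim._next_id += 1
        self._push()
        return self.app_user

    def unassign(self) -> None:
        """Removing the assignment discards the AppUser profile."""
        self.app_user = None

    def update_okta_user(self, attr: str, value: str) -> None:
        """Upstream/Okta change: only create_and_update mappings re-evaluate after creation."""
        self.okta_user[attr] = value
        if (self.app_user and self.mappings.get(attr) == "create_and_update"
                and self.app_user.profile.get(attr) != value):
            self.app_user.profile[attr] = value
            self._push()

    def edit_downstream(self, attr: str, value: str) -> None:
        """Out-of-band edit made directly in the target app; Okta is not told about it."""
        self.downstream[attr] = value

    def _push(self) -> None:
        """Okta pushes the whole AppUser profile, never a partial one, reverting stale edits."""
        self.downstream = dict(self.app_user.profile)
```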

Conclusion

If the above is not the desired behavior, map the attributes using either "Apply mapping on user create and update" or "Do not map".

A typical Okta integration maps all attributes as either create only or create and update; however, it is possible to mix and match, setting selected attributes to create and update and others to apply the mapping only on creation. All defined attributes are included in a profile push, regardless of whether they are populated.

It is important to review the information stored in Okta and the information in downstream applications to ensure that attributes are not unexpectedly overwritten.

How to check the AppUser Profile Values in Okta

To check an AppUser's profile values:

  • Navigate to Applications > Application > {application name} > Assignments tab.
  • Locate the user (or Group) and click on the pencil adjacent to the name (see the screenshot below).

Microsoft Office 365 assignment
