This article provides answers to frequently asked questions about Integrations (Connectors) for Entitlement Management.
- For more information about Entitlement Management, refer to Frequently Asked Questions About Entitlement Management
- For more information about the Entitlement Management Platform, refer to Frequently Asked Questions About Entitlement Management Platform
- For more information about Governance for Entitlements, refer to Frequently Asked Questions About Governance for Entitlements
- For more information about Integration with Access Requests and Access Certifications, refer to Frequently Asked Questions About Integration with Access Requests and Access Certifications
- For more information about Okta Identity Governance, refer to Identity Governance FAQs
Table of Contents
Which applications are eligible for Entitlement Management in my Okta org?
For which applications does Okta support out-of-the-box connectors for Entitlement Management?
Can I use Entitlement Management with an application for which Okta does not have a connector?
Can I turn on Entitlement Management for my existing applications that are configured for provisioning?
What is the recommended implementation to use Entitlement Management for an already configured application for provisioning?
Will Okta automatically detect new entitlements created in the downstream system?
What are the recommended provisioning configurations for the 5 OOTB connectors?
Will Okta automatically detect what entitlements a user has in the downstream system?
What happens to users if their Office 365 licenses are revoked in Azure AD?
What happens to users if their entitlements are revoked in Salesforce, NetSuite, Google Workspace, or Box?
Are there any additional known limitations with out-of-the-box connectors?
Which applications are eligible for Entitlement Management in my Okta org?
| Application Type / Configuration | | Can this app be opted into the Governance Engine? |
|---|---|---|
| Template Apps (Accessed through new App Integration) | OIDC | Yes |
| | SAML | Yes |
| | SWA | No |
| | API Services | No |
| Template Apps (Accessed through OIN) | Bookmark (from OIN) | No |
| | SCIM Template App (from OIN) | Yes |
| OIN Apps | Provisioning is enabled | No |
| | Provisioning is not enabled | Yes |
| | Old app instance “Google Workspace” | No |
| | New App Instance of “Google Workspace” | Yes |
| | Provisioning is enabled | No |
| | Provisioning is not enabled | Yes |
For which applications does Okta support out-of-the-box connectors for Entitlement Management?
View the entire list of supported out-of-the-box connectors at Apps with entitlement support.
Can I use Entitlement Management with an application for which Okta does not have a connector?
Yes, for applications that Okta is not supporting out-of-the-box, customers can leverage the options below:
- Workflows - To build entitlements discovery and user/entitlement provisioning to the app
- Partners - Okta partners (IC Consult and BeyondID) are building connectors for SAP and Oracle EBS to provide additional coverage. Customers can also contact these partners for additional connectors, availability, and pricing.
Can I turn on Entitlement Management for my existing applications that are configured for provisioning?
Not at this time. If your app instance has been set up for provisioning already, you cannot enable Entitlement Management for that app instance.
If you need to use Entitlement Management for any of the 5 out-of-the-box connectors, you may create a new app instance and enable Entitlement Management on that app instance before enabling provisioning.
Enablement of existing app instances will be available in H1CY24.
What is the recommended implementation to use Entitlement Management for an already configured application for provisioning?
If you already use one of the top 5 out-of-the-box integrations for provisioning, then the recommended implementation is to create a new app instance, move over all your assignments and provisioning logic to the new app instance, and retire the existing app instance.
To get up and running faster when creating a new app instance, make sure to run a full import to bring in all of the user’s profile and entitlement values in the downstream system.
Okta does not support migrations of existing app instances at this time.
Will Okta automatically detect new entitlements created in the downstream system?
Okta does not automatically detect new entitlements created in the downstream system today. To pull in new entitlements, Admins can use any of the following approaches:
- If provisioning is enabled, a full import will fetch new entitlements.
- Admins can go to the provisioning settings on the app instance and then click > Edit > Save. This action pulls the app’s entitlement values from the downstream system into Okta.
What are the recommended provisioning configurations for the 5 OOTB connectors?
The recommended path from Okta is:
- Enable Governance Engine on an app instance that has provisioning turned off.
- Enable provisioning AFTER the Governance Engine was enabled on the app instance.
- Enable, at least, “Create User” AND “Update User” permissions for provisioning settings under “To App” for Okta to push Entitlement changes to the downstream application.
Will Okta automatically detect what entitlements a user has in the downstream system?
When doing an Import, Okta will be able to fetch any entitlements that are granted to the user in the downstream system. If the entitlements for the user in the downstream system are different than the entitlements granted for the user in Okta, then the downstream system is always treated as the source of truth, and all existing entitlements in Okta, for that user, will be overwritten with their actual entitlements in the downstream system.
What happens to users if their Office 365 licenses are revoked in Azure AD?
If a user’s licenses are removed in Azure AD, and they no longer have any assigned licenses, the user will be unassigned from the Office 365 app in Okta upon import, and the user will lose access to the Office 365 application.
What happens to users if their entitlements are revoked in Salesforce, NetSuite, Google Workspace, or Box?
If a user’s entitlements are revoked in these apps, then the users will have blank entitlements upon the next import. The user will still be assigned to the app.
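Because the downstream system always wins on import, a grant made directly in the application is adopted into Okta without passing through Okta. The sketch below is an added example, not Okta code or an Okta API: it models the import rules from the three answers above so the effect of an import can be reviewed per user; the function name, finding labels and all sample users and entitlement values are constructed.

```python
# Model of the import behaviour described in this FAQ (not Okta code or an Okta API).
# All user names and entitlement values below are constructed sample data.

def reconcile_import(app, okta_state, downstream_state):
    """Apply the FAQ's import rules to users already assigned in Okta.

    okta_state / downstream_state: {user: set of entitlement values}
    Returns (new_okta_state, findings); findings are (user, kind, values).
    """
    new_state, findings = {}, []
    for user, okta_ents in okta_state.items():
        actual = set(downstream_state.get(user, set()))
        added = actual - okta_ents      # granted directly in the downstream system
        removed = okta_ents - actual    # revoked directly in the downstream system
        if app == "Office 365" and not actual:
            # No licenses left: the user is unassigned from the app on import.
            findings.append((user, "unassigned", sorted(removed)))
            continue
        new_state[user] = actual        # downstream overwrites what Okta held
        if added:
            findings.append((user, "out_of_band_grant", sorted(added)))
        if removed:
            # Other connectors: the user stays assigned, possibly with nothing left.
            kind = "blank_entitlements" if not actual else "out_of_band_revoke"
            findings.append((user, kind, sorted(removed)))
    return new_state, findings


# Constructed snapshot of what Okta holds before the import.
OKTA = {
    "alice": {"Profile: Standard User"},
    "bob": {"Profile: Standard User", "PermSet: Reports"},
    "carol": {"Profile: Read Only"},
}
# Constructed snapshot of what the downstream application reports.
DOWNSTREAM = {
    "alice": {"Profile: Standard User", "PermSet: Modify All Data"},
    "bob": {"Profile: Standard User"},
    "carol": set(),
}

if __name__ == "__main__":
    state, findings = reconcile_import("Salesforce", OKTA, DOWNSTREAM)
    for user, kind, values in findings:
        print(f"{user}: {kind} {values}")
```

An `out_of_band_grant` finding is the case to review first: the entitlement was never requested or approved in Okta, yet after the import Okta records it as the user's current access.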
Are there any additional known limitations with out-of-the-box connectors?
- Google Workspace
- Entitlement Management can only be enabled for new Google Workspace app instances.
- Existing app instances for Google will not support Entitlement Management regardless of the provisioning state.
- At this time, Google Workspace does not support standard roles. Standard roles are on the roadmap for CY24.
- Office 365 User and Universal Sync
- Entitlement Management cannot be used in conjunction with User or Universal Sync for Office 365.
- If Entitlement Management is enabled for an app instance, admins will not see the option to select User/Universal sync for provisioning. License Only and Profile Sync options will be available.
- Recommended Salesforce Entitlement Configurations
- A profile is a required Salesforce entitlement. Assigning users without a Profile will fail. Including Profile in commonly assigned bundles and policies will ensure provisioning to Salesforce is successful.
- Entitlement Description
- If entitlements are pulled into Okta via out-of-the-box connectors for any of the 5 app instances, admins will not be able to add/update the description for those individual entitlements.
- You can still add a description to entitlement bundles.
