Okta Classic Engine | Lifecycle Management | Answered | 2025-11-06T09:00:21.000Z | 2017-12-11T20:15:47.000Z | 2019-11-06T22:18:08.000Z
How to populate the Okta "manager" attribute from Active Directory
Hello,

 

We currently have AD integrated into Okta and set as the Profile Master. In the process of setting up various other application integrations with Okta, we have run across a need to populate "manager" information to another application. I noticed that this field is not being automatically mapped from AD to Okta.

 

The "managerDn" attribute from AD shows on a user's Profile page in Okta, but there's no mapping to populate that information into the user's "manager" attribute in Okta. I tried mapping the "manager" to "managerDn" hoping it was somehow pre-defined to only pull the manager's name; unfortunately, it populated the entire distinguished name.

 

How can I get Okta to populate the "manager" attribute from the appropriate information that's already defined in Active Directory?

  • I understand from your description that when you try to map the Manager attribute for users using "managerDn", it populates the entire distinguished name, not the appropriate information that's already defined in Active Directory.

    You can try to use a different Okta Expression Language expression than "managerDn".

    The following Okta developer page can help you find an appropriate Okta Expression Language expression that may respond to your needs:

    https://developer.okta.com/reference/okta_expression_language/

    You can find several useful expressions under the "Manager/Assistant Functions" topic.

    For example, I try to use: "getManagerUser("active_directory").firstName" instead of the predefined "managerDn".

    Selected as Best
  • lnu71 (lnu71)

    Thanks Vasile for the info, that's exactly what I was looking for.

     

    To expand upon your response just a little bit for anyone else who may see this (as the developer link provided doesn't really go into much detail on this particular section):

     

    The ".firstName" portion of the "getManagerUser("active_directory").firstName" expression mentioned above, is referring to one of the attributes that is being imported from Active Directory (you can see the full list of available attributes by looking at the active_directory profile in the Profile Editor section of Okta). This means that you can select virtually any attribute that is being imported from AD.

     

    In my case I was wanting the full name for the manager, which is imported via the "displayName" attribute. So, the expression ended up being "getManagerUser("active_directory").displayName"
  • 67cry (67cry)

    The below is working for us, give it a try.

     

    getManagerAppUser("active_directory", "active_directory").firstName + " " + getManagerAppUser("active_directory", "active_directory").lastName
  • 8q3vh (8q3vh)

    Hi,

     

    We have an issue with this solution, as when the user's manager is updated, it does not get refreshed in the user's profile, which is working as designed according to the documentation.

     

    Any other way to do this, as this is not suitable if the information does not get updated...

     

    Thanks

     

    Aurelien Thouard

  • 67cry (67cry)

    The above has been working for us since July, no issues reported. Are you running Constant AD Syncs? We run them every hour, which is the lowest we can set it to.

  • 8q3vh (8q3vh)

    Hi Pedro,

    Yes, tried JIT and AD import and this was not refreshing the entries in the user's profile.

    We finally resolved our issue by mapping the user's managerDN from AD to Okta's user profile.

    This guarantees that the user's profile gets refreshed and updated every time the manager is updated, ensuring that the result of the getManagerAppUser function gets stored as required.

  • OktaQ.11030 (Customer)

    This should work in most environments, (substringBefore( substringAfter(appuser.managerDn, "="), ",")) 

    This will start the output after the first "=" in "CN=" and end the output before the first "," before ",OU=".

    An example would be: CN=Manager Name,OU=Users,OU=Sub Department,OU=Department,OU=Location,OU=domain,DC=int,DC=contoso,DC=com

    The output would be "Manager Name".
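Added example (not part of the thread and not Okta code): Active Directory escapes a comma inside a CN as `\,` (for instance with "Last, First" naming), so the substringBefore/substringAfter expression above would cut such a name at the backslash. The Python sketch below mirrors that expression as `naive_cn`, parses the first RDN with RFC 4514 escapes as `first_rdn_value`, and lists the DNs where the two disagree; the function names and every sample DN except the one quoted in the post are constructed for illustration.

```python
# Added example: naive substringBefore/substringAfter vs. an RFC 4514-aware parse.
HEX = set("0123456789abcdefABCDEF")

def naive_cn(dn: str) -> str:
    """Python equivalent of substringBefore(substringAfter(dn, "="), ",")."""
    return dn.partition("=")[2].partition(",")[0]

def first_rdn_value(dn: str) -> str:
    """Return the unescaped value of the first RDN (the manager's CN)."""
    _attr, sep, rest = dn.partition("=")
    if not sep:
        raise ValueError(f"not a distinguished name: {dn!r}")
    out = bytearray()
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\":
            if i + 1 >= len(rest):
                raise ValueError("dangling backslash in DN")
            pair = rest[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:  # hex escape such as \C3
                out.append(int(pair, 16))
                i += 3
            else:                                    # escaped special: \, \+ \\
                out += rest[i + 1].encode("utf-8")
                i += 2
        elif ch in ",+":  # unescaped separator ends the first attribute value
            break
        else:
            out += ch.encode("utf-8")
            i += 1
    return out.decode("utf-8")

def mismatches(dns):
    """DNs for which the naive expression would store a wrong manager name."""
    return [dn for dn in dns if naive_cn(dn) != first_rdn_value(dn)]

# The first DN is the one quoted in the post; the other two are constructed.
SAMPLE_DNS = [
    "CN=Manager Name,OU=Users,OU=Sub Department,OU=Department,"
    "OU=Location,OU=domain,DC=int,DC=contoso,DC=com",
    r"CN=Smith\, Jane,OU=Users,DC=int,DC=contoso,DC=com",
    r"CN=Jos\C3\A9 Ruiz,OU=Users,DC=int,DC=contoso,DC=com",
]

if __name__ == "__main__":
    for dn in mismatches(SAMPLE_DNS):
        print(f"{naive_cn(dn)!r} != {first_rdn_value(dn)!r}")
```

Running `mismatches` over an export of real managerDn values before enabling the mapping shows which users would get a truncated manager name.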
  • 65v2c (65v2c)

    I am experiencing something similar. I can get the values updated in the user's Okta profile but when attempting to send to O365, the manager field just shows blank. I am using Universal Sync if that helps anything. I cannot find anything that tells me what format that field is expecting to receive. I've tried to send display name, first name, last name, email address and object ID of the manager but none of them show up. Thoughts?
  • ituik (ituik)

    This is how I get the manager email from Active Directory:

    getManagerUser("active_directory").email 

     

    First+Lastname : getManagerUser("active_directory").firstName + " " + getManagerUser("active_directory").lastName

This question is closed.