Okta Classic Engine · Lifecycle Management · Answered · 2021-11-08T22:41:55Z · 2021-11-12T19:58:09Z · 2023-11-23T21:12:08Z

LuisC.55687 (Customer) asked a question.

Migrating to Okta-Mastered users

Hello,


We recently created the provisioning integration between our HRIS system and Okta, we have been AD-mastered until now, but want to now take advantage of this new integration and become Okta mastered. We have a few questions that we have posted over to support but haven't gotten any luck yet on a response.


Hoping the community can help us out and guide us in the right direction, here are our questions:


  • Can we keep delegated authentication for users that were created in Okta from our HRIS system integration? These are Okta-mastered users with their profile sourced by our HRIS system. The next step will be for the users to be created in AD, but we wouldn't like to cut over and force all our users to set up passwords in Okta at once. So we are hoping we can keep delegated authentication on; is this doable?
  • ObjectGUID and DN are required attributes so that Okta can create the users in AD. How can we map this information, and how do we determine the correct user OU where the user should land? The mapping doesn't have any of this information.
  • We have the manager's employee number from our HRIS system; can we do some kind of lookup of the manager's UPN using the employee ID? Couldn't find any lookup functions within the expression language dictionary.


Any assistance with the above will be greatly appreciated; we've gone over tons of documentation while waiting to hear from support but still no success.


Regards,

Luis Chavez Saenz

Sr. Infrastructure Engineer


  • LuisC.55687 (Customer)

    Hi @User16254393570754125507 (Okta),


    Unfortunately, I'm still waiting for a response; that's why I posted the question in the community, to see if anyone can guide us in the right direction.


    Regards,

    Luis

  • valentinn.74840 (Customer)

    Went through something similar recently. In short, here is what you should do for each point:

    1. Password capture in another org/system, kill del auth, have users log in to your main org through the other org via inbound SAML while at the same time syncing the passwords back in your main. Kill the setup once all/most main org users have their passwords set back.
    2. The Okta to AD provisioning allows you to select the dn the users should be created in based on Okta group assignments, GUID is not mappable.
    3. You have these mapping available: https://developer.okta.com/docs/reference/okta-expression-language/#manager-assistant-functions

    The first step is based on what I have seen work for us; you should collaborate with Okta support if they offer a better alternative.

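The lookup in point 3 (manager employee number from the HRIS export to the manager's UPN) is the kind of thing the asker later solved with a workflow. As an added illustration, not code from this thread or from Okta, here is a small Python resolver over a constructed HRIS export. The attribute names (employeeNumber, managerEmployeeNumber, userPrincipalName) and the sample records are assumptions; the point is the edge cases a real feed contains: a manager number that is not in the export, a record whose manager is itself, and duplicate employee numbers.

```python
"""Added example (not Okta's or the poster's code): resolve a manager's UPN
from the manager employee number in an HRIS export before pushing the
'manager' attribute into a profile. Attribute names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrisRecord:
    employee_number: str                     # HRIS employeeNumber
    upn: str                                 # userPrincipalName to provision
    manager_employee_number: Optional[str]   # HRIS managerEmployeeNumber, None for top of org


# Constructed sample export, not real data.
SAMPLE_EXPORT: List[HrisRecord] = [
    HrisRecord("1001", "ceo@example.com", None),
    HrisRecord("1002", "vp@example.com", "1001"),
    HrisRecord("1003", "eng@example.com", "1002"),
    HrisRecord("1004", "orphan@example.com", "9999"),  # manager missing from export
    HrisRecord("1005", "loop@example.com", "1005"),    # record lists itself as manager
]


def build_index(records: List[HrisRecord]) -> Dict[str, HrisRecord]:
    """Index records by employee number. A duplicate number is a data-quality
    fault in the feed, so fail loudly instead of silently overwriting."""
    index: Dict[str, HrisRecord] = {}
    for rec in records:
        if rec.employee_number in index:
            raise ValueError(f"duplicate employeeNumber {rec.employee_number}")
        index[rec.employee_number] = rec
    return index


def resolve_manager_upn(index: Dict[str, HrisRecord], employee_number: str) -> Optional[str]:
    """Return the manager's UPN, or None when the user has no manager, the
    manager number is unknown, or the record points at itself."""
    rec = index.get(employee_number)
    if rec is None or rec.manager_employee_number is None:
        return None
    if rec.manager_employee_number == rec.employee_number:
        return None
    manager = index.get(rec.manager_employee_number)
    return manager.upn if manager else None


def build_profile_updates(records: List[HrisRecord]) -> Tuple[Dict[str, Dict[str, Optional[str]]], List[str]]:
    """Produce {upn: {"manager": managerUpn}} for every record, plus the list
    of employee numbers whose manager reference could not be resolved and
    should be reviewed in the HRIS rather than provisioned as-is."""
    index = build_index(records)
    updates: Dict[str, Dict[str, Optional[str]]] = {}
    needs_review: List[str] = []
    for rec in records:
        manager_upn = resolve_manager_upn(index, rec.employee_number)
        if manager_upn is None and rec.manager_employee_number is not None:
            needs_review.append(rec.employee_number)
        updates[rec.upn] = {"manager": manager_upn}
    return updates, needs_review


if __name__ == "__main__":
    updates, review = build_profile_updates(SAMPLE_EXPORT)
    for upn, attrs in updates.items():
        print(f"{upn}: manager={attrs['manager']}")
    print("needs review:", review)
```

Records that land in the review list should be held back rather than pushed with an empty manager, since a provisioning run that blanks an attribute is hard to distinguish from a legitimate org change afterwards.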
  • LuisC.55687 (Customer)

    Hi @valentinn.74840 (Customer),


    Thanks for the response. For #2, we were able to get it to work as you suggested. As for #3, we created a workflow to map this information.


    Can you please expand on your answer to #1? What exactly do you mean by capturing the password in another org? Do you mean a different Okta tenant? We were hoping to keep delegated auth on, but are not sure how we can accomplish this.


    Regards,

    Luis Chavez

This question is closed.