Okta Classic Engine | Lifecycle Management | Answered | 2024-04-17T11:00:46.000Z | 2023-06-22T17:17:35.000Z | 2023-06-30T23:37:30.000Z

a4bff (a4bff) asked a question.

Automatic Unsuspend by Okta System RealTimeSync (RealTimeSync unsuspended an existing user)

Hi everyone, I'm experiencing an interesting behavior when I try to Suspend an AD or Workday sourced account. Based on the logs, the account state keeps going right back to Active due to a RealTimeSync unsuspend action. Is this because of AD RealTimeSync (JIT provisioning)? I'm not finding much information on why this is occurring, but that is my suspicion. I see when Workday sourced accounts are acted on by the Workday service account, so that makes sense and is traceable, but Okta System (SystemPrincipal) isn't very descriptive.


  • DonF.81354 (Customer)

    Hi! A couple of questions: is Workday your profile source (or at least the primary)? And if so, what is selected in Workday for "When a user is deactivated in the app:"? When I see RealTimeSync I am thinking Workday is the cause here, but a few of the answers above may help me understand a bit better what is happening. Thanks!

    Selected as Best
  • a4bff (a4bff)

    Hi Don, I ended up submitting a Support Case and I received a confirmation that my suspicion is correct.

     

    When choosing Suspend from the web admin console, the suspension was triggered, but then the page refreshes which causes a RealTimeSync from AD to Okta (specifically /admin/user/profile/view/{userId}) and that in turn refreshes the account state back to whatever AD has, aka Active. A rather interesting behavior as it defeats the purpose of suspending the account via the web admin.

     

    I'm looking at automating account suspension which will utilize the Okta API, so I don't think I'll have to worry about a "View Profile" event via that method. I don't intend to disable JIT simply because the profile refresh provided by RealTimeSync is useful. At least there's a clear reason why this happens, though I wouldn't call it ideal for anyone using AD JIT who wants to manually Suspend accounts in Okta.

This question is closed.
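
Added example, not part of the original thread and not Okta's code: one way to check System Log exports for the pattern described above, where a suspend is followed shortly by an unsuspend whose actor is Okta System (SystemPrincipal). The sample events are constructed, and the function name and the 5-minute window are assumptions to adjust for your tenant.

```python
import json
from datetime import datetime, timedelta

SUSPEND, UNSUSPEND = "user.lifecycle.suspend", "user.lifecycle.unsuspend"

# Constructed sample shaped like Okta System Log events (fields trimmed, IDs made up).
SAMPLE_EVENTS = json.loads("""[
 {"published": "2023-06-22T17:00:01.000Z", "eventType": "user.lifecycle.suspend",
  "actor": {"type": "User", "displayName": "Example Admin"},
  "target": [{"type": "User", "id": "00uEXAMPLE0001"}]},
 {"published": "2023-06-22T17:00:04.000Z", "eventType": "user.lifecycle.unsuspend",
  "displayMessage": "RealTimeSync unsuspended an existing user",
  "actor": {"type": "SystemPrincipal", "displayName": "Okta System"},
  "target": [{"type": "User", "id": "00uEXAMPLE0001"}]},
 {"published": "2023-06-22T17:10:00.000Z", "eventType": "user.lifecycle.suspend",
  "actor": {"type": "User", "displayName": "Example Admin"},
  "target": [{"type": "User", "id": "00uEXAMPLE0002"}]},
 {"published": "2023-06-22T17:11:00.000Z", "eventType": "user.lifecycle.unsuspend",
  "actor": {"type": "User", "displayName": "Example Admin"},
  "target": [{"type": "User", "id": "00uEXAMPLE0002"}]},
 {"published": "2023-06-22T17:20:00.000Z", "eventType": "user.lifecycle.suspend",
  "actor": {"type": "User", "displayName": "Example Admin"},
  "target": [{"type": "User", "id": "00uEXAMPLE0003"}]}
]""")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_reverted_suspensions(events, window=timedelta(minutes=5)):
    """Return (user_id, suspended_at, unsuspended_at) for every suspend that
    a SystemPrincipal actor undid within `window` (window is an assumption)."""
    last_suspend, hits = {}, []
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        ts = parse_ts(ev["published"])
        by_system = ev.get("actor", {}).get("type") == "SystemPrincipal"
        for tgt in ev.get("target", []):
            if tgt.get("type") != "User":
                continue
            uid = tgt["id"]
            if ev["eventType"] == SUSPEND:
                last_suspend[uid] = ts
            elif ev["eventType"] == UNSUSPEND:
                start = last_suspend.pop(uid, None)
                if start is not None and by_system and ts - start <= window:
                    hits.append((uid, start, ts))
    return hits

if __name__ == "__main__":
    for uid, start, end in find_reverted_suspensions(SAMPLE_EVENTS):
        print(f"{uid}: suspended {start}, unsuspended by Okta System {end}")
```

A hit means the account is Active again even though an admin suspended it, so the suspension should be re-applied and verified.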