Learn how OKTA manages user directories and profiles. This guide covers Universal Directory, directory integrations, user profile attributes, and how to synchronize users from external systems.
1. Universal Directory
Universal Directory is OKTA's centralized user directory that serves as the single source of truth for user identities. It provides a unified view of all users regardless of where they originate—whether created directly in OKTA, synced from Active Directory, imported from HR systems, or provisioned from other sources.
Universal Directory enables you to:
- Store and manage user profile data in one place
- Map attributes from multiple sources into a unified profile
- Define custom attributes for your organization
- Use profile attributes for dynamic groups and policies
- Provision user data to applications
1.1 Directory Structure
Universal Directory organizes users through:
- Users: Individual user accounts with profiles
- Groups: Collections of users for access control
- Attributes: Data fields stored in user profiles
- Mappings: Connections between directory sources and Universal Directory
2. Directory Types
OKTA supports integration with various directory types to synchronize users and groups:
2.1 OKTA Directory
The OKTA Directory is the default directory where users are created and managed directly in OKTA. This is suitable for:
- Small organizations without existing directories
- Cloud-first organizations
- Organizations using OKTA as the primary identity source
2.2 Active Directory (AD)
Active Directory Integration allows OKTA to sync users and groups from Microsoft Active Directory. This integration:
- Requires OKTA AD Agent installation on domain-joined servers
- Supports one-way or two-way synchronization
- Syncs user attributes, groups, and group memberships
- Supports password synchronization (optional)
- Enables AD authentication for OKTA users
2.3 LDAP
LDAP Integration connects OKTA to LDAP-compliant directories such as OpenLDAP, Oracle Directory, or IBM Directory. Features include:
- User and group synchronization
- Attribute mapping
- LDAP authentication support
- Support for multiple LDAP servers
2.4 HR Systems
OKTA can integrate with HR systems for user provisioning:
- Workday: Employee lifecycle management
- SuccessFactors: SAP SuccessFactors integration
- BambooHR: HR management system
- ADP: Payroll and HR services
- Custom SCIM: Any SCIM-compliant HR system
2.5 Google Workspace / Microsoft 365
Integration with cloud productivity suites:
- User and group synchronization
- Automatic provisioning and deprovisioning
- Attribute mapping
- Password synchronization (optional)
3. User Profiles
A User Profile is a collection of attributes that describe a user in OKTA. Each user has a profile that contains standard attributes (like name and email) and can include custom attributes specific to your organization.
3.1 Profile Structure
User profiles consist of:
- Core attributes: Essential user information (name, email, login)
- Standard attributes: Common fields (phone, title, department)
- Custom attributes: Organization-specific fields
- Directory attributes: Attributes synced from external directories
- Application attributes: Attributes used for application provisioning
3.2 Profile Sources
Profile data can come from:
- Manual entry in OKTA admin console
- CSV import
- Directory synchronization (AD, LDAP)
- HR system integration
- API updates
- Self-service profile updates (if enabled)
4. Profile Attributes
Profile Attributes are the individual data fields stored in user profiles. OKTA provides standard attributes and allows you to create custom attributes.
4.1 Standard Attributes
Common standard attributes include:
- login: User's primary login identifier
- email: Primary email address
- firstName: User's first name
- lastName: User's last name
- middleName: Middle name
- title: Job title
- department: Department name
- costCenter: Cost center code
- organization: Organization name
- division: Division name
- mobilePhone: Mobile phone number
- streetAddress: Street address
- city: City
- state: State or province
- zipCode: ZIP or postal code
- countryCode: Country code
4.2 Custom Attributes
You can create custom attributes to store organization-specific data:
- String: Text values
- Number: Numeric values
- Boolean: True/false values
- Integer: Whole numbers
- Array of strings: Multiple string values
Custom attributes can be used for:
- Dynamic group membership rules
- Application provisioning mappings
- Policy conditions
- Reporting and analytics
4.3 Attribute Mapping
Attribute Mapping connects attributes from external directories to Universal Directory attributes. When configuring directory integration:
- Map source directory attributes to OKTA attributes
- Handle attribute conflicts (which source takes precedence)
- Transform attribute values if needed
- Set default values for missing attributes
5. Directory Integration
Directory Integration connects external directories to OKTA's Universal Directory, enabling user and group synchronization.
5.1 Integration Setup
To set up directory integration:
- Navigate to Directory → Directory Integrations
- Click Add Directory and select directory type
- Configure connection settings (server, credentials, ports)
- Test the connection
- Configure attribute mappings
- Set synchronization schedule
- Enable synchronization
5.2 Active Directory Agent
For Active Directory integration, you need to install the OKTA AD Agent:
- Download agent from OKTA admin console
- Install on domain-joined Windows server
- Configure agent with OKTA organization credentials
- Agent communicates securely with OKTA cloud
- Supports multiple agents for high availability
5.3 Integration Modes
Directory integrations can operate in different modes:
- Import: One-time import of users and groups
- Sync: Continuous synchronization of changes
- Import + Sync: Initial import followed by ongoing sync
- Authentication only: Use directory for authentication without syncing users
6. User Synchronization
User Synchronization keeps user data consistent between OKTA and external directories. OKTA supports various synchronization scenarios.
6.1 Synchronization Direction
Synchronization can be:
- One-way (Inbound): External directory → OKTA
- One-way (Outbound): OKTA → External directory
- Two-way: Bidirectional synchronization (limited support)
6.2 Synchronization Schedule
Synchronization can occur:
- Real-time: Changes synced immediately (for supported directories)
- Scheduled: Periodic sync (e.g., every 15 minutes, hourly, daily)
- Manual: On-demand synchronization triggered by admin
6.3 Synchronized Data
During synchronization, OKTA can sync:
- User accounts (create, update, deactivate)
- User profile attributes
- Groups
- Group memberships
- Passwords (if password sync is enabled)
6.4 Conflict Resolution
When the same user exists in multiple sources, OKTA uses conflict resolution:
- Source priority: Define which directory takes precedence
- Attribute-level priority: Different sources for different attributes
- Manual resolution: Admin resolves conflicts manually
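The mapping rules of section 4.3 and the source-priority conflict resolution of section 6.4, worked through as an added example (not Okta's own code). The inbound records, the source names "ad" and "hr", and the mapping table are constructed for illustration; the merge reports which source won each attribute and where the sources disagreed, so an admin can review the result before it is applied.

```python
"""Attribute mapping with per-attribute source priority.

Constructed example: two inbound records for one person, a mapping table
with transforms and defaults, and a merge that records which source won
each Okta attribute and where a lower-priority source disagreed.
"""

# Constructed inbound records, keyed by source, using each directory's own
# attribute names (AD's sAMAccountName/mail, an HR feed's snake_case fields).
SOURCES = {
    "ad": {"sAMAccountName": "jdoe", "mail": "JDoe@Example.com",
           "givenName": "Jane", "sn": "Doe", "department": "Eng"},
    "hr": {"employee_email": "jane.doe@example.com", "first": "Jane",
           "last": "Doe", "dept": "Engineering", "cost_center": "CC-42"},
}

# One rule per Okta attribute: candidate (source, attribute) pairs in
# priority order, an optional transform, and a default for missing values.
MAPPINGS = {
    "login":      {"from": [("ad", "sAMAccountName")], "transform": str.lower},
    "email":      {"from": [("hr", "employee_email"), ("ad", "mail")],
                   "transform": str.lower},
    "firstName":  {"from": [("hr", "first"), ("ad", "givenName")]},
    "lastName":   {"from": [("hr", "last"), ("ad", "sn")]},
    "department": {"from": [("hr", "dept"), ("ad", "department")]},
    "costCenter": {"from": [("hr", "cost_center")], "default": "UNASSIGNED"},
    "title":      {"from": [("hr", "job_title")], "default": "Unknown"},
}


def build_profile(sources, mappings):
    """Return (profile, report). report["conflicts"] lists attributes where a
    lower-priority source held a different value; report["defaulted"] lists
    attributes no source supplied. Both are what an admin reviews manually."""
    profile, conflicts, defaulted = {}, {}, []
    for okta_attr, rule in mappings.items():
        transform = rule.get("transform", lambda v: v)
        # Keep only sources that actually supplied a value, in priority order.
        candidates = [(src, transform(sources[src][attr]))
                      for src, attr in rule["from"]
                      if sources.get(src, {}).get(attr) not in (None, "")]
        if not candidates:
            profile[okta_attr] = rule.get("default")
            defaulted.append(okta_attr)
            continue
        winner_src, winner = candidates[0]  # highest-priority source wins
        profile[okta_attr] = winner
        overridden = {src: v for src, v in candidates[1:] if v != winner}
        if overridden:
            conflicts[okta_attr] = {"kept": winner_src, "overridden": overridden}
    return profile, {"conflicts": conflicts, "defaulted": defaulted}
```

Values that agree after the transform (both sources give "Jane") are not reported as conflicts; only genuine disagreements and applied defaults are.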
6.5 Best Practices
Best practices for directory integration:
- Use a dedicated service account for directory access
- Test synchronization in a non-production environment first
- Configure appropriate sync schedules based on your needs
- Monitor sync logs for errors
- Set up attribute mappings carefully
- Use filters to sync only necessary users
- Enable password sync only if required
- Document your directory architecture
Summary
OKTA's Universal Directory provides a centralized user directory that can integrate with various external directories including Active Directory, LDAP, HR systems, and cloud productivity suites. User profiles contain standard and custom attributes that can be mapped from multiple sources. Directory integration enables automated user synchronization, ensuring user data remains consistent across systems. Understanding directory types, profile attributes, and synchronization mechanisms is essential for effective user lifecycle management.