This page shows how to configure User & Group Sync for Okta.





Quick-start guide


On Okta side:

  1. Log in to your Okta organization as a user with administrator privileges
    Any type of administrator role is fine. If you limit this administrator role to manage only specific groups, only users in those groups are synced. 
    API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions will also change.

  2. In normal mode, click on the API tab at the top and then on Tokens.
    1. In the Developer Console mode / Classic view, expand Security in the left menu bar, click on API, and then on the Tokens tab in the top middle.
  3. Click on Create Token.
  4. Name your token and click on Create token.
  5. Copy your Token Value; you will only see it once.

User & Group Sync Configuration (https://your-base-url/plugins/servlet/samlsso/usersync)

  1. Click on Create Connector and select Okta
  2. Enter Okta Domain and the token value.
  3. Click Save. You are now ready to sync.


User guide


Log in to your Okta organization as a user with administrator privileges
Any type of administrator role is fine. If you limit this administrator role to manage only specific groups, only users in those groups are synced. 
API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions will also change.


Depending on the mode, the configuration interface looks different in Okta:


Create Okta API Token

Regular UI

  • Click on API (2)
  • Click on Tokens (3)
  • Click on Create Token (4)


Developer Console / Classic UI

  • Expand the Security node (1)
  • Click on API (2)
  • Click on Tokens (3)
  • Click on Create Token (4)



Name and Create Token

Name the token and create it.




Copy its value (1); it is displayed only once. If you lose the token, you can create a new one.




Create User & Group Sync Connector For Okta


In your Atlassian application, go to User Sync, click Create Connector, and select Okta.




Enter the Okta Domain (without https://) and the API Token. Use the Save and Test Connection button to check whether Okta's API endpoints are reachable and API permissions are set correctly.
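
The same kind of reachability and permission check can be run outside the connector before you paste the token in. This is an added example, not code from the plugin or from Okta; it assumes the token is sent with Okta's SSWS authorization scheme to the /api/v1/users and /api/v1/groups endpoints, and the environment variable names OKTA_DOMAIN and OKTA_API_TOKEN are hypothetical.

```python
import os
import urllib.error
import urllib.request

# Read endpoints a user and group sync depends on; limit=1 keeps the probe small.
ENDPOINTS = ("/api/v1/users?limit=1", "/api/v1/groups?limit=1")
# What each HTTP status says about the token.
VERDICTS = {
    200: "ok",
    401: "token invalid, expired or revoked",
    403: "token valid, but its creator lacks permission for this endpoint",
}

def normalize_domain(value):
    """Return the bare host, as the connector expects (no scheme, no path)."""
    host = value.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    return host.split("/", 1)[0].lower()

def build_request(domain, token, path):
    """Build an HTTPS GET that authenticates with the SSWS token scheme."""
    req = urllib.request.Request("https://" + normalize_domain(domain) + path)
    req.add_header("Authorization", "SSWS " + token)
    req.add_header("Accept", "application/json")
    return req

def classify(status):
    """Map an HTTP status code to a verdict about the token."""
    return VERDICTS.get(status, "unexpected status %d" % status)

def check_token(domain, token):
    """Call each endpoint once and return {path: verdict}."""
    results = {}
    for path in ENDPOINTS:
        try:
            with urllib.request.urlopen(build_request(domain, token, path), timeout=10) as resp:
                results[path] = classify(resp.status)
        except urllib.error.HTTPError as err:   # 4xx/5xx answers from Okta
            results[path] = classify(err.code)
        except urllib.error.URLError as err:    # DNS, TLS or network failure
            results[path] = "unreachable: %s" % err.reason
    return results

if __name__ == "__main__":
    # Assumed variable names; read the token from the environment, never from source.
    for path, verdict in check_token(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"]).items():
        print(path, "->", verdict)
```

A verdict of "ok" only shows that the token can read the endpoint; because the token inherits its creator's permissions, an administrator limited to specific groups still sees only the users in those groups.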




If you want to limit the number of users you sync from Okta, you can set this up in the Required Groups tab. If you want to sync all users from Okta, you can skip this configuration step. 




In the User Provisioning and Group Provisioning tab, you can change the attribute mapping for the user and define what groups should be assigned to users in case you don't need all groups from Okta. If you leave the settings unchanged, the standard user attributes are synced together with all the groups that have been assigned to the user. 




In the Sync Settings section, you can configure the Cleanup Behavior and the Scheduled Synchronization. The cleanup defines what should happen to a user who is no longer returned by Okta. The default is deactivating the user. By configuring the Scheduled Synchronization, you can have the sync run periodically without manual interaction. When enabled, the sync runs daily at 2 am, but you can change this if you want.



Please ensure that you Save your configuration. 


You are now ready to start either a simulated or a full sync. By simulating the sync first, you can verify your configuration and see what changes User Sync would apply, such as which users would be added, modified, or not modified. With the full sync, User Sync applies those changes. Both sync actions run a full sync and have the same sync duration. For more information on the sync simulation, please refer to Using the Simulated Sync Feature.



