Set up and use provisioning for Okta

Learn how to set up and use provisioning to sync users and groups from Okta to TrackTik.

Overview

You can provision users and groups from Okta to TrackTik so that you don't have to add each employee or role to TrackTik Cloud manually. Provisioning reduces administrative errors and saves time and, ultimately, money.

With Okta to TrackTik provisioning features, you can make these tasks less manual:

  • Push new users
    Any users you create in Okta are created in TrackTik.
  • Push profile updates
    Profile updates done in Okta are pushed to TrackTik.
  • Push user deactivation
    Deactivating or removing a user in Okta terminates the user in TrackTik.
  • Push groups
    Any groups you create or update in Okta are created in TrackTik.



 

Before you start

Here are some things you must do before you start:

  • Get admin access to the Okta dashboard.
  • To activate the OAuth2/OIDC feature, let your Customer Success Representative know the domain where you want the provisioning enabled.
  • Contact our Support team for a Client ID and Client Secret, which are used later in the setup.

 

Set up and use provisioning for Okta

Setting up and using provisioning for Okta is a five-part process. We broke it down into digestible steps to make your provisioning process a good one.

 

Step 1: Make sure to set up Okta SSO for TrackTik

To set up provisioning, complete the steps in the article Set up Okta single sign-on (SSO) for TrackTik.

 

Step 2: Set up the TrackTik app in Okta

When you finish Step 1, you can set up the TrackTik app.

To set up your TrackTik app:

  1. If you haven't already, log into Okta as an admin, go to Applications > Applications, and select the TrackTik integration.
  2. Choose the Provisioning tab and select Configure API Integration.
  3. Select Enable API Integration, then Save.
  4. When it appears, select Authenticate with TrackTik.
    After the first successful authentication, this changes to Re-authenticate with TrackTik.
  5. Log into your TrackTik Portal and approve the authorization.
  6. Go back to Okta and select Save.

You set up the TrackTik app, and now it's authorized. 

 

Step 3: Check out and set up your provisioning settings from Okta to TrackTik

To start provisioning from Okta to TrackTik, you must make sure some settings are turned on.

To check your provisioning settings for Okta:

  1. Go to Applications > Applications.
  2. Select the TrackTik app.
  3. Choose the Provisioning tab.
  4. Select To App.

By default, Create Users, Update User Attributes, and Deactivate Users are selected. If these checkboxes aren't selected, select Edit and enable them. Remember to save your changes.


Your connection is now ready to send data to TrackTik.

 

Step 4a: Provisioning users to TrackTik from Okta

Once you check out and set up your provisioning settings, you can now provision users to TrackTik from Okta.

To provision users to TrackTik:

  1. Follow steps 1 to 2 in Step 2: Set up the TrackTik app in Okta.
  2. Select the Assignments tab.
  3. Choose the Assign drop-down menu and select Assign to People.
  4. In the Search… box, enter the name of the user you want to send to TrackTik.
  5. Select Assign.
  6. You can enter more details about the user. When you're done, select Save and Go Back.

The user is now provisioning to TrackTik.

 

Finding a provisioned user in TrackTik

Users in Okta are converted to employees in TrackTik.

To see a provisioned user in TrackTik:

  1. Log into your TrackTik Portal.
  2. Select Employees.
    Users are assigned to the HQ region in TrackTik.
  3. In the Type to filter box, enter the employee's name; the employee shows in your search.

You can also select View for the employee and choose the History tab to see the provisioning details.

 

Step 4b: Provisioning groups to TrackTik from Okta

Once you set up provisioning, you can provision groups to TrackTik from Okta.

To provision groups to TrackTik:

  1. Follow steps 1 to 2 in Step 2: Set up the TrackTik app in Okta.
  2. Select the Assignments tab.
  3. Choose the Assign drop-down menu and select Assign to Groups.
  4. In the Search… box, enter the name of the group you want to send to TrackTik.
  5. Select Assign.
  6. Enter more details about the group if you want. When you're done, select Save and Go Back.
    If the group has users, those users are also provisioned, with a type of group, if they were not individually added to Assignments.
  7. Choose the Push Groups tab.
  8. Select the + Push Groups drop-down menu, and choose Find groups by name.
  9. In the Enter a group to push… box, enter the group name and select it.
  10. Select Save.

The group is now provisioning to TrackTik.

 

Finding a provisioned group in TrackTik

Groups in Okta are converted to roles in TrackTik.

To find a provisioned group in TrackTik:

  1. Log into your TrackTik Portal.
  2. Select Settings.
  3. In General Configurations, select Roles & Security.

The group is provisioned to your Staff Portal Roles.


 

Get troubleshooting and tips for your provisioning

Here are some things to keep in mind while you are provisioning from Okta to TrackTik:

  • When you delete or terminate a user, their status is changed from Active to Terminated, and their username is removed from TrackTik.
  • If you reactivate the user in Okta and provision them again, TrackTik creates a new entity for the user because there isn't a match to their username.
  • If you are still facing challenges, reach out to our Support team.

 

Attributes table

These are the current mapped attribute details:

| Attribute | Required | Validation | Notes |
|---|---|---|---|
| Email | Yes | string <email>, unique | Is mapped to the employee email attribute and must be unique. |
| Title | No | [0 .. 255] characters | Is mapped to the employee jobTitle attribute. |
| Primary phone | No | [0 .. 20] characters | Is mapped to the employee primaryPhone attribute. |
| Street address | No* | [1 .. 255] characters | |
| Locality | No* | [1 .. 255] characters | |
| Region | No* | [1 .. 2] characters | Should be the Country ISO code. |
| Postal code | No* | [1 .. 255] characters | |
| Country | No* | [1 .. 2] characters | Should be the Country ISO code. |
| Preferred language | No | Enum (possible values are listed below the table) | Mapped to the employee language attribute. Only used when sending communications to the user. |
| User type | No | Expected to be constant with the value of User. | |
| Division | Yes* | [1 .. 255] characters if sending the TracktikCloud Region Name. Integer value if sending the TrackTik Cloud Region ID. | See the Division notes below the table. |

No*: If present, then all other attributes with No* are required. We don't support saving partial addresses.

Preferred language possible values: "EN_US" "FR" "FR-BE" "FR-FR" "RO" "ES" "ES-ES" "ES-UY" "DE" "DE-AT" "NL" "NL-BE" "PT" "SV" "ZH-CN" "ZH-HK" "TH-TH" "SR-RS" "IT-IT" "TR-TR" "CS-CZ" "HU-HU" "AR-SA" "ID-ID" "VI-VN" "KO-KR" "DA-DK" "FI-FI" "PL-PL" "NO-NO" "JA-JP"

Division notes:

When creating an Employee in TracktikCloud, specifying the Region in which the employee will be created is a required field. By default, this field is mapped to the SCIM attribute urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division, but it can be changed if needed.

When mapped to the default division attribute, we accept two types of values to identify the Region where the user should be created. If the value is a string and the transformation for the region is enabled, we will find the Region Name that matches the string submitted. If the value is an integer, we will try to find the Region with the ID that matches the value.

If a region is found, that region is used to create the user. If no region is found, the user is created in the default region configured on the TracktikCloud mapping.
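
As an added example (not TrackTik's or Okta's own code), the following Python pre-flight check applies the validation rules from the attributes table to a user profile before it is assigned, so that records with partial addresses, unsupported languages, or a missing Division are caught before they are pushed. The dictionary key names and the simplified email pattern are assumptions made for this example.

```python
import re

# Rules transcribed from the attributes table above. The dict keys are
# hypothetical names for this example, not Okta or TrackTik field names.
ADDRESS = {"street_address": 255, "locality": 255, "region": 2,
           "postal_code": 255, "country": 2}
LANGUAGES = set("""EN_US FR FR-BE FR-FR RO ES ES-ES ES-UY DE DE-AT NL NL-BE PT SV
ZH-CN ZH-HK TH-TH SR-RS IT-IT TR-TR CS-CZ HU-HU AR-SA ID-ID VI-VN KO-KR
DA-DK FI-FI PL-PL NO-NO JA-JP""".split())
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # simplified shape check

def validate_profile(profile, seen_emails=()):
    """Return a list of rule violations for one profile (empty means OK)."""
    errors = []
    email = profile.get("email")
    if not email or not EMAIL_RE.match(email):
        errors.append("email: required, must be an email string")
    elif email in seen_emails:
        errors.append("email: must be unique")
    for key, limit in (("title", 255), ("primary_phone", 20)):
        if len(profile.get(key) or "") > limit:
            errors.append(f"{key}: at most {limit} characters")
    # Address fields are all-or-nothing: partial addresses are not saved.
    if any(profile.get(k) for k in ADDRESS):
        for key, limit in ADDRESS.items():
            if not 1 <= len(profile.get(key) or "") <= limit:
                errors.append(f"{key}: required with address, 1..{limit} chars")
    lang = profile.get("preferred_language")
    if lang is not None and lang not in LANGUAGES:
        errors.append("preferred_language: not in the supported enum")
    if profile.get("user_type") not in (None, "User"):
        errors.append("user_type: expected the constant 'User'")
    division = profile.get("division")
    if isinstance(division, bool) or not isinstance(division, (int, str)):
        errors.append("division: required, Region Name or Region ID")
    elif isinstance(division, str) and not 1 <= len(division) <= 255:
        errors.append("division: Region Name must be 1..255 characters")
    return errors

# Constructed sample profiles (not real users).
GOOD = {"email": "a.guard@example.com", "title": "Site Supervisor",
        "division": 12, "preferred_language": "FR", "country": "CA",
        "street_address": "1 Main St", "locality": "Montreal",
        "region": "CA", "postal_code": "H2X 1Y4"}
PARTIAL = {"email": "b.guard@example.com", "division": "HQ", "country": "CA",
           "street_address": "1 Main St", "preferred_language": "fr-ca"}

if __name__ == "__main__":
    print(validate_profile(GOOD), validate_profile(PARTIAL))
```

A profile that passes these checks can still be created in the default region if its Division value matches no Region Name or Region ID, so confirm the resulting region in the employee's History tab after the first push.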


 
