Learn how to set up and use provisioning to sync users and groups from Okta to TrackTik.
Overview
You can provision users and groups from Okta to TrackTik to reduce the number of manual additions of each employee or role to TrackTik Cloud. The provisioning process reduces administrative errors and is a great way to save time, ultimately saving money.
With Okta to TrackTik provisioning features, you can make these tasks less manual:
-
Push new users
Any users you create in Okta are created in TrackTik. -
Push profile updates
Profile updates done in Okta are pushed to TrackTik. -
Push user deactivation
Deactivating or removing a user in Okta terminates the user in TrackTik. -
Push groups
Any groups you create or update in Okta are created in TrackTik.
Before you start
Here are some things you must do before you start:
- Get admin access to the Okta dashboard.
- To activate the OAuth2/OIDC feature, let your Customer Success Representative know the domain where you want the provisioning enabled.
- Contact our Support team for a Client ID and Client Secret, which is used later in the setup.
Set up and use provisioning for Okta
Setting up and using provisioning for Okta is a five-part process. We broke it down into digestible steps to make your provisioning process a good one.
Step 1: Make sure to set up Okta SSO for TrackTik
To set up provisioning, complete the steps in the article Set up Okta single sign-on (SSO) for TrackTik.
Step 2: Set up the TrackTik app in Okta
When you finish Step 1, you can set up the TrackTik app.
To set up your TrackTik app:
- If you haven't already, log into Okta as an admin, go to Applications > Applications, and select the TrackTik integration.
- Choose the Provisioning tab and select Configure API Integration.
- Select Enable API Integration, then Save.
- When it appears, select Authenticate with TrackTik.
After the first successful authentication, this changes to Re-authenticate with TrackTik.
- Log into your TrackTik Portal and approve the authorization.
- Go back to Okta and select Save.
You set up the TrackTik app, and now it's authorized.
Step 3: Check out and set up your provisioning settings from Okta to TrackTik
To start provisioning from Okta to TrackTik, you must make sure some settings are turned on.
To check your provisioning settings for Okta:
- Go to Applications > Applications.
- Select the TrackTik app.
- Choose the Provisioning tab.
- Select To App.
By default, Create Users, Update User Attributes, and Deactivate Users are selected. If these checkboxes aren't selected, select Edit and enable them. Remember to save your changes.
Your connection is now ready to send data to TrackTik.
Step 4a: Provisioning users to TrackTik from Okta
Once you check out and set up your provisioning settings, you can now provision users to TrackTik from Okta.
To provision users to TrackTik:
- Follow steps 1 to 2 in Step 2: Set up the TrackTik app in Okta.
- Select the Assignments tab.
- Choose the Assign drop-down menu and select Assign to People.
- In the Search… box, enter the name of the user you want to send to TrackTik.
- Select Assign.
- You can enter more details about the user. When you're done, select Save and Go Back.
The user is now provisioning to TrackTik.
Finding a provisioned user in TrackTik
Users in Okta are converted to employees in TrackTik.
To see a provisioned user in TrackTik:
- Log into your TrackTik Portal.
- Select Employees.
Users are assigned to the HQ region in TrackTik.
- In the Type to filter box, enter the employee's name; the employee shows in your search.
You can also select View for the employee and choose the History tab to see the provisioning details.
Step 4b: Provisioning groups to TrackTik from Okta
Once you set up provisioning, you can provision groups to TrackTik from Okta.
To provision users to TrackTik:
- Follow steps 1 to 2 in Step 2: Set up the TrackTik app in Okta.
- Select the Assignments tab.
- Choose the Assign drop-down menu and select Assign to Groups.
- In the Search… box, enter the name of the group you want to send to TrackTik.
- Select Assign.
- Enter more details about the group if you want. When you're done, select Save and Go Back.
If the group has users, the users are also provisioned with a type of group if they were not individually added to Assignments.
- Choose the Push Groups tab.
- Select the + Push Groups drop-down menu, and choose Find groups by name.
- In the Enter a group to push… box, enter the group name and select it.
- Select Save.
The group is now provisioning to TrackTik.
Finding a provisioned group in TrackTik
Groups in Okta are converted to roles in TrackTik.
To find a provisioned Group in TrackTik:
- Log into your TrackTik Portal.
- Select Settings.
- In General Configurations, select Roles & Security.
The group is provisioned to your Staff Portal Roles.
Get troubleshooting and tips for your provisioning
Here are some things to keep in mind while you are provisioning from Okta to TrackTik:
- When you delete or terminate a user, their status is changed from Active to Terminated, and their username is removed from TrackTik.
- If you reactivate the user in Okta and make a provision, TrackTik creates a new entity for the user because there isn't a match to their username.
- If you are still facing challenges, reach out to our Support team.
Attributes table
These are the current mapped attribute details:
Attribute | Required | Validation | Notes |
Yes | string <email> unique | Is mapped to the employee email attribute and must be unique. | |
Title | No | [0 .. 255 ] characters | Is mapped to the employee jobTitle attribute. |
Primary phone | No | [0 .. 20 ] characters | Is mapped to the employee primaryPhone attribute |
Street address | No* | [1 .. 255 ] characters |
If present, then all other attributes with No* are required. We don't support saving partial addresses. |
Locality | No* | [1 .. 255 ] characters |
If present, then all other attributes with No* are required. We don't support saving partial addresses. |
Region | No* | [1 .. 2] characters |
Should be the Country ISO code. If present, then all other attributes with No* are required. We don't support saving partial addresses. |
Postal code | No* | [1 .. 255 ] characters |
If present, then all other attributes with No* are required. We don't support saving partial addresses. |
Country | No* | [1 .. 2] characters |
Should be the Country ISO code. If present, then all other attributes with No* are required. We don't support saving partial addresses. |
Preferred language | No | Enum, possible values are: "EN_US" "FR" "FR-BE" "FR-FR" "RO" "ES" "ES-ES" "ES-UY" "DE" "DE-AT" "NL" "NL-BE" "PT" "SV" "ZH-CN" "ZH-HK" "TH-TH" "SR-RS" "IT-IT" "TR-TR" "CS-CZ" "HU-HU" "AR-SA" "ID-ID" "VI-VN" "KO-KR" "DA-DK" "FI-FI" "PL-PL" "NO-NO" "JA-JP" |
Mapped to the employee language attribute. Only used when sending communications to the user. |
User type | No | Expected to be constant with the value of User. | |
Division | Yes* |
[1 .. 255 ] characters if sending the TracktikCloud Region Name. Integer value if sending the TrackTik Cloud Region ID. |
When creating an Employee in TracktikCloud, specifying the Region in which the employee will be created is a required field. By default, this field is mapped to the SCIM attribute urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division, but it can be changed if needed.
|
See also