I linked Okta and Slack to implement single sign-on (SSO) and provisioning.

Introduction

The chat tool “Slack”, which makes communication easy both inside and outside the company, is very convenient during the COVID-19 pandemic, and many people use it.
This time, we linked Slack and Okta to implement single sign-on (SSO) and provisioning. We have summarized why SSO and provisioning are needed and the flow of the actual operations, so we hope this blog is a useful reference if you are wondering "What can Okta do?" or "What are SSO and provisioning?"

Provisioning from Okta to Slack

What is provisioning

Provisioning is a function in which Okta and a SaaS application work together through an API to automatically manage the life cycle of accounts.

Need for provisioning

With the spread of cloud services, it has become necessary to create, change, or remove accounts and set permissions in each service according to the user's status (joining, transferring, or leaving). With Okta's provisioning function, you can centrally manage the identity state of your company's SaaS applications simply by managing user information and attributes in Okta.

Provisioning from Okta to Slack (user creation)

By enabling Create Users in the provisioning settings on Okta, users added in Okta will be automatically created in the linked Slack tenant.

Enable Create Users

Users added in Okta are created in Slack

Provisioning from Okta to Slack (user profile update)

User attribute values in Okta and Slack can be linked using Okta's mapping function. For example, in the image below you can see that the following attributes are linked:

  • first name
  • last name
  • middle name
  • email
  • employee number
  • organization
  • division
  • department

It is also possible to link various other attributes.

By activating Update User Attributes, when attribute values are updated on the Okta side, the attribute values linked by this mapping function will be automatically reflected on the SaaS (Slack) side.
(This time, Okta → SaaS is taken as an example, but it is also possible to set up reverse synchronization.)

Mapping example ①

Mapping example ②

Enabling Update User Attributes

Okta to Slack provisioning use case

As a provisioning use case, we will introduce a case where the attribute values of "division" and "department" are automatically updated on the SaaS (Slack) side when an employee is transferred.
This time, I will focus on the part in the red frame (provisioning from Okta to Slack) in the image below.

Provisioning use case during an employee transfer

Attribute values of "division" and "department" of the transferred employee are changed on Okta (as user information is updated on the Active Directory side).

Attribute values changed on the Okta side (and Active Directory side) are also reflected on the SaaS (Slack) side.
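
The transfer use case above can be checked from the defender's side by comparing the IdP profile with the SaaS record and listing any mapped attribute that has drifted. The following is an added example, not code from this blog or from Okta or Slack; it assumes the provisioning API is SCIM 2.0 (RFC 7643/7644), and the Okta attribute names, the mapping and both sample records are constructed for illustration. Email is left out because SCIM models it as a multi-valued attribute.

```python
# SCIM 2.0 enterprise user extension (RFC 7643): holds employeeNumber,
# organization, division and department.
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Okta profile attribute -> SCIM path (assumed mapping, mirroring the list above)
MAPPING = {
    "firstName": "name.givenName",
    "lastName": "name.familyName",
    "middleName": "name.middleName",
    "employeeNumber": f"{ENT}:employeeNumber",
    "organization": f"{ENT}:organization",
    "division": f"{ENT}:division",
    "department": f"{ENT}:department",
}

def scim_get(resource, path):
    """Read a simple SCIM path: 'name.givenName' or '<extension URN>:attr'."""
    if path.startswith(ENT + ":"):  # check first: the URN itself contains dots
        return resource.get(ENT, {}).get(path[len(ENT) + 1:])
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def find_drift(okta_profile, scim_user):
    """Return {scim_path: (idp_value, saas_value)} for mapped attributes that differ."""
    drift = {}
    for okta_attr, path in MAPPING.items():
        want, have = okta_profile.get(okta_attr), scim_get(scim_user, path)
        if want != have:
            drift[path] = (want, have)
    return drift

def patch_for(drift):
    """Build the RFC 7644 PatchOp that would bring the SaaS record back in line."""
    # Attributes missing on the IdP side are reported as drift but not patched here.
    ops = [{"op": "replace", "path": path, "value": want}
           for path, (want, _) in drift.items() if want is not None]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": ops}

# Constructed sample: the IdP already shows the new division and department,
# while the SaaS record still carries the old ones.
OKTA_AFTER_TRANSFER = {"firstName": "Hanako", "lastName": "Yamada",
                       "employeeNumber": "E1001", "organization": "Example Corp",
                       "division": "Sales", "department": "Inside Sales"}
SLACK_RECORD = {"name": {"givenName": "Hanako", "familyName": "Yamada"},
                ENT: {"employeeNumber": "E1001", "organization": "Example Corp",
                      "division": "Engineering", "department": "Platform"}}
```

An empty result from find_drift means the mapped attributes on both sides agree; a non-empty result after a sync window has passed is a sign that Update User Attributes is disabled or failing for that user.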

Single sign-on (SSO) from Okta to Slack

What is single sign-on (SSO)?

It is a mechanism that allows you to sign on to multiple resources (services and applications) with only one authentication by an IdP such as Okta.

Need for SSO

If SSO is not implemented, multiple sets of account information must be managed for one user, and a separate authentication is required for each service or application. By introducing SSO, IDs can be managed in Okta (IdP) alone, so it is possible to log in to each resource simply by signing in to Okta (IdP).

SSO from Okta to Slack

This section explains the flow of SSO to Slack for a user provisioned from Okta to Slack.

Selecting the app from the Okta Dashboard to SSO to Slack (IdP-initiated)

1. Sign in to Okta

2. Click Slack app on Okta Dashboard and SSO to Slack

We introduced SSO to Slack this time, but you can SSO to all the applications displayed on the Okta Dashboard by simply clicking the application icon like this.

If you are already signed in to Okta and want to SSO from the Slack login screen (SP-initiated)

All you have to do is open the Slack login screen and click “Sign in with Okta”.

Summary

In this blog, I used the widely used chat tool “Slack” as an example and introduced SSO with Okta, the need for provisioning, and the flow of the actual operations.
By implementing Okta, you can manage identities more safely and easily. Of course, there is much more that can be achieved with Okta.
This time, we introduced basic functions such as SSO and provisioning. Next time, we would like to introduce functions that will make you think, "It can do this too!", so please take a look.

If you are interested or have any other inquiries about Okta, please contact us.
