Okta Integration: User Provisioning Setup

⏱️ 3 minute read

Okta user provisioning automates the creation of users in Forecast, eliminating the need for manual entry. By centralizing user management within your Okta directory, you ensure consistent security, data accuracy, and compliance across your organization.

This article includes:

• Adding the Forecast provisioning app in Okta
• Configuring user provisioning to Forecast in Okta
• Custom permission profiles provisioning

Adding the Forecast provisioning app in Okta

Before you may begin configuring provisioning to Forecast in Okta, it is necessary to add the Forecast provisioning application in Okta. This whole process may only be done by admins in both Forecast and Okta.

To add Forecast provisioning application in Okta.

1. Head to the Okta Admin Console.
2. Go to the Applications > Applications section.
3. Click Browse App Catalog, search for "Forecast", and click on it.
   
   
4. Click Add Integration.
5. Select Do not display application icon to users, and click Next.
6. In the Sign-On Options, under Credentials Details, set the Application username format to Email.
   
    
7. Click Done.

Configuring user provisioning in Okta

Before proceeding with configuring provisioning, it is important to know what provisioning features the integration supports:

• Push New Users - New users created in OKTA will also be created in Forecast.
• Push Profile Updates - Updates made to the user's profile through OKTA will be pushed to Forecast.
• Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application in OKTA will deactivate the user in Forecast.
• Import New Users - New users created in Forecast will be imported and turned into new AppUser objects, for matching against existing OKTA users.

Steps to configure user provisioning:

1. In Forecast, find your SCIM username and password in the admin panel:
   1. Click on Admin in the top bar. 
   2. Select Integrations from the dropdown.
   3. Scroll to the SSO integrations and click Okta. The SCIM username and password will be displayed there.
2. Head to Okta's application section and select the Forecast provisioning app.
3. Click on the Provisioning tab.
4. Click Configure API Integration.
5. Click  Enable API integration and fill in the Username and Password received from Step 1.
6. Click Test API Credentials to enable provisioning. A confirmation message will be displayed once completed.
   
7. Click Save.

8. Go back to the Provisioning tab. In the To App section, click Edit, and tick the 3 boxes next to Enable. Click Save.

   

You can now assign users to this provisioning app.

Custom permission profiles provisioning

During provisioning, permission profile assignment follows this logic:

1. Forecast looks for a Permission Profile matching the Okta userType (case-insensitive).
2. If no match is found, the user is assigned the 'Collaborator' profile in Forecast.
3. If the 'Collaborator' profile does not exist in Forecast, the provisioning process fails.

Permission profiles will not sync unless the userType attribute is both present in the Okta application profile and correctly mapped.

Steps:

1. Open the provisioning application in Okta and click the Provisioning tab.

2. Scroll down to the "Attribute Mappings" section and click Go to Profile Editor.

3. Click + Add Attribute.

4. Enter the exact configuration below:

   • Display Name: User Type
   • Variable name: userType
   • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
     
5. Click Save.
6. Click Mappings.
7. Select Okta User to Forecast.
8. In the next empty box, select userType from the dropdown list.
9. Click Save Mappings, then Apply updates.

Permission profiles will now be provisioned.