Automated User Provisioning Guide for Okta

Objective

The purpose of this article is to provide direction to Outreach Admins in onboarding customers for Automated User Provisioning for Okta. 

Applies To

• Outreach Admins
• Okta Admins

Before You Begin

• Outreach's cataloged SCIM application is a entirely different application then the custom SAML SSO application. The SCIM and the SSO application cannot be part of the same Okta application. 
• Some Outreach features and options require enablement access. If the features and options outlined in this article are unavailable, contact your AE as applicable.  
• Admin permissions for Okta and Outreach are required to complete this process.
• If you do not see the "Provisioning" tab when attempting to authenticate the Outreach app in Okta, please ensure that you are subscribed to Okta's Lifecycle Management product. If you are unsure if you have this feature as part of your Okta subscription, please reach out to your Okta contact or Okta support as they should be able to assist. 

Features

• Push New Users - New Users created through Okta will also be created in Outreach.
• Push Profile Updates - Updates made to the User's Okta Profile will be pushed to Outreach.
• Push User Deactivation - Deactivating the User or disabling the User's access to the application through Okta will lock the User in Outreach.
  Note: For this application, deactivating a User means removing login access. The User will no longer be able to log into Outreach.
• Reactivate Users - User accounts can be reactivated in the application.
  Note: Reactivating a User reactivates the User in Outreach, allowing the User to log in again. Reactivating a User will not create a new User in Outreach if the user already exists.
• Push Groups - Groups can be pushed to Outreach as Team and Team Members. For more information regarding pushing groups, refer to the applicable Okta support articles.
• Import Users - Outreach Users can be imported to Okta. 

Requirements

This feature is available for specific Account Plans only. Please contact your sales representative for more information.

Step-by-Step Configuration Instructions:

Onboarding Automated User Provisioning is a multi-step process organized into the following categories: 

• Add the Outreach Application in Okta
• Authenticate Outreach App in Okta
• Automated User Provisioning Integration Setup
• Schema Discovery

Add the Outreach App to Okta:

1. In the Okta Admin Console, go to Applications > Applications.
2. Click Add Application.
3. In the Search for an application field, enter Outreach.
4. Select Add for Outreach.
5. Complete the fields on the General Settings page and click Next.
   
   
   
   Note: To configure Single-Sign On options for Outreach using Okta, refer to the Setting up Single Single-On (SSO) with Okta article.
6. Click Done.
7. Note: If you wish to integrate multiple Outreach instances with Okta, refer to the Troubleshooting and Tips section in this article. 
8. If you added the Outreach app previously, on the Okta Admin Console, click Applications and select Outreach in the list of applications.
9. Next, Authenticate Outreach App in Okta

Authenticate Outreach App in Okta:

1. In the Outreach App in Okta, click Provisioning
   
   
2. Click Configure API Integration.
3. Click Enable API Integration.
   
   
4. Enter the Outreach Org ID.
   Note: To find your Org ID, navigate to your Org Sign-In Settings and it will be listed in the URL nested between orgs/ and /setting.
5. Click Authenticate with Outreach.
6. Once authentication is completed, follow the steps in Schema Discovery to customize additional Attribute Mappings between Okta and Outreach. Otherwise, proceed to SCIM Integration Setup to complete the Outreach App set up.
   Note: By default, the Outreach App has the following Attribute Mappings.
   

Automated User Provisioning Integration Setup:

1. Access Okta.
2. Click Applications.
3. Locate and click the recently added Outreach application.
4. Click Provisioning.
   
   
5. Click Edit.
6. Click to enable the following options:
   • Create Users
   • Update User Attributes
   • Deactivate Users
     
     
7. Click Save.
8. Complete the Mapping Attributes for Importing Users into Okta process.

How To Map Attributes for Importing Users into Okta:

1. Access Okta.
2. Click Sign On.
3. Click Edit
   
   
4. Select Email from the Application username format dropdown menu.
   Note: Alternatively, set a custom expression that matches the username convention currently used for the org.
5. Click Save.
   
   
6. Click Provisioning
7. Click To Okta.
8. Click Edit.
   
   
9. Select Custom from the Okta username format dropdown menu.
10. Input appuser.userName in the expression field.
11. Click Import and run an import to pull users from Outreach and assign them to the application in Okta.

Schema Discovery: 

How To Configure Profile Attributes in Okta:

1. Access Okta.
2. Click Directory and select Profile Editor from the dropdown menu.
   
   
3. Click Profile to the right of the applicable application.
   
   
4. Click Add Attribute.
   
   
5. Select the desired data type form the Data type dropdown menu. 
6. Input the applicable information in the Display, Variable, and External name fields.
   Note: The Variable name and External name fields must be the Outreach API name. If you wish to create the Role Name attribute for provisioning Outreach User Roles, use roleName for the Variable and External name fields.
7. input urn:ietf:params:scim:schemas:extension:outreach:2.0:User in the External namespace field. 
8. Input a description to clarify as applicable.
9. Click to select the Define enumerated list of values option if the attribute you're adding needs to match the values in Outreach (e.g., Profile names, Role names).
   Example: If users need to include a selection for an SDR profile, and the SDR profile in Outreach appears as: SDr, then users must add "SDr" as a variable name exactly how it appears in Outreach. The External name field automatically populates with the value from the Variable name field.
10. Input the applicable content in the Display name and Value fields.
    Note: Outreach recommends Users populate this list as it appears in the Profiles page of the Outreach Platform for the Profile Name attribute. For more information regarding profiles in Outreach refer to the Default, Leadership, and Admin Profiles article. 
11. Complete configuring the attribute as applicable. 
12. Click Save or Save and Add Another as applicable.
    
13. Repeat steps 6-13 for all applicable attributes. 
14. Complete the Automated User Provisioning Integration Setup process. 

Troubleshooting and Tips: 

Q: Can I assign Outreach Profiles as a group attribute in Okta?
A: Yes, when you set up the attribute in Okta, leave the User Personal Scope setting unchecked. 

Q: Can I delete Users in Outreach via the Okta integration?
A: No, Okta does not delete Users in Outreach. Instead, deactivating the Okta User or un-assigning the Okta User from the Outreach app in Okta in the corresponding Outreach User to be locked. For more information refer here. 

Q: Can I integrate multiple Outreach instances with my Okta instance?
A: Yes, you need to add an Outreach app per Outreach instance you wish to integrate with your Okta. One Outreach app can only be authenticated with one Outreach instance at a time. This means if you have an Outreach sandbox and an Outreach production instance, you need to add the Outreach app in Okta twice, one authenticated with the Outreach sandbox and one authenticated with the Outreach production instance. In Okta, under the Sign on settings, you can use an expression to manipulate the username that Okta sends to match the email/username conventions for each of your Outreach instances. For example, for your Outreach production, all users are set to send their standard email address as the username. For an Outreach sandbox, you can have an expression set that transforms the email to the desired email/username convention to avoid any username collisions between the two Outreach instances.