Automated User Provisioning Guide for Okta
This integration with Okta is currently under development and is not yet available to customers. To learn more about this feature, please submit a request to the Outreach Support Portal.
The purpose of this article is to provide direction to Outreach Admins in onboarding customers for Automated User Provisioning for Okta.
- Outreach Admins
- Okta Admins
- This integration with Okta is currently under development and is not available to all customers. For more information contact your AE as applicable.
- Admin permissions for Okta and Outreach are required to complete this process.
- Push New Users - New Users created through Okta will also be created in Outreach.
- Push Profile Updates - Updates made to the User's Okta Profile will be pushed to Outreach.
- Push User Deactivation - Deactivating the User or disabling the User's access to the application through Okta will lock the User in Outreach.
Note: For this application, deactivating a User means removing login access. The User will no longer be able to log into Outreach.
- Reactivate Users - User accounts can be reactivated in the application.
Note: Reactivating a User reactivates the User in Outreach, allowing the User to log in again. Reactivating a User will not create a new User in Outreach if the user already exists.
- Push Groups - Groups can be pushed to Outreach as Team and Team Members. For more information regarding pushing groups, refer to the applicable Okta support articles.
- Import Users - Outreach Users can be imported to Okta.
This feature is available for specific Account Plans only. Please contact your sales representative for more information.
Step-by-Step Configuration Instructions:
Onboarding Automated User Provisioning is a multi-step process organized into the following categories:
- Add the Outreach Application in Okta
- How To Create an OAuth Application in Outreach
- Authenticate Outreach App in Okta
- Automated User Provisioning Integration Setup
- Schema Discovery
Add the Outreach App to Okta:
- In the Okta Admin Console, go to Applications > Applications.
- Click Add Application.
- In the Search for an application field, enter Outreach.
- Select Add for Outreach.
- Complete the fields on the General Settings page and click Next.
Note: To configure Single Sign-On options for Outreach using Okta, refer to the Setting up Single Sign-On (SSO) with Okta article.
- Click Done.
- If you added the Outreach app previously, on the Okta Admin Console, click Applications and select Outreach in the list of applications.
- Next, Create an OAuth Application in Outreach.
How To Create an OAuth Application in Outreach:
- Access the Outreach Platform.
- Navigate to https://accounts.outreach.io/oauth/applications/new
- Input Okta Automated User Provisioning in the Name field (or a name of your choice).
- Input the following string in the Redirect URI field, replacing <Okta appName> with the Okta application name captured in Step 14 of the SCIM Integration Setup process:
- https://system-admin.okta.com/admin/app/cpc/<Okta appName>/oauth/callback
- https://system-admin.okta.emea.com/admin/app/cpc/<Okta appName>/oauth/callback
- https://system-admin.oktapreview.com/admin/app/cpc/<Okta appName>/oauth/callback
- https://system-admin.trexcloud.com/admin/app/cpc/<Okta appName>/oauth/callback
- https://system-admin.okta1.com:1802/app/cpc/<Okta appName>/oauth/callback
- Replace Okta appName with the Okta application name.
Note: To find the Okta appName, navigate back to the Outreach App in Okta. The browser URL contains the app name needed for configuring the OAuth application in Outreach. The URL path: /admin/app/<appName>/instance/… where <appName> is the name of the Outreach App in Okta.
- Click Save.
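The Redirect URI has to match one of the callback URIs above character for character, so it is safer to derive it from the Okta admin URL than to type it by hand. The following is an added example, not Outreach or Okta code: it extracts the appName from the /admin/app/<appName>/instance/… path and fills it into one of the callback URIs listed in this article. The function names, the allowed-character rule for app names and the sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Callback URI templates copied from the list in this article.
CALLBACK_TEMPLATES = {
    "system-admin.okta.com": "https://system-admin.okta.com/admin/app/cpc/{app}/oauth/callback",
    "system-admin.okta.emea.com": "https://system-admin.okta.emea.com/admin/app/cpc/{app}/oauth/callback",
    "system-admin.oktapreview.com": "https://system-admin.oktapreview.com/admin/app/cpc/{app}/oauth/callback",
    "system-admin.trexcloud.com": "https://system-admin.trexcloud.com/admin/app/cpc/{app}/oauth/callback",
    "system-admin.okta1.com:1802": "https://system-admin.okta1.com:1802/app/cpc/{app}/oauth/callback",
}

APP_PATH = re.compile(r"^/admin/app/([^/]+)/instance/")
# Assumption: app names contain only letters, digits, underscore and hyphen.
SAFE_APP_NAME = re.compile(r"[A-Za-z0-9_-]+")


def okta_app_name(admin_url: str) -> str:
    """Extract <appName> from an Okta admin URL (/admin/app/<appName>/instance/...)."""
    parts = urlsplit(admin_url)
    if parts.scheme != "https":
        raise ValueError("expected an https:// Okta admin URL")
    match = APP_PATH.match(parts.path)
    if not match:
        raise ValueError("URL path is not /admin/app/<appName>/instance/...")
    name = match.group(1)
    # Reject encoded slashes, spaces and similar so the URI stays well-formed.
    if not SAFE_APP_NAME.fullmatch(name):
        raise ValueError(f"unexpected characters in app name: {name!r}")
    return name


def redirect_uri(admin_url: str, callback_host: str) -> str:
    """Build the Redirect URI to paste into the Outreach OAuth application."""
    template = CALLBACK_TEMPLATES.get(callback_host)
    if template is None:
        raise ValueError(f"{callback_host!r} is not a callback host listed in the article")
    return template.format(app=okta_app_name(admin_url))


if __name__ == "__main__":
    # Constructed sample URL; tenant, app name and instance id are placeholders.
    sample = "https://example-admin.okta.com/admin/app/outreach_example/instance/0oaEXAMPLE/#tab-general"
    print(redirect_uri(sample, "system-admin.okta.com"))
```
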
Authenticate Outreach App in Okta:
- In the Outreach App in Okta, click Provisioning.
- Click Configure API Integration.
- Click Enable API Integration.
- Enter the Outreach Org ID. Note: Access the Outreach Platform, click the user's initials in the bottom left corner of the navigation sidebar, and click Change Login Credentials (do not change anything). The org_guid is the URL segment between orgs/ and /users. Example: 8f149a67-04a67-04ba-11e6-940a-02c9a687c33b is the org_guid of the URL accounts.outreach.io/orgs/8f149a67-04a67-04ba-11e6-940a-02c9a687c33b/users/499 as illustrated in the .GIF below:
- Click Authenticate with Outreach. Note: Make sure you created an OAuth application in the corresponding Outreach instance before authenticating. Follow the steps in How to Create an Application in Outreach for an Org to create the corresponding OAuth application in Outreach.
- Once authentication is completed, follow the steps in Schema Discovery to customize additional Attribute Mappings between Okta and Outreach. Otherwise, proceed to SCIM Integration Setup to complete the Outreach App set up. Note: By default, the Outreach App has the following Attribute Mappings.
Automated User Provisioning Integration Setup:
- Access Okta.
- Click Applications.
- Locate and click the recently added Outreach application.
- Click Provisioning.
- Click Edit.
- Click to enable the following options:
- Create Users
- Update User Attributes
- Deactivate Users
- Click Save.
- Complete the Mapping Attributes for Importing Users into Okta process.
How To Map Attributes for Importing Users into Okta:
- Access Okta.
- Click Sign On.
- Click Edit.
- Select Email from the Application username format dropdown menu. Note: Alternatively, set a custom expression that matches the username convention currently used for the org.
- Click Save.
- Click Provisioning.
- Click To Okta.
- Click Edit.
- Select Custom from the Okta username format dropdown menu.
- Input appuser.userName in the expression field.
- Click Import and run an import to pull users from Outreach and assign them to the application in Okta.
How To Create Profile Attributes in Okta:
- Access Okta.
- Click Directory and select Profile Editor from the dropdown menu.
- Click Profile to the right of the applicable application.
- Click Add Attribute.
- Select string from the Data type dropdown menu.
- Input the applicable information in the Display, Variable, and External name fields. Note: The Variable name and External name fields must match 1:1 with the values listed in step 13. Example: If users need to include a selection for an SDR profile, and the SDR profile in Outreach appears as: SDr, then users must add “SDr” as a variable name exactly how it appears in Outreach. The External name field automatically populates with the value from the Variable name field.
- Input urn:ietf:params:scim:schemas:extension:outreach:2.0:User in the External namespace field.
- Input a description to clarify as applicable.
- Click to select the Define enumerated list of values option.
- Input the applicable content in the Display name and Value fields. Note: Outreach recommends users populate this list as it appears in the Profiles page of the Outreach Platform. For more information regarding profiles in Outreach, refer to the Default, Leadership, & Admin Profiles article.
- Complete configuring the attribute as applicable.
- Click Save or Save and Add Another as applicable.
- Repeat steps 6-13 for the remaining attributes:
- custom5 Note: The profileName attribute is required. Confirm the External Name for the custom fields is lowercase.
- Complete the Automated User Provisioning Integration Setup process.
Troubleshooting and Tips:
Q: Can I assign Outreach Profiles as a group attribute in Okta?
A: Yes, when you set up the attribute in Okta, leave the User Personal Scope setting unchecked.
Q: Can I delete Users in Outreach via the Okta integration?
A: No, Okta does not delete Users in Outreach. Instead, deactivating the Okta User or un-assigning the Okta User from the Outreach app in Okta causes the corresponding Outreach User to be locked. For more information refer here.