User Provisioning
Currently Jostle's User Provisioning API can only be used for integration with Okta or Azure AD. For more information about the User Provisioning API and SCIM standard, please see this article.
About Jostle/Okta integration
Configuration
- Requires a two-part setup: Jostle, then Okta
- Once configured, user provisioning is one-way: Okta to Jostle
Supported provisions
- Push New Users
  - New users created in Okta will be created in Jostle.
- Push Profile Updates
  - Updates made to a user’s profile in Okta will be pushed to Jostle.
- Push User Deactivation
  - Deactivating a user in Okta will deactivate them in Jostle.
- Push User Reactivation
  - Reactivating a user in Okta will reactivate them in Jostle.
Setup Part 1: Jostle
Automation Account
Before you begin, you’ll need to create an Automation user in your Jostle platform. This will be the account you’ll use to configure with Okta. Automation users can be created in Admin Settings > User accounts and data > Manage Automation users.
For more details on Automation users and how to create one, see this article.
Once created, the Automation user account must be activated (i.e. logged in to your platform at least once) before it can be used to configure Okta.
NOTE—if you have already set up your Okta user provisioning with an Integration account, that account will be automatically updated to an Automation user.
Manage User Provisioning
All Jostle account subscriptions include SSO/user provisioning features. If they are not appearing on your account, you can contact your Customer Success Manager and they can assist you in getting them added.
The next step is to obtain the API URL and API key from Jostle, which you can do in Admin Settings > User Data To/From Other Systems > Manage User Provisioning (if you do not see "Manage user provisioning" here, contact Support to have this page enabled in your Admin Settings).
NOTE—this page also includes a User Account Settings section where you can automatically invite and/or disable/suspend users.
To obtain the API URL and API key
- On the Manage User Provisioning page, scroll down to the User Provisioning API Details section.
- Locate the Your Base URL field and click the Copy button to its right (and save the URL somewhere you can easily access it later).
- Next, click the Add a new key... button.
- On the following screen, go to the Automation User field and use the drop-down menu to select your Integration account.
- In the Provisioning API key description field, give your key a name (e.g. “Okta”) and then click the Add button.
- Once your key is generated, make sure to copy it right away and save it where you saved your URL (since this will be the only time your key will appear).
Next, you’ll set up the mapping and then use the API URL and API key to configure the integration in Okta.
Setup Part 2: Okta
Email Mapping and Custom Fields
Jostle/Okta user profile email mapping (ALWAYS REQUIRED):
- Jostle's workEmail field is mapped to Okta's email field.
- Jostle's personalEmail field is mapped to Okta's secondEmail field.
- Jostle also supports two more email addresses, each with their own custom labels:
  - Alternate Email 1 and Alternate Email 1 label
  - Alternate Email 2 and Alternate Email 2 label
Additional email fields
To make use of the additional email fields and to be able to specify which of the email types is primary, the following needs to be added as custom fields in your Okta profile (which you can do via Okta's Profile Editor).
- Data type: string
- Display name: Alternate Email 1
- Variable name: alternateEmail1
- Description: Alternate email address 1

- Data type: string
- Display name: Alternate Email 2
- Variable name: alternateEmail2
- Description: Alternate email address 2

- Data type: string
- Display name: Alternate Email 1 Label
- Variable name: alternateEmail1Label
- Description: Label for alternate email address 1

- Data type: string
- Display name: Alternate Email 2 Label
- Variable name: alternateEmail2Label
- Description: Label for alternate email address 2

- Data type: string
- Display name: Primary
- Variable name: primary
- Description: Field for specifying which email type is the primary email
- Enum: on
- Enum values (Display name - Value):
  - Work Email - work
  - Personal Email - personal
  - Alternate Email 1 - alternate1
  - Alternate Email 2 - alternate2
For the alternate emails and the primary email address type to sync to Jostle, the following mappings from your Okta profile to Jostle are required:
- user.alternateEmail1 -> alternateEmail1
- user.alternateEmail2 -> alternateEmail2
- user.alternateEmail1Label -> alternateEmail1Label
- user.alternateEmail2Label -> alternateEmail2Label
- user.primary == 'work' || user.primary == 'personal' || user.primary == 'alternate1' || user.primary == 'alternate2' ? user.primary : 'work' -> emailType
- user.primary == 'work' ? user.email : user.primary == 'personal' ? user.secondEmail : user.primary == 'alternate1' ? user.alternateEmail1 : user.primary == 'alternate2' ? user.alternateEmail2 : user.email -> email
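The two conditional mappings above, modelled in Python as an added example (not Jostle's or Okta's code, and not Okta's expression evaluator). The profile dictionaries and the `login` key are constructed sample data, and `audit` is a hypothetical helper that flags profiles whose selected primary type points at an empty Okta attribute, so the mapped email would be empty.

```python
# Model of the two Okta mapping expressions above (added example).
VALID_TYPES = ("work", "personal", "alternate1", "alternate2")

# Which Okta profile attribute each value of `primary` selects.
SOURCE_FIELD = {
    "work": "email",
    "personal": "secondEmail",
    "alternate1": "alternateEmail1",
    "alternate2": "alternateEmail2",
}


def map_email(user):
    """Return (emailType, email) as the two ternary chains compute them."""
    primary = user.get("primary")
    # First expression: any value outside the enum falls back to 'work'.
    email_type = primary if primary in VALID_TYPES else "work"
    # Second expression: same fallback, so an unknown value yields user.email.
    email = user.get(SOURCE_FIELD[email_type])
    return email_type, email


def audit(profiles):
    """List profiles whose mapped primary email would be empty."""
    findings = []
    for user in profiles:
        email_type, email = map_email(user)
        if not email:
            findings.append((user["login"], email_type, SOURCE_FIELD[email_type]))
    return findings


# Constructed sample profiles (not real data).
SAMPLE = [
    {"login": "ana", "email": "ana@example.com", "primary": "work"},
    {"login": "ben", "email": "ben@example.com", "primary": "personal"},
    {"login": "cy", "email": "cy@example.com", "primary": "alternate1",
     "alternateEmail1": "cy@alt.example"},
    {"login": "dee", "email": "dee@example.com", "primary": "home"},
    {"login": "eli", "email": "eli@example.com"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("empty primary email:", finding)
```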
Add the Jostle app
NOTE—if you add your users to the app before enabling integration and turning on user provisioning, you will need to reassign them afterwards in order for them to be recognized and synced.
If you haven't done so already, sign in to Okta and download the Jostle app (Okta > Add Apps > Search "Jostle" > Add).
Configuration
- In Okta, click Applications in the top bar and then select your Jostle app.
- In the app, go to Provisioning and then, under SETTINGS, click Integrations.
- If you see a “Provisioning is not enabled” screen, click the Configure API integration button.
- On the next screen, check the box next to Enable API integration and click Save.
- Go down to the Base URL field and enter the URL you copied from Jostle.
- Then, in the API Token field, enter the API key you generated in Jostle.
- Right below those fields, click the Test API credentials button (a successful verification message should appear at the top of the screen).
- Click Save.