We recently held our latest Okta Community Ask Me Anything with Okta Group Product Manager, George Kwon. George tackled questions on provisioning approaches and best practices for customers.
On apps in multi-domain environments…
Q: I'm curious to hear what you would recommend for enabling application assignments in a multi-domain environment. I would like to assign an application to all users from one of many domains. - Customer John Wood, Director IT Architecture - IAM, Shire Pharmaceuticals
A: If you have a group in an AD domain that contains all the users, you can import that group and assign it applications. An alternative is that you could use Group Membership Rules (a feature available as part of our Provisioning product) to put users into a group based on an attribute on their profile that identifies what domain they are from.
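The attribute-based approach in the answer above, modeled locally as an added example (not Okta's rule engine or code from the AMA); the `login` field, domains and group names are constructed. It shows why the rule condition should compare the full domain exactly rather than test for a substring, so the application is assigned only to users from the intended domain.

```python
# Added example: a local model of a "group by domain" membership rule.
# Not Okta's rule engine; field names, domains and groups are constructed.

def login_domain(login):
    """Return the lower-cased domain of a user@domain login, or None if malformed."""
    local, sep, domain = login.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")

def loose_match(login, domain):
    """Weak condition: substring test, also true for look-alike domains."""
    return domain in login.lower()

def evaluate_rules(users, rules):
    """Place each user in the group whose domain equals the login domain exactly."""
    membership = {group: [] for group in rules.values()}
    unmatched = []
    for user in users:
        group = rules.get(login_domain(user["login"]))
        if group is None:
            unmatched.append(user["login"])   # review these, never auto-assign
        else:
            membership[group].append(user["login"])
    return membership, unmatched

# Constructed rule set: domain -> group that carries the app assignment.
RULES = {"emea.corp.example": "EMEA-App-Users", "us.corp.example": "US-App-Users"}

# Constructed directory sample, including look-alike and malformed logins.
USERS = [
    {"login": "alice@emea.corp.example"},
    {"login": "Bob@EMEA.corp.example"},
    {"login": "carol@us.corp.example"},
    {"login": "dave@emea.corp.example.partner.example"},
    {"login": "erin@notemea.corp.example"},
    {"login": "no-at-sign"},
]

if __name__ == "__main__":
    groups, unmatched = evaluate_rules(USERS, RULES)
    for name, members in groups.items():
        print(name, members)
    print("unmatched:", unmatched)
```

The last three sample logins land in `unmatched` under the exact comparison, while `loose_match` would have accepted the two look-alike domains.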
On customers helping customers…
Q: Any thoughts on adding a feature to be able to add links to other sites (no auth needed) to users’ Okta home screen? We currently use a web page with shortcuts for internal and useful external sites, so it would be nice to have the links in Okta and ditch this site. - Customer, James Smith, Infrastructure Analyst, Defaqto
Q: We do this for a few internal sites that use another form of older auth that we don’t want to mess with. I used the Bookmark template and it acts as a link to the site. - Kimberly Fuhrer, IT Security Analyst, Forest City Enterprises
A: That’s right, Kim. James, in the Admin Console, go to "Applications". In the search field, search for "Bookmark App" and click "Add". These apps will link users to the specified URL without asking for username and password.
Q: Any tips for supporting applications that ask for something other than just username/password (such as the date)? - Henry Yeh, Senior Systems Engineer, TurnItIn
A: For apps that support Okta Provisioning, additional attributes can be specified using mappings and during assignment, they will be provisioned to the application. With Universal Directory, you can add custom attributes (using Profile Editor) to any application profile. You can populate values for these attributes using mappings or specify the values during application assignment (to a user or group). Then you can include these attributes in your SAML attribute statements.
On adding new applications to the OAN…
Q: Okta's OAN doesn't have a provisioning connector for a critical app in my enterprise. How do I get a connector prioritized and built so I can automate account provisioning? - Twitter
A: Okta has a deep set of applications in the OAN that support SAML and Provisioning, but not all the applications you use may support provisioning. While Okta continues to develop provisioning integrations, we also make it easy for Developers and ISVs to integrate with Okta on top of the SCIM standard. So, if you have an app where you'd like to automate provisioning and it's not supported in the OAN, tell your software vendor to get in touch with Okta.
For more insight into George’s AMA responses, log in to the Community to check out the full conversation. Looking for more on provisioning apps at work? Watch this space for more information on keynotes and sessions on Provisioning at Oktane16.