Download the latest version from the releases and run the installer on the server that has the FIM synchronization service installed.
Once the management agent has been installed, you may need to restart the FIM Synchronization Service Client application if you do not see the Okta (Lithnet) management agent type listed.
| Setting | Description |
|---|---|
| Tenant URL | This is the URL of your Okta domain. Be sure that you DO NOT include the -admin suffix that appears when visiting the admin console of your tenant |
| API key | Create an API key using the guide provided by Okta |
| Log file | Specify the path to a location where the log file will be created. Ensure that the FIM sync engine service account has access to write to this location |
These settings control the behaviour of the management agent.
This will include groups that are built into Okta itself. These groups have a type of BUILT_IN within Okta itself.
Allows the management agent to import groups with a type of APP_GROUP. These are typically created by external applications, such as the Active Directory agent.
The management agent will always import groups of type OKTA_GROUP when the group object class is selected in the Select Object Types page of the management agent configuration.
If the management agent is with a deprovisioning action of 'Stage a delete of the object on the next run', you can configure the specific way that objects are deleted.
- Deactivate - Users are deactivated, but not deleted. Deactivated users will not be seen by FIM. Deletes will be confirmed on a delta import. Users must be deleted manually from Okta.
- Delete - Users will be deactivated and then automatically deleted. Deletes will only be confirmed on the next full import.
Instructs the management agent to automatically activate the users when they are created in Okta. If this option is not selected, the users are place in a STAGED status.
When the management agent is configured to activate new users, this setting allows you to specify if Okta should send an activation email to new users.
Select the object types that you wish to manage. As API calls are expensive, don't select any object types that you don't need.
Do note, that the group object type is currently read-only.
Select the attributes that you wish to manage. It is important to note that
- The
idattribute is mandatory - Selecting the
availableFactorsandenrolledFactorsattributes will slow down your import process. These attributes each require a separate API call, and therefore can add significantly to the total time an import process will take. Consider the use of these attributes carefully.
Configure your attribute flows, filters and join rules as needed.
When provisioning new users, use any unique value as the DN, such as a GUID. The actual value does not matter. This will be replaced by the objectId during the confirming import.