# Advanced Configuration for Okta UserSync Connector

## UserSync Okta connector properties

### Okta Connector Info

Property | Description | Example |
---|---|---|
OKTA_CONNECTOR | Name of the connector. | OKTA |
OKTA_ENABLED | Enabled status of connector. (true/false) | true |
OKTA_SERVICETYPE | Type of service/connector. | okta |
OKTA_DATASOURCE_NAME | Unique datasource name, used for identifying source of data and configuring priority list. (Optional) | |
OKTA_SERVICE_URL | The Okta endpoint URL | https://myOktaDomain.okta.com |
OKTA_API_TOKEN | API token | A8b2c84d-895a-4fea-82dc-401397b8e50c |
OKTA_SYNC_INTERVAL | Frequency of usersync pulls and audit records in seconds. Default value is 3600, minimum value is 300. | 3600 |
### Okta Manage/Ignore List of Users/Groups

Property | Description | Example |
---|---|---|
OKTA_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
OKTA_IGNORE_USER_LIST | List of users to ignore from sync results. | |
OKTA_USER_LIST_STATUS | List of users to manage whose status equals one of: STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT or DEPROVISIONED. If this list is defined, all users not on this list will be ignored. | ACTIVE,STAGED |
OKTA_USER_LIST_LOGIN | List of users to manage with user login name (can contain _). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
OKTA_USER_LIST_PROFILE_FIRSTNAME | List of users to manage with user first name (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
OKTA_USER_LIST_PROFILE_LASTNAME | List of users to manage with user last name (can contain _). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
OKTA_LIST_PROFILE_EMAIL | List of users to manage with user email (can contain ). If this list is defined, all users not on this list will be ignored. | sw;mon,san |
OKTA_LIST_TYPE | List of groups to manage with group type. If this list is defined, all groups not on this list will be ignored. | APP_GROUP,BUILT_IN,OKTA_GROUP |
OKTA_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
OKTA_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
OKTA_GROUP_LIST_SOURCE_ID | List of groups to manage with group source id. If this list is defined, all groups not on this list will be ignored. | 0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0 |
OKTA_GROUP_LIST_PROFILE_NAME | List of groups to manage with group name. If this list is defined, all groups not on this list will be ignored. | group1,testGroup,testGroup2 |
### Okta Search

Property | Description | Example |
---|---|---|
OKTA_SEARCH_USER_GROUPONLY | Boolean to only load users in groups. | false |
OKTA_SEARCH_INCREMENTAL_ENABLED | Boolean to enable incremental search, syncing only changes since last search. | false |
OKTA_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false |
### Okta User/Group Attributes

Property | Description | Example |
---|---|---|
OKTA_ATTRIBUTE_USERNAME | Attribute from user entry that would be treated as user name. | login |
OKTA_ATTRIBUTE_FIRSTNAME | Attribute from user entry that would be treated as first name. | firstName |
OKTA_ATTRIBUTE_LASTNAME | Attribute from user entry that would be treated as last name. | lastName |
OKTA_ATTRIBUTE_EMAIL | Attribute from user entry that would be treated as email address. | email |
OKTA_ATTRIBUTE_GROUPS | Attribute of user’s group list. | groups |
OKTA_ATTRIBUTE_GROUPNAME | Attribute of a group’s name. | name |
### Okta User/Group Attribute Modifications

Property | Description | Example |
---|---|---|
OKTA_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the user’s username from an email address. (e.g. username@domain.com -> username) The default is false. | false |
OKTA_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to username. The default is blank. | |
OKTA_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. The default is blank. | |
OKTA_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the user’s username to lowercase. The default is false. | false |
OKTA_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the user’s username to uppercase. The default is false. | false |
OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex applied to rewrite the username. The default is blank. | |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group’s name from an email address (e.g. groupname@domain.com -> groupname). The default is false. | false |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group’s name. The default is blank. | |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group’s name. The default is blank. | |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group’s name to lowercase. The default is false. | false |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group’s name to uppercase. The default is false. | false |
OKTA_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex applied to rewrite the group’s name. The default is blank. | |
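The username modifications above are applied before the name reaches Ranger, so two distinct Okta accounts can end up as one downstream user (for instance when extract-from-email and lowercase are both enabled and two logins differ only in case). The following added example, which is not Privacera's code, applies the modifications to a constructed list of logins and reports such collisions. The page does not state the order in which the connector applies the modifications, so the order used here is an assumption; the regex setting is modelled as `<pattern>-><replacement>` applied with `re.sub`, which is also an assumption about how `OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX` is interpreted.

```python
"""Apply username modifications and check the derived names for collisions.

Added example; it is not Privacera's code. The table above lists the
modifications (extract-from-email, prefix, postfix, lowercase, uppercase,
regex) but not the order in which the connector applies them, so the order
used here is an assumption. The regex setting is modelled as
"<pattern>-><replacement>" applied with re.sub, also an assumption about
how OKTA_ATTRIBUTE_USERNAME_VALUE_REGEX is interpreted.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UsernameRules:
    extract_from_email: bool = False
    prefix: str = ""
    postfix: str = ""
    to_lower: bool = False
    to_upper: bool = False
    regex: Optional[str] = None  # assumed format: "<pattern>-><replacement>"

    def apply(self, raw: str) -> str:
        value = raw
        if self.extract_from_email and "@" in value:
            value = value.split("@", 1)[0]  # username@domain.com -> username
        if self.regex:
            pattern, sep, replacement = self.regex.partition("->")
            if not sep:
                raise ValueError(
                    f"regex rule must be '<pattern>-><replacement>': {self.regex!r}"
                )
            value = re.sub(pattern, replacement, value)
        if self.to_lower:
            value = value.lower()
        if self.to_upper:
            value = value.upper()
        return f"{self.prefix}{value}{self.postfix}"


# Constructed sample Okta logins; the first two differ only in case.
SAMPLE_LOGINS = [
    "Alice.Smith@example.com",
    "alice.smith@example.com",
    "bob@example.com",
    "carol.j@example.com",
]


def find_collisions(logins: List[str], rules: UsernameRules) -> Dict[str, List[str]]:
    """Map each derived username to the source logins that produce it and keep
    only names with more than one source. Distinct Okta accounts that collapse
    onto one downstream user would share that user's Ranger authorizations, so
    run this over the real login list before enabling such rules."""
    sources: Dict[str, List[str]] = defaultdict(list)
    for login in logins:
        sources[rules.apply(login)].append(login)
    return {name: src for name, src in sources.items() if len(src) > 1}


if __name__ == "__main__":
    rules = UsernameRules(extract_from_email=True, to_lower=True)
    print(find_collisions(SAMPLE_LOGINS, rules))
```

Running the block with extract-from-email and lowercase enabled reports `alice.smith` as produced by both sample logins; with no rules enabled the list is collision-free. The same check applies to the group-name modifications, since a collision there merges two groups' memberships.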
## UserSync system properties on Privacera Self-Managed and Data Plane

UserSync property | Description | Property | Default |
---|---|---|---|
PRIVACERA_USERSYNC_RANGER_URL | Address of Ranger instance. | ranger.url | http://ranger:6080 |
PRIVACERA_USERSYNC_RANGER_USERNAME | Username of Ranger user. | ranger.username | admin |
PRIVACERA_USERSYNC_RANGER_PASSWORD | Password of Ranger user. | ranger.password | admin |
PRIVACERA_USERSYNC_CONTEXT_CLASS | Implementation class used for USContext, the storage of synced Users and Groups. Options: com.privacera.usersync.context.USContextRocksDB, com.privacera.usersync.context.USContextMemory | usersync.context.class | com.privacera.usersync.context.USContextRocksDB |
PRIVACERA_USERSYNC_CONTEXT_DATASOURCE_PRIORITY_LIST | Priority list of configured datasources. Sources nearest the beginning of the list will be used over sources later in the list. | usersync.context.datasource.priority.list | |
PRIVACERA_USERSYNC_DETECT_CACHE_DIFFERENCES_ENABLED | Enables cache synchronization. While UserSync reads data from an IdP, the incoming user data is kept in a cache for performance and periodically compared to the user data already synced to the Privacera portal. From that cache, UserSync pushes the IdP user data that has been reconciled with the Privacera portal to the connected applications. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.enabled | true |
PRIVACERA_USERSYNC_DETECT_CACHE_INTERVAL_SECONDS | Frequency of cache synchronization in seconds. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.intervalInSeconds | 43200 |
PRIVACERA_USERSYNC_LOADER_BULK_ENABLED | Load users to Portal in batches. | usersync.user.loader.bulk.enabled | true |
PRIVACERA_USERSYNC_LOADER_BULK_BATCHSIZE | Size of batches to load Users into Portal. | usersync.user.loader.bulk.batchsize | 100 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCH_ENABLE | Load group memberships to Portal in batches. | usersync.user.loader.update.group.memberships.batch.enable | false |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCHSIZE | Size of batches to load Group memberships into Portal. | usersync.user.loader.update.group.memberships.batchsize | 1000 |
PRIVACERA_USERSYNC_STARTUP_PERFORM_OPERATIONS_ENABLED | Scan for and perform any pending operations in cache (User/Group objects) at service start-up. | usersync.startup.performoperations.enabled | true |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MIN | Minimum threads for processing user/group updates (<=0 will use a cached thread pool). | usersync.user.loader.process.thread.min | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MAX | Maximum threads for processing user/group updates (if min is <= 0, this has no effect). | usersync.user.loader.process.thread.max | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_KEEPALIVE_SECONDS | Keep alive time for threads processing user/group updates. | usersync.user.loader.process.thread.keepalive.seconds | 30 |
PRIVACERA_USERSYNC_SECRETS_FILE | JCEKS KeyStore File Paths | privacera.usersync.keystore.files | |
PRIVACERA_USERSYNC_SECRETS_KEYSTORE_PASSWORDS | JCEKS KeyStore Files Passwords | privacera.usersync.keystore.passwords | |
PRIVACERA_USERSYNC_SECRETS_KEYPREFIX | Secure keys alias prefix | privacera.usersync.secure.key.prefix | jceks |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_FILE | SSL Truststore path | ssl.truststore | |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD | SSL Truststore password | ssl.truststore.password | |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for initializing Ranger user loader. | usersync.user.loader.ranger.init.retryinterval.ms | 30000 |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_LIMIT | Maximum retry attempts for initializing Ranger user loader. (<0 indicates unlimited retries) | usersync.user.loader.ranger.init.retrylimit | -1 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for requests to Ranger | ranger.request.retryinterval.ms | 10000 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_LIMIT | Maximum retry attempts for requests to Ranger | ranger.request.retrylimit | 3 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BULK_ENABLED | Enable bulk update of group memberships to Ranger | usersync.user.loader.update.group.memberships.bulk.enabled | true |
PRIVACERA_USERSYNC_CONTEXT_OPEN_MAX_RETRY | Maximum retry attempts to open RocksDB cache | usersync.context.rocksdb.open.max.retry | 5 |
PRIVACERA_USERSYNC_CONTEXT_OPEN_DESTROY_ON_FAIL | Enable automatic destroy of RocksDB cache if unable to open (corrupted). Cache will be rebuilt. | usersync.context.rocksdb.open.destroyonfail | true |
PRIVACERA_USERSYNC_API_SECURITY_USER_NAME | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.name | |
PRIVACERA_USERSYNC_API_SECURITY_USER_PASSWORD | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.password | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST | Priority list of roles if a user has multiple roles mapped. Highest priority role will be applied to the user. | usersync.user.loader.assign.role.priority.list | ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST | Provide a list of user names, who will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.user.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST | Provide a list of user names, who will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.user.list | |
## Okta fields for UserSync on PrivaceraCloud

These are descriptions of the fields for configuring PrivaceraCloud UserSync for Okta.

### Add Connector

Field name | Description |
---|---|
Enable Connector | Enable or disable this connector. |
Service Type | Okta |
Name | Identifying name of this connector. |
### Configure Connector

Field name | Description | Tab in application set-up |
---|---|---|
Endpoint URL | Okta endpoint URL | Basic |
Bearer Token | API token for auth to Okta API | |
Group Only | Sync only users that are members of groups. Allowable values: true or false | Advanced |
Attribute Only | Sync only the attributes of users already synced from other services. Allowable values: true or false | Advanced |
Incremental | Enable incremental search. Syncing only changes since last search. Allowable values: true or false | Advanced |
Search Deleted User | Enable detection of deleted users. Allowable values: true or false | Advanced |
Search Deleted Group | Enable detection of deleted groups. Allowable values: true or false | Advanced |
Search Deleted Cycles | Number of cycles to search for deleted users and groups. Default value is 6. | Advanced |
Sync Interval | Interval in minutes to sync users. Default value is 60. | Advanced |
Add Custom Properties | Custom properties to pass to the connector. | Advanced |
### Configure Filters

Field name | Description | Tab in application set-up |
---|---|---|
Include Users | List of users to include from sync results. If this list is defined, all users not on this list are ignored. | Basic |
Exclude Users | List of users to ignore from sync results. | Basic |
Filter Users by Status | List of users to manage whose status equals one of STAGED, PROVISIONED, ACTIVE, RECOVERY, PASSWORD_EXPIRED, LOCKED_OUT, DEPROVISIONED. If this list is defined, all users not on this list are ignored. Example: eq;ACTIVE,STAGED | Basic |
Filter Users by Login | List of users to manage with user login name. Format filterOperator;login,login2,login3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all users not on this list are ignored. Example: sw;mon,san | Basic |
Filter Users by First Name | List of users to manage with user first name. Format filterOperator;firstName,firstName2,firstName3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all users not on this list are ignored. Example: sw;mon,san | Basic |
Filter Users by Last Name | List of users to manage with user last name. Format filterOperator;lastName,lastName2,lastName3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all users not on this list are ignored. Example: sw;mon,san | Basic |
Filter Users by Email | List of users to manage with user email. Format filterOperator;email,email2,email3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all users not on this list are ignored. Example: sw;mon,san | Basic |
Include Groups | List of groups to include from sync results. If this list is defined, all groups not on this list are ignored. | Basic |
Exclude Groups | List of groups to exclude from sync results. | Basic |
Filter Groups by Type | List of groups to manage with group type. Format filterOperator;groupType,groupType2,groupType3 If this list is defined, all groups not on this list are ignored. Example: eq;APP_GROUP,BUILT_IN,OKTA_GROUP | Basic |
Filter Groups by Name | List of groups to manage with group name. Format filterOperator;groupName,groupName2,groupName3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all groups not on this list are ignored. Example: sw;mon,san | Basic |
Filter Groups by sAMAccountName | List of groups to manage with group sAMAccountName. Format filterOperator;sAMAccountName,sAMAccountName2,sAMAccountName3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all groups not on this list are ignored. Example: sw;mon,san | Basic |
Filter Groups by Source ID | List of groups to manage with group source ID. Format filterOperator;sourceId,sourceId2,sourceId3 Supported values for filterOperator are 'sw' or 'eq'. If this list is defined, all groups not on this list are ignored. Example: eq;0oa2v0el0gP90aqjJ0g7,0oa2v0el0gP90aqjJ0g8,0oa2v0el0gP90aqjJ0g0 | Basic |
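The filter format in the table above is `filterOperator;value,value2,...` with `sw` (starts with) or `eq` (equals) as the operator, and every defined list excludes whatever it does not match. The following added example, which is not Privacera's code, parses such filter strings and applies them to a constructed set of Okta-style user records so the effect of combining a login filter with a status filter can be seen before it is configured. Two points are assumptions rather than statements from the page: comparisons are case-sensitive, and several defined lists combine as AND (the natural reading of "all users not on this list are ignored" being applied per list).

```python
"""Parse and apply UserSync-style filter lists to sample user records.

Added example; it is not Privacera's code. It assumes the filter syntax given
in the table above: "<filterOperator>;<value>,<value2>,..." where the operator
is "sw" (starts with) or "eq" (equals). Case-sensitive comparison and AND
combination of several defined lists are assumptions, not statements from
the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUPPORTED_OPERATORS = ("sw", "eq")


@dataclass(frozen=True)
class FilterList:
    operator: str
    values: Tuple[str, ...]

    def matches(self, value: str) -> bool:
        if self.operator == "eq":
            return value in self.values
        return any(value.startswith(v) for v in self.values)


def parse_filter_list(spec: Optional[str]) -> Optional[FilterList]:
    """Return None for an undefined (empty) list: per the table, an undefined
    list imposes no restriction. Malformed specs raise instead of silently
    matching nothing or everything."""
    if spec is None or not spec.strip():
        return None
    operator, sep, rest = spec.partition(";")
    operator = operator.strip().lower()
    if not sep or operator not in SUPPORTED_OPERATORS:
        raise ValueError(
            f"filter must start with one of {SUPPORTED_OPERATORS} followed by ';': {spec!r}"
        )
    values = tuple(v.strip() for v in rest.split(",") if v.strip())
    if not values:
        raise ValueError(f"filter has no values: {spec!r}")
    return FilterList(operator, values)


# Constructed sample users, shaped like the Okta profile fields named in the table.
SAMPLE_USERS = [
    {"login": "monica.r", "firstName": "Monica", "lastName": "Rivera",
     "email": "monica.r@example.com", "status": "ACTIVE"},
    {"login": "sandeep.k", "firstName": "Sandeep", "lastName": "Kaur",
     "email": "sandeep.k@example.com", "status": "STAGED"},
    {"login": "montgomery", "firstName": "Monty", "lastName": "Burns",
     "email": "montgomery@example.com", "status": "LOCKED_OUT"},
    {"login": "alice", "firstName": "Alice", "lastName": "Adams",
     "email": "alice@example.com", "status": "ACTIVE"},
]


def apply_filter_lists(users: List[dict], filters: Dict[str, Optional[str]]) -> List[dict]:
    """Keep a user only if every defined filter list matches (assumed AND).
    `filters` maps a user attribute ("login", "status", ...) to its filter spec."""
    parsed = {attr: parse_filter_list(spec) for attr, spec in filters.items()}
    return [
        u for u in users
        if all(f is None or f.matches(u.get(attr, "")) for attr, f in parsed.items())
    ]


def kept_logins(users: List[dict], filters: Dict[str, Optional[str]]) -> List[str]:
    """Logins that survive the given filter lists, in input order."""
    return [u["login"] for u in apply_filter_lists(users, filters)]


if __name__ == "__main__":
    print(kept_logins(SAMPLE_USERS, {"login": "sw;mon,san"}))
    print(kept_logins(SAMPLE_USERS, {"login": "sw;mon,san", "status": "eq;ACTIVE,STAGED"}))
```

With only `sw;mon,san` on the login, the sample keeps `monica.r`, `sandeep.k` and `montgomery`; adding `eq;ACTIVE,STAGED` on the status drops the `LOCKED_OUT` account. Checking the combined outcome this way against an export of the real directory is the quickest way to confirm that a status filter does not silently exclude accounts that should still be synced.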
### Base Attributes

Field name | Description | Tab in application set-up |
---|---|---|
Username | Attribute of a user’s username. Default: login. | Basic |
First Name | Attribute of a user’s first name. Default: firstName. | Basic |
Last Name | Attribute of a user’s last name. Default: lastName. | Basic |
Email | Attribute of a user’s email. Default: email. | Basic |
Group Name | Attribute of a group’s name. Default: name. | Basic |
Extract From Email | Extract the attribute from an email address. Example: username@domain.com extracts username. Default: false. | Advanced |
Prefix | Prefix to prepend to the attribute value. No default. | Advanced |
Postfix | Postfix to append to the attribute value. No default. | Advanced |
To Lowercase | Convert the attribute value to lowercase. Default: false. | Advanced |
To Uppercase | Convert the attribute value to uppercase. Default: false. | Advanced |
Regex | Apply regex to attribute value. No default. | Advanced |
### Custom User Attributes

Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with user. | Basic |
### Custom Group Attributes

Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with group. | Basic |