Most engineers think…
Most people treat provisioning as 'just turning on a toggle in Okta'. In practice, you need to understand the SCIM resource model, the difference between outbound and inbound sync directions, attribute mapping precedence, and why Group Push can silently overwrite entitlements if misconfigured.
Okta provisioning is a bidirectional pipeline built on SCIM 2.0. The OIN gives you pre-built connectors; attribute mappings decide what flows; and Group Push keeps entitlements consistent. Understanding each layer is what separates a clean, audit-ready directory from one full of ghost accounts.
① SCIM 2.0 and the Okta Integration Network
SCIM 2.0 (System for Cross-domain Identity Management) is the open REST standard that defines how identity providers push and receive user and group objects. Okta implements SCIM 2.0 as its core provisioning protocol: when Okta provisions a user to an app, it makes a SCIM POST /Users call; when it updates a user it sends a PATCH; when it deactivates it sends a PATCH setting active=false. No proprietary format, no custom scripts.
The Okta Integration Network (OIN) is the catalog of pre-built integrations. For provisioning, an OIN-listed connector already implements the required SCIM endpoints on the app side and has been tested by Okta. Enabling provisioning for an OIN app is a matter of entering the SCIM base URL, an auth token, and toggling the capabilities you need — Create Users, Update User Attributes, Deactivate Users, Group Push. The OIN removes weeks of custom connector work for the most common SaaS targets.
Which protocol does Okta use for provisioning user accounts to connected apps?
② Outbound provisioning — pushing from Okta to apps
Outbound provisioning flows from Okta (the IdP/authoritative source) into a target application. The Admin Console surfaces this as the To App tab under the app's Provisioning settings. Four capabilities can be toggled independently: Create Users (create the account in the app when a user is assigned), Update User Attributes (sync profile changes), Deactivate Users (disable the account when unassigned or deactivated in Okta), and Sync Password (for apps that support it).
Assignment is the trigger: a user or group is assigned to the app (directly or via a group rule), and provisioning fires. The Okta profile fields that flow to the app are controlled by the attribute mappings — each mapping names the Okta field, the app field and the direction/priority. You can use expressions (Okta Expression Language) to transform values, e.g. concatenating first and last name for a displayName field.
Common outbound pitfalls
Watch for conflicting mappings (two rules writing the same app field), deactivation not enabled (ghost accounts pile up), and sync delays on large directories — Okta queues provisioning tasks, so a bulk import can take time to flush.
Open REST standard for identity provisioning. Okta uses SCIM POST/PATCH/PUT to create, update and deactivate users and groups across connected apps.
Okta Integration Network — a catalog of thousands of pre-built app integrations with tested SCIM connectors. Enable provisioning in minutes instead of writing custom code.
Outbound sync that keeps Okta group memberships mirrored in the target app. Membership changes in Okta propagate within minutes. Standard group name/description only — no custom attributes.
Per-field rules in the Okta Profile Editor that control which Okta attributes flow to/from an app, the direction, and optional Expression Language transforms.
In an interview, list all four To App provisioning capabilities: Create Users, Update User Attributes, Deactivate Users, and Sync Password. Knowing that each is a separate toggle — and that Deactivate is the one most often forgotten — demonstrates production-level awareness, not just checkbox knowledge.
▶ Watch a new hire get provisioned end-to-end
How a single Okta assignment turns into a live account in a target app. Press Play for the happy path, then Break it to see the most common failure.
What triggers outbound provisioning in Okta for a specific user?
③ Inbound provisioning and attribute mappings
Inbound provisioning is the reverse: an external system (another IdP, an HR platform, or a custom app) pushes user records into Okta. Okta exposes its own SCIM 2.0 API so authoritative sources like Workday, BambooHR or a custom HRMS can create, update and deactivate Okta user accounts directly — making the HR system the master record and Okta the downstream consumer.
The From App tab in the Provisioning settings controls inbound capabilities: Import New Users and Profile Updates (pull records on a schedule or on demand), Import Groups (mirror app-side groups into Okta groups), and the Okta Profile Editor decides whether imported attributes can overwrite the Okta master profile or only fill in gaps (priority-based mapping). Inbound sync typically runs on a schedule — every few hours — or can be triggered manually from the Import tab.
Attribute mapping mechanics
Every provisioning integration has an attribute mapping table in the Okta Profile Editor. Each row maps an Okta Universal Directory attribute to the app attribute, specifies direction (To App / From App / Both / None), and can apply an Okta Expression Language transform. The mapping priority for multi-source environments determines which source wins when two systems try to write the same Okta attribute.
Provisioning is bidirectional. Outbound (To App) pushes from Okta to target apps. Inbound (From App) imports authoritative records from HR systems or external IdPs into Okta. Confusing direction in an exam or interview answer is a common error — always state 'which way the data is flowing and who is the master source'.
An HR system is the authoritative source for all employee records. Which Okta provisioning direction should you configure?
④ Full lifecycle & Group Push
The Okta provisioning lifecycle follows the CRUD model with a twist on Delete: Create (user assigned to app → account created), Read/Import (import or sync pulls current state), Update (profile or group change triggers a SCIM PATCH), and Deactivate (unassign or deactivate in Okta → active=false in the app — Okta deliberately deactivates rather than deletes to preserve audit records in the target). A hard delete only happens if the app integration is configured to support it and the admin explicitly enables it.
Group Push is a dedicated outbound capability that syncs Okta groups — and their membership — to groups in the target app. Each pushed group maps to an app-side group (the mapping can be by name or by explicit rule). When a user joins or leaves the Okta group, the push syncs the membership change within minutes. Group Push does not support custom group attributes in Okta — only standard group name and description flow.
Lifecycle in an exam scenario
The key interview line: Okta deactivates, not deletes. A leaver whose Okta account is deactivated has their app accounts set to active=false via SCIM — access is cut but the account and audit trail remain. Deletion requires an explicit extra step and is usually governed by a retention policy, not the provisioning engine.
Priya at a Pune-based fintech faces this
After enabling provisioning to their cloud CRM, former employees still appear as active users in the CRM weeks after their Okta accounts were deactivated.
The 'Deactivate Users' toggle was never enabled in the CRM app's Provisioning > To App settings.
Check Admin Console > Applications > CRM app > Provisioning > To App — 'Deactivate Users' is OFF. Ghost accounts exist for every leaver since provisioning was first enabled.
Admin Console ▸ Applications ▸ [App] ▸ Provisioning ▸ To AppEnable 'Deactivate Users', save, then use the Import/Force Sync option to reconcile existing accounts. For each leaver already in Okta as Deactivated, trigger a manual provisioning push to deactivate them in the CRM.
Re-check the CRM — all former employees should now show as inactive/disabled. Run a Provisioning report in Okta to confirm deactivation events fired successfully.
Okta records every SCIM call in System Log (event type: app.user.provision.*). When provisioning seems broken, read the System Log entry for the specific user and app — it shows whether the SCIM call succeeded, was rejected by the app, or was never sent. Never troubleshoot provisioning by looking only at the app side.
A leaver's Okta account is deactivated. What happens to their accounts in provisioned apps by default?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: what is the difference between outbound and inbound Okta provisioning, and which one uses the HR system as master? Then compare with the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- SCIM 2.0
- System for Cross-domain Identity Management — the open REST standard Okta uses to automate Create, Update and Deactivate operations across connected apps.
- OIN (Okta Integration Network)
- Okta's catalog of thousands of pre-built app integrations with tested SCIM connectors, enabling provisioning without custom code for supported apps.
- Outbound provisioning
- Provisioning direction where Okta is the master — user and group changes in Okta flow to the target application via SCIM.
- Inbound provisioning
- Provisioning direction where an external system (e.g. an HR platform) is the master — it pushes records into Okta, which becomes the downstream consumer.
- Group Push
- An Okta outbound capability that mirrors Okta group memberships to groups in a target app, keeping role entitlements in sync automatically.
- Attribute mapping
- A per-field rule in the Okta Profile Editor controlling which Okta attribute maps to which app attribute, in which direction, and with optional Expression Language transforms.
- Deactivate Users
- A To App provisioning capability that sends SCIM PATCH active=false when a user is deactivated in Okta, cutting app access while preserving the account for audit.
- Okta Expression Language
- A transform syntax used in attribute mappings to manipulate values (e.g. concatenate, format, conditionally set) before they are sent to or stored from the app.
📚 Sources
- Okta Developer — Understanding SCIM and Okta provisioning concepts. developer.okta.com/docs/concepts/scim/
- Okta Help — Add SCIM provisioning to app integrations (To App and From App settings). help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm
- Okta Developer — Build a SCIM provisioning integration — overview and OIN submission. developer.okta.com/docs/guides/scim-provisioning-integration-overview/main/
- Okta Help — SCIM app integrations — capabilities, Group Push and attribute mappings. help.okta.com/en-us/content/topics/apps/apps-about-scim.htm
- Okta Developer — Okta and SCIM Version 2.0 — endpoints and resource model. developer.okta.com/docs/api/openapi/okta-scim/guides/scim-20
- Okta Developer — Okta Classic Engine & Identity Engine API release notes 2026. developer.okta.com/docs/release-notes/2026/
What's next?
Provisioned? Next, go deep on Okta Workflows and Lifecycle Management hooks that trigger custom logic on user events — suspend, reactivate and custom on/off-boarding automations.