How/When does Okta(OIE) sync a user's profile from an external directory source?

We have multiple external LDAP and AD directories through which users are sourced into Okta. Due to complexities in architecture and requirements, we are using a self-hosted login service configured as an identity provider.

In certain cases, we wish to redirect users away from the normal login flow depending on a particular user profile attribute, which again is synced from the value set in the user’s profile in the source (i.e. whatever this attribute is set to in the LDAP or AD user profile).

Now, this redirect action will give users the ability to change their profile values in an external system and not via Okta (as login is configured to fail due to this condition), and the user input will directly update their profile in the profile source (LDAP/AD). This can be something like some missing profile information, etc. Due to reasons I cannot share here, we CANNOT enable the OOTB self-registration feature or develop something similar that updates the user’s Okta profile and syncs it with the profile source.

After the user updates their profile through the external system, the next attempt to log in should not be denied due to any deficiencies in profile info/attributes. However, this is not happening, as the real-time sync is failing to kick in even after multiple user-related Okta API calls like Get User using their login or their Okta ID. These calls were enough to kick in the real-time sync in Okta Classic Engine but are not triggering the sync now that our Okta tenant is upgraded to the Okta Identity Engine. Some actions that will trigger the sync are the admin accessing/refreshing the user’s profile in the Okta admin dashboard (which calls {baseAdminDashboardUri}/admin/user/profile/view/{oktaUserId}) and the end user themselves logging into the Okta dashboard.
Neither of these actions is feasible in our self-hosted login service.

So the actual question after this long wall of text explaining the background is: is there any particular API call that can be made to trigger a real-time sync of the user’s profile, specifically for the Okta Identity Engine? How can this behaviour be emulated using Okta API calls?

Thanks for spending the time to read this very long question; any help or leads are appreciated.

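Since a plain Users API read does not refresh the profile on Identity Engine, one defensive pattern for a self-hosted login service is to compare Okta's `lastUpdated` against the directory entry's modify timestamp and trust whichever copy of the gating attribute is fresher, rather than denying the user on a stale Okta profile. This is an added example, not code from the thread; `ORG_URL`, `API_TOKEN`, `GATING_ATTR`, the assumption that the login service can read the LDAP entry, and the sample records are all constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

ORG_URL = "https://example.okta.com"   # placeholder org URL (assumption)
API_TOKEN = "00REPLACE_ME"             # placeholder SSWS API token (assumption)
GATING_ATTR = "department"             # hypothetical attribute that drives the redirect

def fetch_okta_user(login: str) -> dict:
    """GET /api/v1/users/{login}. As reported in the thread, this read does not
    itself trigger a JIT profile sync on OIE, so the result may lag the directory."""
    req = urllib.request.Request(
        f"{ORG_URL}/api/v1/users/{urllib.parse.quote(login, safe='')}",
        headers={"Authorization": f"SSWS {API_TOKEN}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _parse_ts(value: str) -> datetime:
    # Okta uses ISO-8601 with a trailing 'Z'; LDAP modifyTimestamp looks like 20240102030500Z.
    if value.endswith("Z") and "T" not in value:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def resolve_gating_value(okta_user: dict, directory_entry: dict) -> tuple:
    """Pick which copy of GATING_ATTR to trust. If the directory entry changed after
    Okta last updated the user, JIT has not caught up and the directory value wins.
    Returns (value, source)."""
    okta_updated = _parse_ts(okta_user["lastUpdated"])
    dir_modified = _parse_ts(directory_entry["modifyTimestamp"])
    if dir_modified > okta_updated:
        return directory_entry.get(GATING_ATTR), "directory"
    return okta_user["profile"].get(GATING_ATTR), "okta"

def should_redirect(okta_user: dict, directory_entry: dict) -> bool:
    """Send the user to the external profile-completion flow only when the
    freshest copy of the attribute is still missing."""
    value, _ = resolve_gating_value(okta_user, directory_entry)
    return not value

# Constructed sample: the user fixed 'department' in LDAP five minutes after Okta last synced.
SAMPLE_OKTA_USER = {
    "id": "00u_example", "status": "ACTIVE",
    "lastUpdated": "2024-01-02T03:00:00.000Z",
    "profile": {"login": "jane@example.com", "department": ""},
}
SAMPLE_LDAP_ENTRY = {"modifyTimestamp": "20240102030500Z", "department": "Finance"}

if __name__ == "__main__":
    print(resolve_gating_value(SAMPLE_OKTA_USER, SAMPLE_LDAP_ENTRY))  # ('Finance', 'directory')
```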

Hello ABD,

You mentioned using Real Time Provisioning, and that it doesn’t seem to work since you upgraded. I assume this is referring to JIT, is that correct? If so, have you checked to make sure it remained on after your move to Identity Engine? Add and update users with Active Directory Just-In-Time provisioning | Okta


Hi Daniel,

I have checked our directory integrations, and JIT is enabled with the checkbox ‘Create and update users on login’ checked. However, we still see this 10-15 min delay before the updated profile of the user in the directory is reflected in the user’s Okta profile (unless, of course, one of the manual actions that I mentioned earlier is performed).


Hello, we have the same issue. Was there a solution or any documentation you can point us to?

Do you still not see it syncing when the user actually logs into Okta? Or do you only see the sync happen when an import occurs?

It does sync when the user logs in, but take the following scenario.

  • A user creates an account, this account is created in LDAP
  • User forgets their password and tries to go through the forgot password flow

Since this user has not been synced yet and none of the actions mentioned above has been performed (logging in, because of the forgotten password, and the admin console, for obvious reasons), this user must then wait until the sync runs to reset their password.