Migrating users from Drupal 7 to Okta

Has anyone successfully migrated users from Drupal 7 to Okta? I need to move about 10k users from Drupal 7 to the Okta directory. I have a JSON file with the user accounts in it, and am using Node.js to do the processing. Our use case requires that users can continue to use their existing credentials.

After much Googling, Stack-Overflowing, reading Drupal code and the Okta API docs - I’m a bit stuck.

  1. I get the pass field from the Drupal user
  2. I extract the salt and hash from the pass

Here’s how I get the settings, salt and hash from the Drupal pass:

const hashType = pass.substring(0,3)
const rounds = pass.substring(3,4)
const salt = pass.substring(4,12)
const hash = pass.substring(12)

I’m then calling /api/v1/users?activate=true with

profile: { email: mail, login: username },
credentials: { password: { hash: { algorithm: 'SHA-512', salt: salt, saltOrder: 'PREFIX', value: hash }}}

which successfully creates the user, but on attempting sign in, gets rejected.

I’ve tried:

  1. switching the saltOrder to POSTFIX
  2. base64 decoding the hash
  3. base64 decoding then encoding the hash
  4. Every combination of the above

Please help, as I don’t know what else to try, and I can’t find any examples of Drupal user accounts being imported into Okta.

I believe I’m correctly following: Users | Okta Developer

And I’m using information from:

and

and

https://www.openwall.com/articles/PHP-Users-Passwords

I’d be grateful for any advice you can offer.

Are the hashes hexdigests of the passwords? Okta only accepts the base64-encoded value of the raw binary data for the hash.

I have not worked with Drupal, but looking at the link you shared, I am a bit confused by the substring code you mentioned. As per the link, the first 4 chars are settings, chars 5-12 are the salt, and the remainder is the hash. Considering 0-indexed substring and that the second parameter is an index, not a length (depending on the library you are using), shouldn’t it be:

const hashType = pass.substring(0,3)
const salt = pass.substring(4,11)
const hash = pass.substring(12)

(Pardon my ignorance if it was indicative code and I took it literally)

Anyways, if you are still having trouble creating the user with a hash and you will have Drupal for some time after users migrate to Okta, maybe it’s a good idea to consider the Password Import Inline Hook and let Okta do the hashing for you?
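
Added example, not part of the thread and not Drupal's or Okta's own code: with the Password Import Inline Hook route mentioned above, the hook handler has to check the submitted password against the stored Drupal value itself. This Node.js sketch follows Drupal 7's `_password_crypt()` for `$S$` hashes (iterated SHA-512, phpass-style base64 alphabet, output truncated to 55 characters); the function names and the sample salt and password are this example's own.

```javascript
const crypto = require('crypto');

// Alphabet used by Drupal 7 / phpass; it is NOT the RFC 4648 base64 alphabet.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const DRUPAL_HASH_LENGTH = 55; // 12-char setting + 43 chars of encoded digest

// phpass-style base64: little-endian 24-bit groups, custom alphabet, no padding.
function drupalBase64(buf) {
  let out = '';
  for (let i = 0; i < buf.length; i += 3) {
    const v = buf[i] | ((buf[i + 1] || 0) << 8) | ((buf[i + 2] || 0) << 16);
    const chars = Math.min(4, buf.length - i + 1); // n bytes -> n + 1 chars
    for (let c = 0; c < chars; c++) out += ITOA64[(v >> (6 * c)) & 0x3f];
  }
  return out;
}

// Split "$S$" + cost char + 8-char salt + 43-char truncated digest.
function parseDrupalHash(stored) {
  const m = /^\$S\$([.\/0-9A-Za-z])([.\/0-9A-Za-z]{8})([.\/0-9A-Za-z]{43})$/.exec(stored);
  if (!m) return null;
  const log2 = ITOA64.indexOf(m[1]); // cost is log2 of the iteration count
  if (log2 < 7 || log2 > 30) return null; // range Drupal 7 accepts
  return { setting: stored.slice(0, 12), log2, salt: m[2], digest: m[3] };
}

// sha512(salt + pw), then 2^log2 rounds of sha512(previous + pw).
function drupalHash(password, setting) {
  const log2 = ITOA64.indexOf(setting[3]);
  const pw = Buffer.from(password, 'utf8');
  const sha = (a, b) => crypto.createHash('sha512').update(a).update(b).digest();
  let h = sha(Buffer.from(setting.slice(4, 12), 'latin1'), pw);
  for (let n = 2 ** log2; n > 0; n--) h = sha(h, pw);
  return (setting.slice(0, 12) + drupalBase64(h)).slice(0, DRUPAL_HASH_LENGTH);
}

// Constant-time comparison of the recomputed string with the stored one.
function verifyDrupalPassword(password, stored) {
  const p = parseDrupalHash(stored);
  if (!p || Buffer.byteLength(password) > 512) return false; // Drupal's length cap
  const a = Buffer.from(drupalHash(password, p.setting));
  const b = Buffer.from(stored);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample (not a real account): hash a password, then verify it.
const SAMPLE = drupalHash('correct horse', '$S$Dabcdefgh');
console.log(SAMPLE, verifyDrupalPassword('correct horse', SAMPLE));
```

Because the stored digest is the result of many chained rounds and is cut to 43 characters, it is not the base64 of a single `sha512(salt + password)`, whichever salt order is chosen.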