Org2Org Provisioning Flow

Hi there,

There are some inconsistencies in the Okta documentation related to the provisioning flow in the Org2Org application.

First of all, let’s establish some terminology based on “Integrate Okta Org2Org with Okta” document:

  • Connected org - Org that is connected to a central Okta org. The connected org is the source for user profile data.

Keeping this definition in mind, let’s look at the “Okta Org2Org supported features” document:

Users created in Okta are also created in the connected org.

Hmm… I thought the connected org is the source for user profile data? So is it the opposite?

User password updates made in Okta are pushed to the connected org.

Same as above. So which org is the source?

Updates made to the Okta user profile are pushed to the connected org.

Same as above.

Deactivating a user or disabling application access in Okta removes all user data and the user account in the connected org. When a user is suspended, their data is not removed and they cannot access the application.

Same as above.

Groups and their members can be pushed to the connected org.

Same as above.

Makes the connected org the profile source.

Isn’t this the exact opposite of the features above?

So, my question is, which org is the source for profiles? Is it the central Okta org, or the connected org? According to the features page, there is a provisioning flow in both directions for profile sourcing; however, this violates the point of the hub-and-spoke architecture.

In our particular use case, it is crucially important to have the provisioning flow occurring in the right direction.

Update: I was wrong, and see now that there is a way to sync users/groups in one direction, and push users/groups in the other. Even though the feature description is confusing, it is accurate.