Adding attributes to the synchronization
Troubleshooting and Frequently Asked Questions
About the integration
Once set up, our integration with Okta allows you to automate the user management and/or to use Single Sign-On in Leapsome:
If you choose to activate user provisioning with Okta, you can use the following features:
- Pushing New Users: Creating a new user in Okta and assigning them to the Leapsome application will create a new user in Leapsome.
- Pushing User Profile Updates: Updates to a user in Okta will be pushed to Leapsome.
- Deactivating Users: Deactivating the user or disabling the user's access to Leapsome within Okta will deactivate the user in Leapsome.
- Importing New Users: Users created in Leapsome can be pulled into Okta and turned into new AppUser objects for matching against existing Okta users.
- Pushing Groups: Groups created in Okta can be pushed to Leapsome. Attributes pushed include name and group members.
- Pulling Groups: Groups created in Leapsome can be pulled into Okta for reference within Okta.
The sync frequency depends on the source system.
Setting up the integration
Before you get started
- Add the Leapsome App from the Okta App Catalog and make sure you have configured the General Settings for it. Confirm your changes by clicking 'Done'
- Generate an Access Token within Leapsome
- Log in as an Admin and navigate to 'Settings' > 'Integrations' > 'HRIS Integrations'
- Select the tab 'SCIM (Azure AD, Okta, OneLogin)'
- Click 'Update & Synchronize'
- Copy the SCIM Authentication Token
Activating the integration in Okta
- Within Okta, navigate to 'Applications' and click on the Leapsome App.
- On the 'Provisioning' Tab, click on the button 'Configure API Integration'
- Check the 'Enable API integration' box
- Within the 'API Token' textbox, enter the token you generated in Leapome earlier
- By checking the box next to 'Import Groups', you have the option to pull Teams that are already in your Leapsome Account to your Okta account. We recommend leaving this box unchecked, as Okta should be the source of truth for your Groups.
- Click 'Test API Credentials', to check if your Token is working properly
- Once this test was successful, save your settings by clicking 'Save'
Configuring the Provisioning in Okta
1. Configure 'To App' settings
On the 'To App' tab, enable the following options, by clicking on 'Edit'
- Create Users (default username should be set to Email - you can edit this by clicking on 'default username')
- Update User Attributes
- Deactivate users
In the Leapsome attribute mappings, choose the following settings
Please note, that you don't necessarily need to create a mapping to populate Leapsome's 'Teams' attribute with data from your Okta Divisions, Departments, Teams, or similar. If these teams are also set up as 'Groups' in Okta, you can simply push the Groups to Leapsome, to create and assign corresponding teams. Learn more about pushing Groups here.
2. Configure 'To Okta' settings
On the 'To Okta' tab, choose the following settings
- Schedule import: 'Never'
- Okta username format: 'Email Address'
3. Assign users to the Leapsome App
You can now assign people to the app and finish the setup. To do that, just navigate to the 'Assignments' Tab of the Leapsome App, and add People or Groups as you prefer.
For the initial user provisioning, 2 forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.
Adding attributes to the synchronization
You can also add further attributes to the synchronization between Okta and Leapsome.
1. Add additional attributes to the 'Leapsome User Profile' in Okta
If you wish to sync additional attributes, please navigate to the 'Provisioning' > 'To App' and click 'Go to Profile Editor', followed by 'Add attribute'. Within this menu, you will now first create and define the target attributes that Okta should send information from your Directory to.
You can add a number of default Leapsome attributes and custom attributes (see below). Please note their exact external names and the external namespace (below) and choose other properties as you prefer to see them in Okta:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
- Location:
- external name: location
- required format: string
- Start date
- external name: startDate
- required format: string, YYYY-MM-DD
- End date
- external name: startDate
- required format: string, YYYY-MM-DD
- Birthday
- external name: birthday
- required format: string, YYYY-MM-DD
- Level
- external name: level
- required format: string
- Additional Managers
- external name: additionalManagers
- required format: string, comma-separated list of email addresses
- Any custom attribute
- external name: Custom Attribute ID from Leapsome, e.g. 62fdf81aad7b3e32f4040f2e
You can also send data from Okta to custom Leapsome attributes. If you want data from Okta to appear as a custom attribute in Leapsome, please first create the corresponding attribute in Leapsome by following these instructions. Please copy the ID of your custom Attribute, as you will need it for the setup.
2. Define a mapping for these new attributes
Once you have created your attributes, please click on 'Mappings' within the 'Profile Editor', go to 'Okta User to Leapsome' and select the properties in Okta that should be mapped to your newly created attributes.
Please note that additional attributes will only be synced on the first update (not creation) run, so you'd need to enforce two syncs to make these attributes show in Leapsome.
Troubleshooting and Frequently Asked Questions
Cost center and department as 'teams' in Leapsome
The Leapsome attribute 'teams' offers the broadest set of functionalities, e.g. when compared to a custom attribute (e.g. advanced data segmentation, defining scopes for surveys, reviews, learning paths or goals). If your organization uses the 'cost center' or 'department' attributes, we will therefore automatically create a new Leapsome team for each department or cost center and will automatically add the corresponding users to it.
The manager is not syncing
Make sure that the manager exists within Leapsome before provisioning. Leapsome will ignore any manager assignments that include managers not present in Leapsome.
Okta sends the manager information present in the managerId field for a given user. The information in the field can be:
- an email address for the manager
- a Leapsome ID for the user
- Okta's ID for the user
Make sure this field is populated.
For the initial user provisioning, two forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.
Can I change the userName?
Leapsome depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userName is updated but their email address is not.
Updates or de-provisioning are not working for some users
This issue may occur when a user was added to Leapsome manually or prior to SCIM being enabled. Please see the 'Users added to Leapsome manually?' below.
I receive an 'Email address already in use?' error when creating a user
This error may occur when a user was added to Leapsome manually or prior to SCIM being enabled. Please see the FAQ 'I have added user manually to Leapsome before setting up the integration. How can I ensure that Okta can recognize them?'
I have added user manually to Leapsome before setting up the integration. How can I ensure that Okta can recognize them?
Users added to Leapsome manually or before SCIM was enabled for the Leapsome account may not be tracked by Okta. To make Okta aware of these users' membership in Leapsome, perform an 'Import' within Okta. Under the Leapsome app in Okta, find the 'Import' tab, and click 'Import Now'.
A list of Leapsome users and possible associations with Okta users will be populated below. Click 'Confirm Assignments' and these users will now be tracked, updated, and de-provisioned by Okta. Please make sure all of the users you would like to import from Leapsome are active as inactive users will not be imported by Okta.
Using Okta Groups to create and Update 'Teams' in Leapsome
We suggest to create groups in Okta first and then push those groups to Leapsome via the 'Push Groups' button in Okta.
If you have groups already in Leapsome and want to associate those groups with groups in Okta, take the following steps:
- Create a group with the same name in Okta. For example, if a 'Strategy' group exists in Leapsome, create a 'Strategy' group in Okta.
- Add members to the group in Okta.
- Push the group to Leapsome (only the name of the group and its members will be pushed).
If a group in Okta has the same name as an existing team in Leapsome, pushing the group from Okta to Leapsome will not create a new group. Instead, the group from Okta will overwrite the membership of the group in Leapsome.
Comments
0 comments
Please sign in to leave a comment.