While the Okta and Salesforce documentation is comprehensive, while setting up and testing the integration, I found complications relating to missing attributes and problems with use of multiple groups for Salesforce Permissionsets and Profiles.
Missing Attributes
By default the following attributes are not mapped to the Okta Integration Network Salesforce app, which must be used if using Okta for Salesforce user provisioning:
* Email Encoding (EmailEncodingKey)
* SAML Federation ID (FederationIdentifier)
* Locale (LocaleSidKey)
* Time Zone (TimeZoneSidKey)
All of these are substantial for many Salesforce setups, so to add them, navigate from the Okta Admin Dashboard through Directory > Profile Editor. Search for the Salesforce App and select it, to bring up the Profile Editor. Select “Add Attribute”.
Select the missing attributes then select Save.
Navigate through the Okta Admin Dashboard to Applications then Application and select the Salesforce app. Select Provisioning and scroll down and the attributes will be available to assign values to:
Multiple Group Membership
Using Okta for Salesforce provisioning, the default settings cause a problem when more than one Salesforce PermissionSets, Profiles and PublicGroups are being used. This is documented on Okta’s KB: User Assigned to the Salesforce App through Multiple Groups only Inherit the Permission Sets from One Group
The default behaviour will cause only the first group (in the Okta provisioning order) to be transmitted to Salesforce, however this is insufficient for most Salesforce configurations which use more than one group to logically separate users into permission sets and profiles, and users may well be in more than one group.
Navigate from the Okta Admin Dashboard to Directory > Profile Editor. Search for the Salesforce app and select it.
The profile editor will appear:
Scroll down and select the pencil next to “PermissionSets”:
Change “Use Group Priority” to “Combine values across groups” and select [Save Attribute]
Repeat for other attributes that are managed through group membership, where it is possible for a user to be a member of multiple groups (e.g. “Public Groups”)