Before starting
If you use an Okta license, Lucca can synchronize your Lucca-administered user data to your Okta directory.
All the steps required to install the connector are described below. This page is mainly intended for your Okta administrator (DSI or IT).
The free Lucca for Okta interface is available via the cog wheel in your Lucca environment. If you do not have the permission, please contact our Help desk team.
Features supported by the application
• Update user attributes
• Import users
• Import groups
Help desk
As a Lucca client, you can contact our customer services with any questions you may have, or to report problems, request improvements, or get advice on how to use our products. We are always ready to provide you with the appropriate solution.
Our consultants and technical teams are not authorized to access your Okta environment, its settings and the permissions you have previously defined with your Okta administrator.
So please describe as precisely as possible the type of problem you are experiencing, with screenshots to help us give you the best possible assistance. We also recommend that you include your Okta consultant in your requests, to make it easier for us to identify your problem.
Activate synchronization between Lucca and Okta
Important: the permission "Administer OKTA synchronization" (Lucca permission) must be enabled for the role of the person in charge of the connection.
Step 1: Retrieve Lucca login information for Okta
Go to the cog wheel in your environment > Authentication, SSO and API > Okta Synchronization and start integration by clicking on the button with the same name.
A window will pop up, inviting you to provide us with your technical administrator's email address. This information will enable us to better identify our contacts if needed, or to send announcements regarding the integration of Lucca into Okta.
After completing the first 2 steps - which we return to in step 3 - you can retrieve the information you need to copy into the Okta interface.
Step 2: Activating Lucca in Okta
In your Okta application, go to the Applications menu and select "Browse App Catalog" and choose the "Lucca" application:
Once Lucca has been selected and added, go to the Provisioning tab, then to Integration.
Enter the required information previously collected in the Lucca for Okta interface.
- URL base
- API Token
- Import Groups. This box lets you define whether or not you want to import groups, which we identify in Lucca by department, legal unit, establishment or country.
Once this step is complete, go to the "To Okta" menu and select "Allow SCIM 2.0 Test App (Header Auth) to activate the data source which will be fed to Okta.
Step 3: In Lucca, configure the integration with Okta.
The first step is to select the properties you want to synchronize with Lucca.
Properties are the user data you manage in Poplee Core HR via the HR File.
If you have activated the option in Okta, define the groups you wish to synchronize in the second step.
Congratulations, your synchronization is now active!
Now the interface is dedicated to the administration of your initial settings, and the status of your integration is displayed in real time.
Step 4 (optional): Authorize the synchronization of future employees.
By default, employees with a contract start date in the future will not be synchronized with Okta.
To implement this synchronization, you need to activate the permission "View future employees" for the Okta API integration API key.
Managing Lucca to Okta data synchronization
[Lucca/Okta] Properties
The Lucca APIs are REST APIs.
They allow us to display all the properties associated with each employee (user), such as contract start date, establishment, occupation category, job title and manager.
To integrate with Okta, we have developed a connection between our APIs and Okta's SCIM APIs. Therefore, a Lucca property becomes a user attribute for Okta.
Customize Lucca data to be synchronized with Okta
From the Okta integration interface, you can add or remove a property from all the data you manage in your HR File.
4 properties are mandatory and cannot be modified:
Note: Configurable compound data and multiple occurrences cannot be synchronized with Okta.
Mapping a Lucca property to an Okta attribute
There are 2 types of attributes:
1. The attribute found in Okta that is displayed at user profile level. This attribute is pushed by Okta to third-party systems.
2. The attribute returned by the API via integration (/lucca-okta/api/users) which tells Okta how to read the property value.
The attributes are managed and read by the integration enabled between Lucca and Okta.
Creating an Okta attribute
In Okta, from the left menu, select Directory → Profile Editor then Profile
The page that appears shows you the Okta attributes you have enabled to synchronize your users.
Here you will find:
- Native attributes: login, firstName, lastName, etc. found in the SCIM 2.0 standard. These attributes cannot be modified.
- Custom attributes
Click on Add Attribute. The next page will then show you how to set the custom attributes defined with:
- a type: string, integer, boolean, etc.
- the display name of the attribute: a human-readable name which will be displayed in the user profile
- a variable, which is the code for the data name, which should be matched with Lucca APIs.
Create the integration with the attribute
In Okta, from the left menu, select Directory → Profile Editor then Apps and Profile for Lucca
This page displays all synchronized and active attributes, both native and custom.
Click on Add Attribute. The page that appears will allow you to set synchronization activation parameters for the attribute you created.
The External namespace field lets you add your attribute (for json) to the Okta schema. In each case, you will find 2 standards in the Okta framework:
- urn:ietf:params:scim:schemas:core:2.0:User : schema associated with the attributes of the standard (firstName, lastName, etc.)
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User : schema recommended by the SCIM standard for custom attributes (dtContractStart, dtContractEnd, etc.)
Here is an example of the json returned by the Lucca.Okta application:
Once the schemas have been validated, fill in the external namespace field with the value: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
That's all there is to it.
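How the external namespace and the attribute name together locate a value in a SCIM 2.0 user resource, as an added example (not Lucca's or Okta's code). The payload is constructed for illustration and is not actual output of the Lucca.Okta application; `resolve`, `check_mappings` and the dotted-path notation are hypothetical helpers.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample payload, not real Lucca output; all values are placeholders.
SAMPLE = json.loads("""
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jane.doe@example.com",
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "dtContractStart": "2024-01-15",
    "dtContractEnd": null
  }
}
""")

def resolve(resource, namespace, external_name):
    """Return the value addressed by (external namespace, external name)."""
    if namespace not in resource.get("schemas", []):
        raise KeyError(f"schema not declared in payload: {namespace}")
    # Core attributes sit at the top level of the resource; extension
    # attributes are nested under a key equal to the extension URN.
    node = resource if namespace == CORE else resource.get(namespace, {})
    for part in external_name.split("."):  # dotted path, e.g. name.givenName
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"attribute not found: {namespace}:{external_name}")
        node = node[part]
    return node

def check_mappings(resource, mappings):
    """Map each (namespace, external_name) to its value or an error string."""
    report = {}
    for namespace, external_name in mappings:
        try:
            report[(namespace, external_name)] = resolve(resource, namespace, external_name)
        except KeyError as exc:
            report[(namespace, external_name)] = f"ERROR: {exc.args[0]}"
    return report

if __name__ == "__main__":
    wanted = [(CORE, "name.givenName"), (ENTERPRISE, "dtContractStart"),
              (CORE, "dtContractStart")]  # last one uses the wrong namespace
    for key, value in check_mappings(SAMPLE, wanted).items():
        print(key[1], "in", key[0].split(":")[-3], "->", value)
```

A custom attribute looked up under the core schema fails to resolve, which is the mismatch to look for when a mapped attribute arrives empty in Okta.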
Configuring mapping in Okta
The last step is to make the connection between Lucca and Okta profile attributes.
Select Directory → Profile Editor, then Apps, and click on Mapping in the Lucca integration.
You can configure Lucca to Okta and Okta to Lucca mapping.
Notes about Okta to Lucca synchronization
Roles and permissions
By default and for security reasons, the Okta connector on the Lucca instance does not allow Okta to modify user data.
If you want to synchronize Okta to Lucca, you need to change the permission of the Okta API key.
In the role administration, you need to add the permissions needed to edit the user file to the Okta API integration API key.
The following permissions are also required for the Okta -> Lucca integration:
- Application "Lucca" -> "Department Administration"
- Application "Lucca" -> "Edit establishments and legal units"
Limitations
DisplayName attribute
- In the Lucca environment, there is no HR displayName data associated with employees.
- By default, Okta expects a displayName attribute with the path urn:ietf:params:scim:schemas:core:2.0:User.displayName.
To make your configuration easier, the displayName is populated by adding the family name (familyName) to the first name (givenName).
However, if you have configured Okta -> Lucca synchronization on the displayName field, synchronization of this field will have no effect. To change the family name or first name, you need to synchronize the familyName and givenName.
Non-configurable compound data
"Non-configurable compound data" (occupation category, calendar, establishments, departments, roles, etc.) can be synchronized to Okta, but cannot be synchronized in the Okta to Lucca direction.
Similarly, data that cannot be modified in the HR file (e.g. theoretical compensation) cannot be modified by Okta.
Type of data specific to the environment (Extended Data)
The simple or compound data created for the environment cannot currently be synchronized in the direction Okta -> Lucca.
Managing groups
There are four groups available in Lucca.
- Departments
- Establishments
- Countries
- Legal units
Each group (/api/groups) shows all users attached to a group.
Lucca values. Okta APIs are available with:
- "LUCCA_LU" for legal units
- "LUCCA_ETS" for establishments
- "LUCCA_DEPT" for departments
- "LUCCA_COUNTRY" for countries
No groups are active by default. Synchronization of this data is not mandatory.
Import users into Okta
Click on Import then Import Now.
When the import is complete, depending on your configuration, some data may need to be validated by you.
To get an import report, go to Directory / People.
Clicking on a user displays synchronized data details.
From Directory/Groups you can also view the group import report, if you have already created one.
Groups are not synchronizable in the direction Okta to Lucca.