OKTA custom manager attribute

1 Purpose 

This document outlines the customer requirements for synchronising a user's manager email address into the MyCompliance application. As with other OKTA attributes, the manager's email address can be synced using the SCIM protocol. However, the SCIM 2.0 enterprise User extension (RFC 7643) identifies a manager by id (the manager.value sub-attribute), not by email address, so sending an email address is not supported by default. It therefore must be configured as a custom attribute within OKTA.

2 Supported Features 

The OKTA IdP can be used for the following custom function:

• Synchronising the manager email address attribute.

• Only a single method of identifying the manager may be used, i.e. you cannot sync both managerId and managerEmail.

3 Requirements 

Create an additional custom attribute within the MyCompliance application in the OKTA admin console. The custom attribute must be created with the following details so that the SCIM request OKTA sends conforms to the MetaCompliance SCIM API schema.

Data type: string

Display name: Manager Email

Variable name: managerEmail

External name: manager.Email

External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Attribute length: Between 1 and 256

Attribute required: No

Mutability: READ_WRITE

Once the attribute has been created, a mapping must be made between the OKTA variable holding the manager's email address and the new custom attribute.

4 Configuration

To create the custom attribute, go to Directory > Profile Editor and, on the MyCompliance app, select Profile.

In the Profile Editor window, click Add Attribute. In the new attribute window, enter the details listed above and click Save. Then click the Mappings button.

In the Mappings window, select the OKTA User to MyCompliance option.

Scroll to the bottom of the page, select your source attribute on the left and map it to the new custom attribute. In the example shown, user.manager is used as the source.

You can enter a user into the preview window to check that the mapping is correct. Use the preview to confirm that the source attribute you chose actually holds the manager's email address for your users: the OKTA profile's manager attribute only contains whatever your upstream directory populated it with, and a display name or employee id in that field will fail the email check on our side. If you are happy with the preview, click Save Mappings. You can now assign users in the usual fashion.

Note: A user whose record contains a manager's email address can only be assigned if that manager has already been synchronised. If we receive a request to add a new user and the manager's email address cannot be found in our records, you will see a message in the user assignment window stating that you must first assign the manager, and the assignment will have a failed status. Once you have added the manager and they have successfully synced into MyCompliance, the failed user should automatically sync on the next run. You should not need to force a sync, although this can be done.
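To make the attribute definition in section 3 and the ordering rule in the note above concrete, here is a small service-side model of what a SCIM 2.0 endpoint does with the custom attribute. This is added illustrative code, not MetaCompliance's or OKTA's implementation. It assumes that OKTA delivers a dotted external name (manager.Email) nested under its parent inside the enterprise extension namespace, so the sample SCIM documents it builds are constructed guesses at that shape; the Directory class, the e-mail regex and all user names are likewise made up for the example.

```python
"""Service-side model of the managerEmail SCIM attribute described above.

Added illustrative code, not MetaCompliance's or OKTA's own implementation.
The SCIM documents built by scim_user() are constructed samples of what OKTA
is assumed to send once external name manager.Email is mapped (dotted name
nested under its parent, inside the enterprise extension namespace).
"""
import re

CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MAX_LEN = 256  # attribute length 1..256 from the requirements section


def _get_ci(obj, key):
    """SCIM attribute names are case-insensitive (RFC 7643 section 2.1),
    so look keys up without regard to case."""
    if not isinstance(obj, dict):
        return None
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def extract_manager_email(user):
    """Return the normalised manager e-mail from the enterprise extension, or
    None if absent. Raises ValueError when the document breaks a rule stated
    on this page: both manager methods present, or length out of range."""
    manager = _get_ci(_get_ci(user, ENTERPRISE_NS), "manager")
    email = _get_ci(manager, "Email")        # the custom attribute
    manager_id = _get_ci(manager, "value")   # the RFC 7643 manager id
    if email is not None and manager_id is not None:
        raise ValueError("sync either managerId or managerEmail, not both")
    if email is None:
        return None
    if not isinstance(email, str) or not 1 <= len(email) <= MAX_LEN:
        raise ValueError("manager.Email must be a string of 1 to 256 characters")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"manager.Email is not an e-mail address: {email!r}")
    return email.lower()


class Directory:
    """In-memory user store (hypothetical) that enforces 'manager must exist
    first' and re-tries failed assignments on the next run, as the note says."""

    def __init__(self):
        self.users = {}     # userName (lower-cased) -> record
        self.pending = []   # SCIM documents whose assignment failed

    def provision(self, scim_doc):
        user_name = _get_ci(scim_doc, "userName")
        if not user_name:
            return {"status": "failed", "reason": "userName is required"}
        try:
            manager_email = extract_manager_email(scim_doc)
        except ValueError as exc:
            return {"status": "failed", "reason": str(exc)}
        if manager_email is not None and manager_email not in self.users:
            # Same failure the admin sees in the assignment window: the
            # manager has to be assigned (and synced) before this user.
            self.pending.append(scim_doc)
            return {"status": "failed",
                    "reason": f"manager {manager_email} has not been synced yet"}
        self.users[user_name.lower()] = {"userName": user_name,
                                         "managerEmail": manager_email}
        return {"status": "ok"}

    def retry_pending(self):
        """Re-run every failed assignment (what the next scheduled push does)
        and return the userNames that now succeeded."""
        queue, self.pending = self.pending, []
        succeeded = []
        for scim_doc in queue:
            if self.provision(scim_doc)["status"] == "ok":
                succeeded.append(_get_ci(scim_doc, "userName"))
        return succeeded


def scim_user(user_name, manager_email=None, manager_id=None):
    """Build a constructed sample SCIM document in the assumed OKTA shape."""
    doc = {"schemas": [CORE_NS, ENTERPRISE_NS], "userName": user_name,
           "active": True, ENTERPRISE_NS: {}}
    manager = {}
    if manager_email is not None:
        manager["Email"] = manager_email
    if manager_id is not None:
        manager["value"] = manager_id
    if manager:
        doc[ENTERPRISE_NS]["manager"] = manager
    return doc


def demo():
    """Push the report before the manager, then the manager, then re-run."""
    d = Directory()
    first = d.provision(scim_user("bob@example.com", "Alice@example.com"))
    second = d.provision(scim_user("alice@example.com"))
    retried = d.retry_pending()
    return (first["status"], second["status"], retried,
            d.users["bob@example.com"]["managerEmail"])


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the sequence from the note: the first push of bob fails because alice has not been synced, alice then succeeds, and the next run picks bob up without a forced sync. The e-mail is lower-cased before it is looked up because the manager's userName and the value typed into the manager field rarely agree on case.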
