How to set up Okta Just-in-Time Provisioning integration

Karen Perez Diaz

March 21, 2024

6 min read

Companies often integrate Okta with other systems, including HR platforms, so they can manage all their employees in one place and automatically assign permissions to the applications each employee needs. Especially at scale, traditional onboarding processes are disconnected and inefficient, and they leave companies exposed: access that is granted by hand is rarely revoked by hand.

If your organization needs to streamline the employee onboarding process without extra steps, here's how to set up the relevant integration with Okta.


The gaps of traditional onboarding processes

As a general rule, HR departments are almost always responsible for the first step to onboard an employee. They create that employee in the HR system, set compliance and regulatory attributes related to their identity, salary, income tax brackets, and the like. However, for that employee to actually gain access to everything they need to do their job, they require permissions to many different applications.

Traditionally, this put a heavy burden on administrators, who had to create and manage several accounts in disparate systems, with siloed permissions known only to those systems and managed by potentially different groups: the network team, the HR team, and possibly your own team if it managed subscriptions to certain applications (think cloud subscriptions that are not centrally governed).

What's worse, this creates a deep and hidden vulnerability: if that employee has to be deactivated, there is no single kill switch that terminates all of their access. In fact, it is common for administrators who manage employee access to find active accounts belonging to people who left months, if not years, ago.

This leaves businesses open to malicious actors and disgruntled former employees who can still reach internal systems and potentially disrupt business operations, take down critical systems, or exfiltrate sensitive data, which is a dangerous situation for everyone involved.

Recommended approach: Just-in-Time Provisioning with Okta

Just-in-Time Provisioning is a concept that automates the creation of users in connected platforms from the system that is the source of truth for those users; in this case, the HR system that holds the employees.

To solve this issue, Okta offers several out-of-the-box connectors, including one for the HR system BambooHR and another for Google Workspace; we'll use both as integration examples in this article.

BambooHR is an HR SaaS platform that lets companies manage employee information, track hours worked, manage benefit enrollment, and run payroll from a single platform. Google Workspace (formerly G Suite, which is why this article also calls it GSuite) is the current market leader in productivity and collaboration and is used throughout the world.

Let’s review how to integrate Okta with external systems and configure Just-in-Time Provisioning, so your employees can be fully onboarded in only one step.

Okta integration with BambooHR and GSuite apps

To start the Okta integration, you first need to add the BambooHR connector offered by Okta to your available applications:


In our use case, the flow starts when a new Employee is added to the BambooHR platform.

We are using email as the user's unique identifier (the Okta login) for authentication, so always make sure a valid and unique Work Email is populated in BambooHR.

The Work Email has to follow a predefined naming convention on your company domain (companydomain.com), because it will also be used to automatically provision a new Google Workspace account (and mailbox) for the employee:


It is critical that you also populate a Home Email in BambooHR, because Okta uses this address to send the activation email the employee must verify. No account activation happens in Okta until this verification step is completed. Because whoever controls that inbox receives the first-access link, treat the Home Email field as security-sensitive: limit who can edit it in BambooHR and confirm it with the new hire before the import runs.

In short, the work email becomes both the Okta username and the Google Workspace address, and the home email is where Okta sends the activation email for the new Okta account.
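As an added example (not from the original article, and not Okta's or BambooHR's code), the following Python checks a batch of BambooHR employee records for exactly the two fields the flow above depends on before the import runs: a unique Work Email on the company domain and a deliverable Home Email. The field names workEmail and homeEmail follow BambooHR's API naming, companydomain.com is the article's placeholder, and the employee records are constructed.

```python
"""Pre-import sanity check for BambooHR employee records.

Added example: flags records that would break or half-complete the Okta
import. A bad Work Email produces the wrong Okta login and Google Workspace
address; a missing Home Email means the activation link is never delivered.
Records are constructed; field names follow BambooHR's API naming
(workEmail, homeEmail), but this is not BambooHR's or Okta's code.
"""
import re
from collections import Counter

COMPANY_DOMAIN = "companydomain.com"  # placeholder domain from the article

# Conservative address syntax: letters, digits, dot, hyphen, underscore.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def is_valid_email(addr):
    return bool(addr) and _EMAIL_RE.match(addr) is not None


def is_work_email(addr, domain=COMPANY_DOMAIN):
    """Valid address in the company domain (case-insensitive).

    The '@' in the suffix check matters: without it, user@evilcompanydomain.com
    would pass for companydomain.com.
    """
    return is_valid_email(addr) and addr.lower().endswith("@" + domain.lower())


def validate_employees(records, domain=COMPANY_DOMAIN):
    """Return {employee id: [problems]}; an empty dict means safe to import."""
    problems = {}
    # Okta logins are case-insensitive, so count duplicates on the lowercased value.
    counts = Counter((r.get("workEmail") or "").lower() for r in records)
    for r in records:
        issues = []
        work = r.get("workEmail") or ""
        home = r.get("homeEmail") or ""
        if not is_work_email(work, domain):
            issues.append(f"workEmail missing or not in @{domain}")
        elif counts[work.lower()] > 1:
            issues.append(f"workEmail is not unique: {work}")
        if not is_valid_email(home):
            issues.append("homeEmail missing or invalid (activation email cannot be delivered)")
        elif home.lower() == work.lower():
            # The work mailbox does not exist until after activation.
            issues.append("homeEmail equals workEmail (activation link would go to a mailbox that does not exist yet)")
        if issues:
            problems[r.get("id", "?")] = issues
    return problems


# Constructed sample records (not real employees).
SAMPLE_EMPLOYEES = [
    {"id": "101", "firstName": "Ada", "lastName": "Lovelace",
     "workEmail": "ada.lovelace@companydomain.com", "homeEmail": "ada@example.net"},
    {"id": "102", "firstName": "Alan", "lastName": "Turing",
     "workEmail": "alan.turing@gmail.com", "homeEmail": "alan@example.net"},       # wrong domain
    {"id": "103", "firstName": "Grace", "lastName": "Hopper",
     "workEmail": "grace.hopper@companydomain.com", "homeEmail": ""},               # no home email
    {"id": "104", "firstName": "Grace", "lastName": "Hopper",
     "workEmail": "Grace.Hopper@CompanyDomain.com", "homeEmail": "grace2@example.net"},  # duplicate login
    {"id": "105", "firstName": "Edsger", "lastName": "Dijkstra",
     "workEmail": "edsger.dijkstra@companydomain.com",
     "homeEmail": "edsger.dijkstra@companydomain.com"},                            # home == work
]

if __name__ == "__main__":
    for emp_id, issues in validate_employees(SAMPLE_EMPLOYEES).items():
        print(emp_id, "->", "; ".join(issues))
```

Run this against an export of the employees you are about to import; every record it flags is one that would otherwise surface as a user stuck in Okta's STAGED or PROVISIONED state, or as a login that does not match the mailbox Google Workspace creates.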

Once the Okta import runs (it is scheduled at a set interval), the employee automatically receives an activation email from Okta at their home email address:


After clicking on the activation link in the email, a page is presented where they can set up their password and MFA.

At this point, the user exists in Okta and has been assigned to BambooHR and Google Workspace, so they can authenticate to both.

This all happens via Single Sign-On: the employee uses a single account, the Okta account they set up during activation, to access both the HR system and any other applications they need (such as the Google Workspace apps) with the right level of permissions:


The new hire's mailbox is also set up in Google Workspace automatically, but keep in mind that they will use their newly created Okta account to log into Google Workspace:


We used the two applications mentioned here for demonstration purposes, but you can automatically grant access to any other systems you may need, depending on your requirements.


It is worth pointing out that you can synchronize groups from BambooHR to Okta and use those groups to determine which applications onboarded employees get access to. You can also keep separate groups in Okta and map to them, but that adds a layer of management, because you then maintain groups in two different systems.


Testing your integration

To test this integration, we recommend starting small: create a few test employee accounts in BambooHR with the Okta import set to Manual, so you can run it on demand, or to a schedule that runs every few hours.

Once you have tested all your use cases (different types of users with different access; creations, updates, and deactivations) and are satisfied with the results, move to production by setting the import schedule to the interval that supports your regular business operations. Deactivation deserves the same attention as creation: terminate a test employee in BambooHR, run the import, and confirm the Okta user is deactivated and can no longer sign in to Google Workspace, because that path is the kill switch the whole integration is meant to provide.
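As an added example for the test cycle described above (not the article's, Okta's or BambooHR's code), the following Python reconciles the HR roster against the users Okta holds after a manual import run and lists every gap that must be empty before the import goes on a production schedule: hires that never reached ACTIVE, leavers that are still active (the kill switch did not fire), hires missing the group that grants their applications, and company-domain accounts HR knows nothing about. All records are constructed; the Okta objects mimic the shape of GET /api/v1/users, the per-user group lists mimic GET /api/v1/users/{id}/groups, and the department-to-group mapping is an assumed example of the group synchronization the article mentions.

```python
"""Post-import reconciliation of the BambooHR roster against Okta.

Added example (not Okta's or BambooHR's code). Compare who HR says should be
active or terminated with the user objects Okta's Users API returns and
report every gap a test run must surface. All data below is constructed.
"""

COMPANY_DOMAIN = "companydomain.com"  # placeholder domain from the article

# Okta user lifecycle states (Okta Users API). Anything outside GONE_STATES
# still holds access from an offboarding point of view.
PENDING_STATES = {"STAGED", "PROVISIONED"}     # created, activation not completed
GONE_STATES = {"SUSPENDED", "DEPROVISIONED"}   # cannot sign in


def reconcile(roster, okta_users, groups_by_user, group_for_department, domain=COMPANY_DOMAIN):
    """Return a dict of findings; every list empty means the import behaved.

    roster:               HR records {"workEmail", "status": "Active"|"Terminated", "department"}
    okta_users:           Okta user objects {"id", "status", "profile": {"login", ...}}
    groups_by_user:       {okta user id: [group name, ...]}
    group_for_department: {HR department: Okta group that grants its applications}
    """
    by_login = {u["profile"]["login"].lower(): u for u in okta_users}
    findings = {
        "missing_in_okta": [],                  # active in HR, never imported
        "not_activated": [],                    # imported, activation link not completed
        "deactivated_in_okta": [],              # active in HR but the Okta user is gone
        "missing_group": [],                    # active but not in the app-granting group
        "still_active_after_termination": [],   # the kill switch did not fire
        "orphan_in_okta": [],                   # company-domain login HR knows nothing about
    }
    roster_logins = set()
    for emp in roster:
        login = emp["workEmail"].lower()
        roster_logins.add(login)
        user = by_login.get(login)
        if emp["status"] == "Terminated":
            if user is not None and user["status"] not in GONE_STATES:
                findings["still_active_after_termination"].append(login)
            continue
        if user is None:
            findings["missing_in_okta"].append(login)
            continue
        if user["status"] in PENDING_STATES:
            findings["not_activated"].append((login, user["status"]))
        elif user["status"] in GONE_STATES:
            findings["deactivated_in_okta"].append(login)
            continue
        group = group_for_department.get(emp["department"])
        if group and group not in groups_by_user.get(user["id"], []):
            findings["missing_group"].append((login, group))
    # Live accounts in the HR-sourced domain that HR does not know about are the
    # "left years ago" accounts; logins outside the domain (admins, partners) are out of scope.
    for login, user in by_login.items():
        if login.endswith("@" + domain) and login not in roster_logins and user["status"] not in GONE_STATES:
            findings["orphan_in_okta"].append(login)
    return findings


def is_clean(findings):
    """True when no finding bucket has entries."""
    return not any(findings.values())


# Constructed test data (not real people or tenants).
ROSTER = [
    {"workEmail": "ada.lovelace@companydomain.com", "status": "Active", "department": "Engineering"},
    {"workEmail": "grace.hopper@companydomain.com", "status": "Active", "department": "Engineering"},
    {"workEmail": "edsger.dijkstra@companydomain.com", "status": "Active", "department": "Research"},
    {"workEmail": "linus.torvalds@companydomain.com", "status": "Active", "department": "Engineering"},
    {"workEmail": "alan.turing@companydomain.com", "status": "Terminated", "department": "Research"},
]
OKTA_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "ada.lovelace@companydomain.com"}},
    {"id": "00u2", "status": "PROVISIONED", "profile": {"login": "grace.hopper@companydomain.com"}},
    {"id": "00u3", "status": "ACTIVE", "profile": {"login": "edsger.dijkstra@companydomain.com"}},
    {"id": "00u4", "status": "ACTIVE", "profile": {"login": "alan.turing@companydomain.com"}},
    {"id": "00u5", "status": "ACTIVE", "profile": {"login": "old.contractor@companydomain.com"}},
    {"id": "00u6", "status": "ACTIVE", "profile": {"login": "okta-admin@partner.example"}},
]
GROUPS_BY_USER = {"00u1": ["Engineering"], "00u2": ["Engineering"], "00u3": [], "00u4": ["Research"]}
GROUP_FOR_DEPARTMENT = {"Engineering": "Engineering", "Research": "Research"}

if __name__ == "__main__":
    for name, items in reconcile(ROSTER, OKTA_USERS, GROUPS_BY_USER, GROUP_FOR_DEPARTMENT).items():
        print(f"{name}: {items}")
```

The still_active_after_termination bucket is the one to watch: an import that creates users correctly but leaves a terminated employee ACTIVE gives you onboarding automation without the kill switch, which is the exact gap the manual process had.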



An Okta integration with an HR system like the one described here makes your onboarding and offboarding operations much more effective and less time-consuming. More importantly, it gives you a kill switch: terminate the employee once in the HR system and their access is removed everywhere, without leaving gaps open for exploitation.

WRITTEN BY OUR EXPERT

Karen Perez Diaz

IAM and Cloud Architect

Karen has been a driving force in the realm of Identity and Access Management, initially embarking on her journey in 2015 as the leader overseeing the re-platforming of a Consumer Identity system for the largest quick service restaurant (QSR) globally. As a seasoned Identity consultant, she has helped many clients navigate their unique B2C, B2B, and B2E identity journeys, leveraging market leader platforms such as Okta, Auth0, and Azure AD/AD B2C. In her free time, Karen enjoys spending time with her son and daughters, and loves hiking the beautiful mountains of New England.
