Okta: Configuring Provisioning for Highfive



  • Allow Okta users to create Highfive accounts and log in via Okta Sign On
  • Give Okta administrators the ability to provision and manage Highfive users:
    • Create new Highfive user accounts through Okta
    • Disable Highfive user accounts through Okta
    • Update Highfive user names through Okta


  • Be logged in as a Highfive Admin
  • Be logged in as an Okta Super or Org Admin
  • Use Okta's Classic UI
    • If you are using a different view (e.g. Developer Console), follow the steps outlined under the Organized Navigation section here to switch to the Classic UI.

Configuration Instructions


  1. Add the Highfive application
  2. General Settings
  3. Sign On
  4. Provisioning

Add the Highfive application

If you already have the Highfive application set up in Okta from a previous Okta Sign On configuration, you can skip this section and go directly to Sign On.

  1. Navigate to your Okta Dashboard.
  2. Click Applications at the top of the Okta Dashboard and select Applications.
  3. Click Add Application.
  4. Use the search bar to look for Highfive.
  5. Once Highfive pops up as a result, click Add.

General Settings


  1. On the next General Settings page, input your Highfive Subdomain.
    • Your subdomain is: YourSubdomain.highfive.com
  2. Click Done.

Sign On

  1. Select the Sign On tab. (This is next to the General tab you were on previously.)
  2. Click Edit at the top of the Settings menu.
  3. Important: Under the CREDENTIALS DETAILS section, your Okta username format setting will determine which attribute in the Okta user profile will be passed within the SAML assertion as the Highfive email address.
    • Your selection for Okta username format needs to match the value you are passing as the email attribute from Okta to Highfive, or it will result in duplicate users being created with a different email value. We'll walk you through configuring this in the next step.
  4. If you...
    1. Are setting up the Highfive application for the first time: Set Application username format to Email.
    2. Already have SAML functionality enabled for the Highfive application in Okta and are using Okta username as the Okta username format:
      1. Click Configure profile mapping.
      2. Select the Okta to Highfive tab.
      3. Set your mapping to the following configuration, then click Save Mappings.
        1. user.firstName → givenName
        2. user.lastName → familyName
        3. user.login → email

  5. Click Save once you're back on the Settings menu.
  6. If you have not previously configured SAML 2.0 for Highfive Single Sign On with Okta, you will need to do it now.
    • Click View Setup Instructions and complete the provided steps.


Provisioning

  1. After you complete the SAML 2.0 configuration, navigate back to the Highfive application in Okta.
  2. Click on the Provisioning tab. (This is next to the Sign On tab you were on previously.)
  3. Click Configure API Integration.
  4. Check the Enable API integration box.
  5. Click Authenticate with Highfive.
  6. A permissions window will open, informing you what actions you are allowing Okta to perform on your behalf. To proceed, click Allow.
  7. You will be redirected back to Okta and should see a message stating Highfive was verified successfully.
  8. Click the Save button.
  9. Once the page reloads, select To App in the left sidebar and then click Edit.
  10. Check the Enable box for the following provisioning options:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  11. Skip Highfive Attribute Mappings. You do not need to modify this section at the bottom.
  12. Click Save.
  13. Highfive! You're done with the configuration. You can learn more about how to manage your users via Okta here.

Known Issues

  • Issue: Updating the Primary Email for a user in Okta does not push the change to Highfive.
    • Details: If you update the email address for a user in Okta, it will not update in Highfive. This also includes scenarios where SAML was set up previously using Okta.userName and then changed to Okta.email.
    • Fix: This is currently expected behavior. Our team is aware of it and will work on resolving it. When this is fixed, updates to email addresses made in Okta will push successfully to Highfive.
  • Issue: Creating a new user profile after updating a previous user profile can lead to invalid responses when attempting to verify user data.
    • Details: If you update the username for a user in Okta and then create a second profile with the same username, attempts to verify profile creation between Highfive and Okta will fail with a result saying there are too many matches.
    • Fix: Please contact Highfive Support and we will fix the username that should be disabled.
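
An added example (not Highfive's or Okta's code) of an offline check for the identifier mismatches described under Sign On and Known Issues: it compares the attribute Okta sends as the Highfive email against the accounts that exist in Highfive. The record fields, the audit function and all sample data are assumptions constructed for illustration; real exports would have to be mapped into this shape.

```python
# Added example: offline audit of Okta vs. Highfive identifiers.
# Field names and all records are constructed for illustration (assumptions).
OKTA_USERS = [
    {"login": "ana@example.com", "email": "ana@example.com", "active": True},
    {"login": "bob@corp.example", "email": "bob@example.com", "active": True},
    {"login": "cy@example.com", "email": "cy.new@example.com", "active": True},
    {"login": "dee@example.com", "email": "dee@example.com", "active": False},
    {"login": "fay@example.com", "email": "fay@example.com", "active": True},
]
# Constructed list of active Highfive account emails.
HIGHFIVE_EMAILS = ["ana@example.com", "Bob@example.com", "bob@corp.example",
                   "cy@example.com", "dee@example.com"]


def norm(value):
    """Assumption: identifiers match case-insensitively, ignoring whitespace."""
    return value.strip().lower()


def audit(okta_users, highfive_emails, sent_attr="email"):
    """Classify drift for the Okta attribute that is sent as the Highfive email."""
    other_attr = "login" if sent_attr == "email" else "email"
    highfive = {norm(e) for e in highfive_emails}
    findings = {"duplicate": [], "stale": [], "missing": []}
    claimed = set()  # Highfive identifiers explained by an active Okta user
    for user in okta_users:
        if not user["active"]:
            continue
        sent, other = norm(user[sent_attr]), norm(user[other_attr])
        claimed.add(sent)
        if sent in highfive and other != sent and other in highfive:
            findings["duplicate"].append(other)  # second account under the other attribute
            claimed.add(other)
        elif sent not in highfive and other in highfive:
            findings["stale"].append(other)  # Highfive only knows the other/old value
            claimed.add(other)
        elif sent not in highfive:
            findings["missing"].append(sent)  # no Highfive account yet
    # Accounts with no active Okta user behind them (e.g. deactivation not applied).
    findings["orphan"] = sorted(highfive - claimed)
    return findings


if __name__ == "__main__":
    for attr in ("email", "login"):
        print(attr, audit(OKTA_USERS, HIGHFIVE_EMAILS, sent_attr=attr))
```

Running the audit with both attribute choices before changing the username format shows which accounts would end up duplicated or left under an old address.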
