# Okta Directory Sync Setup for Wolfia: Users, Groups, and Roles

> Connect Okta to Wolfia so users and groups provision automatically, including the two Okta steps that keep your groups from arriving empty.

Two things move through directory sync: the people in your Okta directory and the groups they belong to. Okta provisions each of these through a separate action, and both are needed before a Wolfia group does anything useful. The most common setup mistake is completing one and skipping the other, which leaves a group in Wolfia that has a name but no members.

## How directory sync works

Once Okta is connected to Wolfia, Okta becomes the source of truth and pushes changes automatically:

* **People:** Assigning a person to the Wolfia app in Okta creates their Wolfia account.
* **Groups:** Pushing a group from Okta recreates that group in Wolfia and links the members who already have a Wolfia account.
* **Updates:** Name, email, and group-membership changes flow through within a few minutes.
* **Removal:** Unassigning a person in Okta deactivates their Wolfia account.

<Note>
  Think of it as two layers. People come first, then the groups that organize them. A group can only contain people who already exist in Wolfia, so the people layer has to be in place for groups to fill in.
</Note>

## Before you start

<Note>
  Directory sync builds on SSO. Set up [SSO](/how-to/sso-setup) first, then ask your Wolfia contact to enable directory sync for your organization. See the [SCIM setup guide](/how-to/scim-setup) for the full provider-agnostic walkthrough.
</Note>

* [x] **SSO is configured** for your organization
* [x] **Directory sync is enabled** by your Wolfia contact
* [x] **You are an Okta administrator** with access to the Wolfia app

## Set up directory sync in Okta

<Steps>
  <Step title="Assign people to the Wolfia app">
    This is the step that actually creates Wolfia accounts.

    1. In the Okta Admin Console, open **Applications** and select your **Wolfia** app.
    2. Go to the **Assignments** tab.
    3. From the **Assign** dropdown, choose **Assign to People** or **Assign to Groups**.
    4. Select the people who should have Wolfia access.

    Each assigned person is created in Wolfia within a few minutes.
  </Step>

  <Step title="Push your groups">
    This step recreates your Okta groups inside Wolfia and links their members.

    1. In the same Wolfia app, go to the **Push Groups** tab.
    2. From the **Push Groups** dropdown, choose **Find groups by name**.
    3. Select the groups you want to bring into Wolfia and save.

    Pushing a group brings over the group itself and links the members who were already assigned in step 1.
  </Step>

  <Step title="Confirm in Wolfia">
    1. In Wolfia, open **Settings** and go to **Users** to confirm the people appear.
    2. Open **Groups** to confirm each group shows the expected members.

    Allow a few minutes for the first sync to finish before checking.
  </Step>
</Steps>

<Warning>
  Pushing a group does not create its members by itself. A person shows up inside a Wolfia group only after they are also assigned to the Wolfia app in step 1. If you push groups before assigning people, the groups arrive with the correct name and no members. Assign the people, and the membership fills in on the next sync.
</Warning>

## How roles are assigned

Wolfia can set a person's role from their group membership, so the right people get Administrator or Expert access without manual updates. Role assignment is configured with your Wolfia contact when directory sync is enabled. People who do not match a role-granting group receive the Standard User role. For the role options and mapping details, see the [SCIM setup guide](/how-to/scim-setup#role-assignment-in-detail).

<Info>
  Roles follow from group membership. Until the members of a group are provisioned through step 1, no roles can be applied for that group.
</Info>

## What groups are used for in Wolfia

Groups let you assign and route work to a whole team at once instead of naming people individually. Membership is what makes each of these work, so an empty group has no effect until its members sync.

<CardGroup cols={2}>
  <Card title="Questionnaire assignment" icon="clipboard-check">
    Assign a questionnaire, a section, or individual questions to a group, and every member can pick up the work.
  </Card>

  <Card title="Review and approval routing" icon="route">
    Send questions to the right team for subject-matter or legal review based on group membership.
  </Card>

  <Card title="Notifications and reminders" icon="bell">
    Deadline, assignment, and approval reminders reach everyone in the assigned group.
  </Card>

  <Card title="Access and visibility" icon="eye">
    Scope who can see assigned questionnaires and who can edit the knowledge base by group.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="A group synced but has no members">
    The group was pushed before its people were assigned to the Wolfia app. In Okta, open the Wolfia app, go to **Assignments**, and assign the people who belong in that group. Membership fills in on the next sync. If you would like an immediate full refresh, contact Wolfia support to trigger reconciliation.
  </Accordion>

  <Accordion title="Members synced but have the wrong role">
    Roles follow from group membership and require role assignment to be configured. Confirm the person is in the correct group in Okta, and check the role mapping with your Wolfia contact. See the [SCIM setup guide](/how-to/scim-setup#role-assignment-in-detail) for how roles are determined when someone belongs to more than one group.
  </Accordion>

  <Accordion title="A new employee is missing from Wolfia">
    The person has not been assigned to the Wolfia app yet. Being a member of an Okta group is not enough on its own. Assign them under the **Assignments** tab so their account is created.
  </Accordion>

  <Accordion title="A removed person still appears active">
    Deactivation flows from unassigning the person in Okta. Confirm they were removed from the Wolfia app in Okta. The account deactivates on the next sync, and a daily reconciliation also catches any missed changes.
  </Accordion>
</AccordionGroup>
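
The empty-group and still-active cases above can be checked before and after a sync by comparing three lists. The following is an added example, not Wolfia or Okta code: the function name, the report keys, and the Wolfia-side export (email mapped to an active flag) are assumptions, and all sample data is constructed.

```python
"""Audit the two sync layers: app assignments versus pushed groups.

Inputs are plain collections so the check runs offline. The Wolfia user
export format (email -> is_active) is hypothetical.
"""

def audit_sync(assigned, pushed_groups, wolfia_users):
    """Return the discrepancies the troubleshooting section describes.

    assigned      -- emails assigned to the Wolfia app in Okta (step 1)
    pushed_groups -- {group name: member emails} for pushed groups (step 2)
    wolfia_users  -- {email: is_active} as seen in Wolfia (assumed export)
    """
    assigned = {e.lower() for e in assigned}
    wolfia = {e.lower(): active for e, active in wolfia_users.items()}
    unlinked, empty = {}, []

    for name, members in sorted(pushed_groups.items()):
        members = {m.lower() for m in members}
        # Group members who were never assigned to the app cannot be linked.
        not_assigned = sorted(members - assigned)
        if not_assigned:
            unlinked[name] = not_assigned
        # No assigned member at all: the group arrives with a name only.
        if not members & assigned:
            empty.append(name)

    return {
        "empty_groups": empty,
        "unlinked_members": unlinked,
        # Assigned in Okta but no Wolfia account yet (or sync still pending).
        "missing_accounts": sorted(assigned - wolfia.keys()),
        # Active in Wolfia without an Okta assignment: review for deactivation.
        "stale_active": sorted(e for e, on in wolfia.items()
                               if on and e not in assigned),
    }

# Constructed sample data.
SAMPLE_ASSIGNED = {"ana@example.com", "raj@example.com"}
SAMPLE_PUSHED = {
    "Security Reviewers": {"ana@example.com", "li@example.com"},
    "Legal": {"sam@example.com"},
}
SAMPLE_WOLFIA = {"ana@example.com": True, "tom@example.com": True,
                 "old@example.com": False}

if __name__ == "__main__":
    for key, value in audit_sync(SAMPLE_ASSIGNED, SAMPLE_PUSHED,
                                 SAMPLE_WOLFIA).items():
        print(f"{key}: {value}")
```

An entry under `stale_active` is a review candidate rather than a confirmed failure, since this check cannot tell whether an account was created outside directory sync.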

## Related pages

<CardGroup cols={2}>
  <Card title="SCIM setup" icon="users-gear" href="/how-to/scim-setup">
    The full directory sync guide for Okta, Microsoft Entra ID, Google Workspace, and other providers.
  </Card>

  <Card title="SSO setup" icon="key" href="/how-to/sso-setup">
    Configure Single Sign-On, which directory sync builds on.
  </Card>

  <Card title="Admin setup" icon="user-gear" href="/how-to/setup-admin">
    Set up your Wolfia organization and manage users.
  </Card>

  <Card title="Service accounts" icon="robot" href="/how-to/service-accounts">
    Programmatic access for integrations and automation.
  </Card>
</CardGroup>
