Using sendEmail Attribute for Okta User Provisioning so that the provisioned users do not receive Welcome Email from Okta on Account Creation

Hello Sailors,
We were looking at the Okta reference guide and trying to add the sendEmail attribute in the Create Profile so that the user once provisioned into Okta does not get the Welcome email. Unfortunately when we tried to add this to the create profile it gave us the below error:

Error["sailpoint.connector.InvalidRequestException: [ InvalidRequestException ] \n [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000001, errorSummary : Api validation failed: newUser, errorCauses:[{errorSummary\u003dProperty name \u0027sendEmail\u0027 is not defined in profile}]."]

Then we tried to update the Source using the IDN API and performed this operation using Postman:

curl --location --request PATCH 'https://hearst.api.identitynow.com/beta/sources/2c9180857a3f6885017a3f7b4f4e0210' \
--header 'Content-Type: application/json-patch+json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiJlZmU3ZTY5MS1lYjE2LTRiMzItYjc5Mi0wN2M1OGI3Mjc2MWEiLCJwb2QiOiJwcmQwOC11c2Vhc3QxIiwic3Ryb25nX2F1dGhfc3VwcG9ydGVkIjpmYWxzZSwib3JnIjoiaGVhcnN0IiwiaWRlbnRpdHlfaWQiOiIyYzkxODA4ODdhNDQ5ODBiMDE3YTQ1ODUwNDBmMDRmOCIsInVzZXJfbmFtZSI6Ikp1c3RpbiBIYWluZXMiLCJzY29wZSI6WyJCZz09Il0sInN0cm9uZ19hdXRoIjp0cnVlLCJleHAiOjE2Mjc1NDA1MDcsImF1dGhvcml0aWVzIjpbIk9SR19BRE1JTiIsInNwOnVzZXIiXSwianRpIjoia2d3SmMxdjcxVWQvMWpHK2RRMyttU21vRUlJPSIsImNsaWVudF9pZCI6IjAzNTBhNDM1OWE1ZjQyNGFhMGQ1MDg2NTUzYzE2ODM2In0.5gjiaF76-DniPKKnz0c7SoCID9mtHnpfM9dvYCGaGNY' \
--data-raw '[
    {
        "op": "add",
        "path": "/connectorAttributes/sendEmail",
        "value": "false"
    }
]'

This added the sendEmail in the Okta Source and we tried to provision again to see if that would resolve our purpose of new provisioned users not getting the Welcome Email.

Unfortunately it did not work and we are wondering if we are missing something or whether this can be achieved using the sendEmail attribute.

We are referencing the below URL:
https://community.sailpoint.com/t5/IdentityNow-Connectors/Okta-Source-Configuration-Reference-Guide/ta-p/73140#toc-hId--1326839389

Please let us know if there are any steps that we are missing or if this is even feasible with the sendEmail attribute.

Let me know if there is any additional information required from my end.

Thanks
Sumit Gupta

@sumit_optiv

Did you add the attribute in the account schema as well?

You can also do it in a BeforeProvisioning Rule and cater for more scenarios like rehire, where they are enabled and you don’t want the email to go out.

accountRequest.add(new AttributeRequest("sendEmail", "false"));

Best to raise an ES case if you are not familiar with the rule and/or have more complex requirements.

1 Like
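The one-line suggestion in the reply above, expanded into a full BeforeProvisioning rule body. This is an added example, not code from the poster or from SailPoint. It assumes, as the reply describes, that the Okta connector picks up a `sendEmail` attribute request on the account request, and it goes slightly beyond the single line by covering both the Create and Enable (rehire) operations:

```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// BeforeProvisioning rule body (BeanShell). "plan" is the ProvisioningPlan
// that the rule context supplies.
if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest accountRequest : plan.getAccountRequests()) {
        AccountRequest.Operation op = accountRequest.getOperation();

        // Only touch requests that create or re-enable an account,
        // the two scenarios named in the reply (new hire and rehire).
        boolean createOrEnable = AccountRequest.Operation.Create.equals(op)
                || AccountRequest.Operation.Enable.equals(op);
        if (!createOrEnable) {
            continue;
        }

        // Do not add a second request if one is already present,
        // e.g. from the Create Profile.
        if (accountRequest.getAttributeRequest("sendEmail") == null) {
            // Assumption: the connector reads the string value "false",
            // as in the original one-line suggestion.
            accountRequest.add(new AttributeRequest(
                    "sendEmail", ProvisioningPlan.Operation.Add, "false"));
        }
    }
}
```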

Hi @piyush_khandelwal,
Thanks for the great suggestions, but I did add it to both the Create Profile and the Account Schema. I think if we add it to the Create Profile, doesn’t it become part of the Account Request in the Provisioning Plan? I mean, a rule would make sense if this was something complex and could not be achieved.

The only thing that I am struggling to understand is whether there is any configuration that needs to be done on the Okta end as well for this. Also, I can write a Before Provisioning Rule, but I don’t see a reason to do that here, as I am sending a static value of false for sendEmail in the Create Profile, so what difference is there between the OOTB configuration and doing it with a rule?

I have opened a case with SailPoint Support as well since this is mentioned in the documentation and will wait for them to respond.

Thanks
Sumit Gupta

No, you don’t need anything on the Okta side.

Thanks @piyush_khandelwal. I want to know one more thing: why will using the sendEmail attribute in the Before Provisioning Rule work, while using the sendEmail attribute on the Create Profile throws the error:

Error["sailpoint.connector.InvalidRequestException: [ InvalidRequestException ] \n [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000001, errorSummary : Api validation failed: newUser, errorCauses:[{errorSummary\u003dProperty name \u0027sendEmail\u0027 is not defined in profile}]."]

@sumit_optiv

Could be something particular about the connector and/or attribute. On reading, my limited understanding is that sendEmail is not an attribute on a user schema in Okta but is passed as an API call parameter to Okta. So it could be that, for that reason and the way it’s implemented in the connector, it needs to be in the rule. Please raise a support ticket if you want to try and troubleshoot this in the Create Profile and to confirm if it can be done via that.

Hello @sumit_optiv
Did you find a solution for this one? Did the SailPoint support team or ES team provide any solution for this one? We are also looking for a solution for this one; there is no setting on the Okta side that can help in this scenario. We need to make it work through the SailPoint provisioning call (which is an external API call for Okta).

Thank you,
Rahul Barole