POST /api/v1/apps/{appId}/users

Assigns a user to an app for:

SSO only
Assignments to SSO apps typically don't include a user profile. However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body.
SSO and provisioning
Assignments to SSO and provisioning apps typically include credentials and an app-specific profile. Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body.
Notes:
- When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings.
- Omit mapped properties during assignment to minimize assignment errors.

Servers

https://{yourOktaDomain}

Path parameters

Name	Type	Required	Description
`appId`	String	Yes	Application ID

Request headers

Name	Type	Required	Description
`Content-Type`	String	Yes	The media type of the request body. Default value: "application/json"

Request body fields

Name	Type	Required	Description
`_embedded`	Object	No	Embedded resources related to the Application User using the JSON Hypertext Application Language specification
`lastSync`	String	No	Timestamp of the last synchronization operation. This value is only updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH PROFILE_UPDATES` feature.
`passwordChanged`	String	No	Timestamp when the Application User password was last changed
`credentials`	Object	No	Specifies a user's credentials for the app. This parameter can be omitted for apps with sign-on mode (`signOnMode`) or authentication schemes (`credentials.scheme`) that don't require credentials.
`credentials.userName`	String	No	The user's username in the app Note: The userNameTemplate in the Application object defines the default username generated when a user is assigned to that app. If you attempt to assign a username or password to an app with an incompatible authentication scheme, the following error is returned: "Credentials should not be set on this resource based on the scheme."
`credentials.password`	Object	No	The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists.
`credentials.password.value`	String	No	Password value
`scope`	String	No	Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). Possible values: `"GROUP"` `"USER"`
`status`	String	No	Status of an Application User Possible values: `"STAGED"` `"DEPROVISIONED"` `"REVOKED"` `"ACTIVE"` `"APPROVED"` `"SUSPENDED"` `"PROVISIONED"` `"MATCHED"` `"PENDING"` `"UNASSIGNED"` `"IMPORTED"` `"INACTIVE"` `"IMPLICIT"`
`statusChanged`	String	No	Timestamp when the Application User status was last changed
`lastUpdated`	String	No	Timestamp when the object was last updated
`id`	String	No	Unique identifier for the Okta User
`profile`	Object	No	Specifies the default and custom profile properties for a user. Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. Some properties are reference properties that are imported from the target app and can't be configured. See profile.
`_links`	Object	No	Specifies link relations (see Web Linking) available using the JSON Hypertext Application Language specification. This object is used for dynamic discovery of resources related to the Application User.
`created`	String	No	Timestamp when the object was created
`externalId`	String	No	The ID of the user in the target app that's linked to the Okta Application User object. This value is the native app-specific identifier or primary key for the user in the target app. The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app. This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app.
`syncState`	String	No	The synchronization state for the Application User. The Application User's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. Note: User provisioning currently must be configured through the Admin Console. Possible values: `"ERROR"` `"SYNCHRONIZED"` `"SYNCING"` `"OUT_OF_SYNC"` `"DISABLED"`

How to start integrating

Add HTTP Task to your workflow definition.
Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
Click Test request to test run your request to the API and see the API's response.