Shine a light on shadow apps

ConductorOne Docs

Completeness and accuracy

Identity and entitlement data is pulled from integrated applications to ConductorOne on a regular and ongoing basis so you can feel confident that your data is mirrored accurately.

How do application integrations work in ConductorOne?

  • Application data is synced every 1-2 hours (exact duration depends on the size of your tenant).

  • Applications are connected using the required authentication method as described in the integration documentation.

  • How the data is categorized is determined by the application’s API. This page provides clarification on how to match up the data and any known limitations to application APIs.

If you manually import data from a custom application: The user count and status are directly correlated to the mappings. For more information on setting mappings, go to Change mappings for custom spreadsheets.

View an application’s user count

Compare the count of users in an application integrated with ConductorOne with the count in the application itself.

  1. In the navigation panel, open Apps and click Applications.

  2. Click the name of an application created via an integration with ConductorOne.

  3. Click Identities.

  4. Review the User type and User status data provided in ConductorOne and inside the corresponding application.

How does ConductorOne calculate user counts?

ConductorOne categorizes the data according the how the application API is configured.

User TitleDescriptionNotes
UserTotal number of accounts your admin labelled as “User Account”.This number represents metadata from C1, and will not be found explicitly in the corresponding application.
Service AccountTotal number of accounts your admin labelled as “Service Account” for an application in ConductorOne.This number represents metadata from C1, and will not be found explicitly in the corresponding application.
Total User CountThis is not a category, only provided here for clarity.

[User + Service Accounts]

OR [Enabled + Disabled + Unspecified + Deleted]

EnabledTotal number of Users excluding Disabled [Suspended] Users.[User + Service Accounts] - Disabled/Suspended Accounts
DisabledTotal number of Suspended Users. Typically this means the User cannot access applications or their interfaces but their profile can still be updated and assignments are unaffected.
UnspecifiedTotal number of users with statuses we don’t recognize (typically this captures all statuses other than Enabled and Disabled).Generally seen when manually uploading data to custom applications.
Deleted

Total number of users deleted from the application.

Note: Some connectors do not pull deleted users into ConductorOne; this depends on the application’s API.

If you manually upload a deleted user it will show in this field
Active Users

Total number of Enabled Users excluding users who are unable to log into the application


Note: Check how your application calculates this number. Some applications double-count users.

Enabled - [Locked Out, Password Expired + Recovery]
SuspendedTotal number of users who have had their account explicitly suspended by the application administrator.
Provisioned [Pending User Action]Total number of accounts that are provisioned, but the user has not provided verification by clicking through the activation email or provided a password
StagedTotal number of accounts where the user is created, before the activation flow is initiated, or if there is a pending admin action.
Locked OutTotal number of accounts where the user has exceeded the number of login attempts defined in the login policy.
Password ExpiredTotal number of accounts where the password reset link has eclipsed the allotted time.
Recovery [Password Reset]Total number of accounts with an active password reset (otherwise these are Active Users).

Known limitations

  • Active User Count: Some applications, including Okta Dashboard, calculate this by double counting users with certain statuses: Password Reset, Locked Out, Password Expired. ConductorOne again pulls the data and categories pursuant to the API specifications so the total count will match.

  • Deactivated User Count: This user count might not be included in the default application API and is therefore not currently streamed to ConductorOne.

  • Deleted User Count: The deleted user count is most likely to be zero, because once a user is deleted the API does not provide their data. If data is manually added for custom applications, this field will be filled if deleted users are included and categorized as such.

Example: Matching data in ConductorOne and Okta

As a demonstration, we break down how the User Identity Counts match up between ConductorOne and Okta.

Example user counts in ConductorOne and Okta

ConductorOne Okta identities count

Okta People dashboard

User identity count comparison and explanation

User TitleOktaConductorOneExplanation

Everyone

[User + Service Accounts]

66 [(User + Service Account) - Okta Deactivated Users]Okta includes Deactivated users under Everyone, but ConductorOne will not.
Enabled55 [Okta Active Users + Staged + Pending User Action]ConductorOne: [User + Service Accounts] - [Suspended/Disabled + Deactivated]
Disabled [Suspended]11
Recovery [*Password Reset]22

*if a user is otherwise active but in Password Reset they will show as “Recovery."

*If Password Reset is showing in Okta and Recovery is not showing in ConductorOne, the Password Reset number is rolled in the Suspended category.

*Active

[Okta double counts some statuses see “Explanation Column”]

42 [excludes Recovery/Resets]*Okta double-counts Password Expired, Recovery/Reset, Locked Out Users.
*Password ExpiredN/AN/A

If the value is zero, this field will not show in ConductorOne or Okta.

*If Password Expired is showing in ConductorOne but not Okta, it is counted under Active in Okta.

Provisioned [Pending User Action]11
Suspended11
Staged0N/AIf the value is greater than zero, it will appear in ConductorOne and match Okta exactly.
Locked0N/AIf the value is greater than zero, it will appear in ConductorOne and match exactly to Okta.