CSV File Importing

When a MilMove Office or Admin user is created within the MilMove application (not Okta), they will also need an account created in Okta. This will need to be done within the Okta Admin Console by an Okta Admin with the appropriate privileges.

info

You can find more info about Okta Admins HERE

When importing a CSV file to create or update any user, Okta requires the columns to be ones they recognize in the respective Okta profile. When filling out a CSV file, it should look like this:

CSV File Example

email,login,firstName,lastName,cac_edipi,gsa_id,role
officeUser@email.com,officeUser@email.com,John,Office,1231231231,,office
adminUser@email.com,adminUser@email.com,Jill,Admin,2342342342,,admin
gsaUser@gsa.gov,gsaUser@gsa.gov,Jimmy,GSA,,3453453453453,office
hybridUser@email.gov,hybridUser@email.gov,Susy,Hybrid,,5675675675,hybrid
homeSafeUser@homesafe.com,homeSafeUser@homesafe.com,Home,Safe,,e417b7452d1fbbb6cef6f1ba8dcf25f5186dac4e,office

This file contains all the columns that we need and will use in Okta. There are a bunch more properties that Okta uses for a profile, but these are the only ones we need for MilMove.

info

Right now MilMove's configuration in Okta supports the following root certificate & their respective chains:
CA-3
Entrust Managed Services Root CA
ECA Root CA 4

Let's break down what values go in what in the CSV file:

email

This will be the same as login, but it's imperative that this email is the primary email of the user and should be a functional email.

login

This will be the same as email and will also need to be a functional email.

firstName

First name of the user.

lastName

Last name of the user.

cac_edipi

This will be the DoDID/EDIPI number that is located on the user's Smart Card. This number should only be ten digits in length and must be unique. Okta will not allow this user to be imported if this number already exists in their database. This can be left empty if the office user does not use a CAC.

gsa_id

This column is specific for GSA users or ECA cert users (only in staging environment) and they will need to provide values that can be found in their certificate.

For GSA Users
It is variable in length, but can be found in the Subject Alternative Name property in their certificate and are the numbers to the left of their @gsa.gov email found in that property. This can be empty when importing users that are not GSA users.

For ECA Certificate Users
For ECA certificate users we are using the Subject Key Identifier value in their certificate. This is a very long string that looks like:

e417b7452d1fbbb6cef6f1ba8dcf25f5186dac4e

role

This will determine which groups the user is assigned to upon import. This field is required. The values in this column assign users to their respective groups, which allows for access to the application.

office -> assigns to office group
admin -> assigns to admin group
hybrid -> assigns to BOTH office and admin groups

Double Check - Triple Check

danger

If the cac_edipi or gsa_id is wrong, the user will not be able to log in. Additionally, please make sure that the value in the role column is either office, admin, or hybrid and all lowercase. Please make sure to double check these values prior to importing.

GSA & ECA Certificate chains use the gsa_id column
Anyone using CA-3 root certificates uses the cac_edipi column

Importing CSV File into Okta

1. Sign into the Okta Dashboard
2. Click the Admin button in the top right to go to the Admin Console
3. In the nav bar on the left, click Directory
4. Click People to open the users page
5. There's a dropdown box that says More actions, click that
6. A dropdown menu will show, click Import users from CSV
7. Select the CSV file and click Upload CSV
8. Okta will check the headers to make sure it knows where to put the data, if successful - you'll see a success message
   If it was NOT successful, Okta will show an error message and tell you what it doesn't recognize
9. Click Next
10. If the user will only be logging in with their CAC, check both boxes since they won't need a password (this is for office users)
    If the user will be an Okta Admin and will need to sign in with additional authenticators, only check the top box since they'll need to log into Okta
11. If the user in each row doesn't exist - Okta will create an account for them
    If the user does exist, Okta will update their profile with the values in the CSV file
12. Now each user will be able to authenticate with Okta (as long as the information in the file is correct)!