ADP Workforce Now doesn't have a direct Okta integration. That's the starting point of this problem, and it's pushed a lot of teams toward bridge tools like Aquera — which works, but creates more connections to maintain than necessary. If you're designing the architecture from scratch, the question worth answering before committing to any tool is: what should actually sit between your HRIS and everything downstream?
The answer the Okta community has converged on strongly is HR → Okta → AD (and everything else), not HR → AD → Okta. But getting ADP into Okta without a native connector requires a decision, and that decision shapes the maintenance burden you're signing up for.
The Three Paths From ADP to Okta (And What Each Costs You)
Aquera as a bridge between ADP and Okta. Aquera builds and maintains connectors between HRIS platforms and identity providers. It handles the data transformation from ADP's format into something Okta can ingest, and it provides real-time sync rather than batch processing. The cost — one commenter in this thread mentioned first-year costs in the $5–8K range — and the additional connection layer to maintain is the main objection. The architectural critique from an official Okta employee in the thread is worth taking seriously: Aquera shouldn't sit between ADP and AD and between AD and Google Workspace. The right position for a bridge tool is ADP → Aquera → Okta, and then Okta handles everything downstream. If Aquera is deployed more broadly than that, you're maintaining more connections than the architecture requires.
CSV as a source via Okta's On-Prem Provisioning agent. Okta supports CSV import through a provisioning agent that monitors a directory for a file on a configured schedule. You export a CSV from ADP at whatever frequency works — nightly is common — place it in the directory the agent monitors, and Okta processes the changes. The setup is straightforward, the cost is low, and it bypasses the need for Aquera entirely. The tradeoff is that it's not real-time: a termination that happens at 9am won't reach Okta until the next scheduled import. For involuntary terminations, which several commenters in this thread noted can happen with zero warning, that lag is a real security exposure. The manual export step is also a dependency — if someone forgets to run it or the export fails silently, the sync breaks without an obvious alert.
Intermediate HR data tools like ChartHop or Hire2Retire. Some organizations route ADP data through an org chart or HR data platform (ChartHop being one example in this thread) that has its own Okta connector, avoiding Aquera while adding data enrichment capabilities. The OP's follow-up noted that ChartHop worked well for provisioning but left deactivations to be handled manually by IT — which is exactly the gap that makes involuntary terminations painful. Hire2Retire takes a different approach: it positions itself specifically as an HR-to-identity bridge that handles edge cases like rehires, title changes, and manager updates without requiring custom scripts for each scenario.
The architectural consensus in the thread is consistent regardless of which path you use for the ADP-to-Okta piece: once data is in Okta, Okta should control the flow to AD and downstream applications through group rules and Lifecycle Management, not the other way around.
Why HR → Okta → AD Is the Right Direction
The legacy flow — HR → AD → Okta — made sense when AD was the authoritative directory for everything. In modern environments where employees may not need full AD accounts (retail store associates being the example from the thread), where cloud apps are the primary surface, and where Okta is the SSO layer for most of what users actually touch, making AD the intermediate step adds complexity without benefit.
HR → Okta → AD inverts this cleanly. Okta becomes the single point of control. Group rules in Okta determine what gets pushed to AD and when. Users who don't need AD accounts (cloud-only users, Okta-only retail associates) never touch AD at all. The audit trail lives in Okta. Provisioning decisions are made in one place rather than trying to coordinate changes across two systems.
For the specific ADP scenario: data flows from ADP to Okta via whichever integration method fits your requirements and budget. From Okta, group rules provision users into AD where needed, push them into Google Workspace, assign them to downstream application groups, and handle the full lifecycle from there.
Where Okta LCM Hits Its Ceiling
Okta Lifecycle Management handles provisioning well for applications with native SCIM integrations or Okta Application Network connectors. For the applications outside that set — tools procured by individual departments, legacy systems, apps with APIs but no SCIM support — Okta LCM doesn't extend automatically.
The preferred name issue the OP mentioned is a good example of where the seams show. ChartHop was configured to pass preferred names through to Okta, and when that configuration wasn't in place, Okta defaulted to legal names. Managing these attribute-level requirements across the integration chain requires configuration at each layer, and each layer that's involved is another place where a change can break the flow.
For the downstream application provisioning problem — ensuring users get the right tools, licenses, and group memberships on day one across both Okta-connected and non-Okta-connected apps — an IGA orchestration layer handles the breadth that Okta LCM doesn't reach.
How an IGA Layer Fits Into the ADP → Okta Architecture
Zluri slots into this architecture as the orchestration layer between your HRIS and the full downstream stack, complementing rather than replacing Okta.
When ADP registers a new hire, Zluri detects the event and triggers an Onboarding Playbook. The playbook can create the Google Workspace account first — generating the official work email that everything else depends on — then provision the user into Okta and Active Directory in parallel, and then assign role-based birthright access across every downstream application the user needs on day one. For apps with Okta integrations, Okta handles the SSO layer. For apps without SCIM or Okta connectors, Zluri's direct API integrations or custom HTTP Request actions handle the provisioning directly.
For terminations — including the involuntary ones that happen without warning — Zluri detects the ADP status change and triggers an Offboarding Playbook immediately, without waiting for a nightly CSV export or a manual IT action. The account is disabled in Okta, removed from AD groups, and deprovisioned from every downstream application in the same automated run.
The contractor problem the OP mentioned — contractors living outside ADP and created manually by IT — can be addressed by giving IT a manual onboarding trigger within Zluri's interface, so contractor accounts follow the same playbook-based provisioning as regular employees even when they don't originate from the HRIS.
A Note on Aquera Licensing and Okta LCM Licensing
One commenter raised the point that Aquera may have been sold as an alternative to Okta LCM for organizations that only purchased Okta SSO/MFA licenses rather than full LCM. If your Okta license doesn't include LCM, provisioning directly from Okta to downstream applications isn't available — and that changes the architecture options. Confirm your Okta license tier before designing the architecture around Okta LCM capabilities you may not have.
Frequently Asked Questions
What is the best practice architecture for ADP Workforce Now to Okta provisioning?
The recommended flow is ADP → [integration layer] → Okta → AD and downstream apps. The integration layer can be Aquera, a CSV import via Okta's On-Prem Provisioning agent, or an HR data tool with an Okta connector. The key principle is that Okta should be the central control point for all downstream provisioning — AD, Google Workspace, and application groups — rather than AD sitting between HRIS and Okta. This gives you a single audit trail and centralized provisioning logic.
Should Active Directory or Okta be the source of truth for user provisioning?
In modern environments, Okta should be the identity control plane, with AD as a downstream target rather than an intermediate hub. HR → AD → Okta made sense when AD was the primary directory, but in cloud-first or hybrid environments, HR → Okta → AD gives you centralized control, a unified audit trail, and the flexibility to provision cloud-only users who don't need AD accounts at all.
What are the alternatives to Aquera for connecting ADP to Okta?
The main alternatives are: CSV import via Okta's On-Prem Provisioning agent (no additional tool cost, but not real-time), HR data platforms like ChartHop that have native Okta connectors (adds data enrichment but may leave deactivations manual), middleware tools like Hire2Retire that handle HR-to-identity sync with edge case handling for rehires and title changes, or an IGA orchestration platform like Zluri that manages the full lifecycle across HRIS, Okta, AD, and downstream applications from a single platform.
How do you handle involuntary terminations when using a nightly CSV sync from ADP to Okta?
A nightly CSV sync creates a lag between termination in ADP and deactivation in Okta — potentially many hours if a termination happens early in the day. For involuntary terminations, that window is a security exposure. Real-time integration (via Aquera, a middleware tool, or an IGA platform) that detects the ADP status change and triggers immediate deactivation in Okta eliminates this gap.
See How Zluri Connects to ADP and Handles the Full Provisioning Lifecycle
If you're designing your ADP-to-Okta architecture and evaluating whether Aquera, CSV import, or a dedicated IGA platform fits your requirements, see how Zluri connects to ADP and handles the full provisioning and deprovisioning lifecycle — including the downstream apps that Okta LCM doesn't reach.
.svg)
