Configure Active Directory account mapping

Before you begin

Tasks

  1. Add attribute to the Okta profile template
  2. Map AD attributes to Okta profiles
  3. Add attributes to the Advanced Server Access profile template
  4. Map Okta profile attributes to Advanced Server Access profile attributes
  5. Assign users or groups to Advanced Server Access
  6. Optional. Assign project-level attribute overrides

Add attribute to the Okta profile template

The first step is to add a new attribute to the default Okta user profile. This attribute stores one or more AD usernames for a single Okta account, so it must be able to hold multiple values.

In the Admin Console, use the Profile Editor to add an attribute to the default Okta user profile with the string array data type. You can configure the other settings to meet your organizational needs. See Add custom attributes to an Okta user profile.

Map AD attributes to Okta profiles

Next, map the AD username into the attribute you just created. In the Admin Console, open the Profile Editor, locate your AD directory integration, and click Mappings. Because the target attribute is a string array, use an Okta Expression Language expression rather than a plain attribute-to-attribute mapping. Locate the attribute you created in step 1 and enter the following expression in the left column:
Arrays.add(Arrays.toCsvString({}),appuser.userName)

Add attributes to the Advanced Server Access profile template

This process isn't required for new teams. Existing teams can contact Okta support for assistance.

Next, you must add two attributes to the default Advanced Server Access user profile. These attributes list the AD user accounts available to an Okta user: one for accounts that require a password and one for accounts that don't. Both attributes are required and must use the exact settings specified.

In the Admin Console, use the Profile Editor to add attributes to the default Advanced Server Access user profile.

Active Directory Identity

  • Display name: Active Directory Identity
  • Description: Comma-separated list of AD accounts available to an Okta user. Users must manually enter a password when using these accounts.
  • Data type: string array
  • External name: activeDirectoryIdentity
  • External namespace: urn:scim:schemas:scaleft:user:1.0
  • Scope: User personal

Active Directory Passwordless Identity

  • Display name: Active Directory Passwordless Identity
  • Description: Comma-separated list of AD accounts available to an Okta user. Users don't need to enter a password when using these accounts.
  • Data type: string array
  • External name: activeDirectoryPasswordlessIdentity
  • External namespace: urn:scim:schemas:scaleft:user:1.0
  • Scope: User personal

Make sure to enter the External name and External namespace fields exactly as written.

You can configure the other settings to meet your organizational needs.
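The external names and namespace above must match character for character, and a typo (a changed case, a trailing space, a different namespace version) won't be flagged by the Profile Editor. The following script is an added example, not Okta's own code, that checks an exported Advanced Server Access app user schema for the two attributes with exactly the settings listed. It assumes the schema document is the JSON returned by the Okta App User Schema API (GET /api/v1/meta/schemas/apps/{appId}/default), where custom attributes sit under definitions.custom.properties with externalName and externalNamespace fields, and that the Profile Editor's "User personal" scope is encoded as scope SELF in that API. The sample schema embedded in the script is constructed for the example and is not a real tenant's data.

```python
"""Check an Okta app user schema for the Advanced Server Access AD identity
attributes. Added example; assumes the App User Schema API response layout."""
import copy
import json
import sys
from typing import Dict, List

ASA_NAMESPACE = "urn:scim:schemas:scaleft:user:1.0"

# External name -> display name, exactly as the procedure specifies them.
REQUIRED_ATTRIBUTES: Dict[str, str] = {
    "activeDirectoryIdentity": "Active Directory Identity",
    "activeDirectoryPasswordlessIdentity": "Active Directory Passwordless Identity",
}


def _custom_properties(schema: dict) -> dict:
    """Custom app user attributes live under definitions.custom.properties (assumed layout)."""
    return schema.get("definitions", {}).get("custom", {}).get("properties", {})


def check_asa_schema(schema: dict) -> List[str]:
    """Return a list of problems; an empty list means both attributes are correct."""
    problems: List[str] = []
    custom = _custom_properties(schema)

    for external_name, display_name in REQUIRED_ATTRIBUTES.items():
        # Match on externalName: the variable name is the admin's own choice.
        matches = [(var, prop) for var, prop in custom.items()
                   if prop.get("externalName") == external_name]
        if not matches:
            # Report near misses separately: wrong case or stray whitespace
            # looks right in the UI but doesn't match the expected name.
            near = [prop.get("externalName") for prop in custom.values()
                    if str(prop.get("externalName", "")).strip().lower() == external_name.lower()]
            if near:
                problems.append(f"{external_name}: external name {near[0]!r} must match exactly")
            else:
                problems.append(f"{external_name}: attribute ({display_name}) is missing")
            continue
        if len(matches) > 1:
            problems.append(f"{external_name}: defined more than once "
                            f"({', '.join(var for var, _ in matches)})")
        var, prop = matches[0]
        if prop.get("externalNamespace") != ASA_NAMESPACE:
            problems.append(f"{var}: externalNamespace is {prop.get('externalNamespace')!r}, "
                            f"expected {ASA_NAMESPACE!r}")
        if prop.get("type") != "array" or prop.get("items", {}).get("type") != "string":
            problems.append(f"{var}: data type must be string array")
        # Assumption: "User personal" in the Profile Editor is scope SELF in the API.
        if prop.get("scope") != "SELF":
            problems.append(f"{var}: scope must be User personal (SELF)")
    return problems


# Constructed sample of a correct schema (not exported from a real tenant).
SAMPLE_SCHEMA = {
    "definitions": {
        "base": {"type": "object", "properties": {"userName": {"type": "string"}}},
        "custom": {
            "type": "object",
            "properties": {
                "adIdentity": {
                    "title": "Active Directory Identity",
                    "type": "array", "items": {"type": "string"},
                    "externalName": "activeDirectoryIdentity",
                    "externalNamespace": ASA_NAMESPACE, "scope": "SELF",
                },
                "adPasswordlessIdentity": {
                    "title": "Active Directory Passwordless Identity",
                    "type": "array", "items": {"type": "string"},
                    "externalName": "activeDirectoryPasswordlessIdentity",
                    "externalNamespace": ASA_NAMESPACE, "scope": "SELF",
                },
            },
        },
    }
}


def broken_sample() -> dict:
    """Copy of the sample with two common mistakes: wrong namespace, plain string type."""
    bad = copy.deepcopy(SAMPLE_SCHEMA)
    props = bad["definitions"]["custom"]["properties"]
    props["adIdentity"]["externalNamespace"] = "urn:scim:schemas:scaleft:user:2.0"
    props["adPasswordlessIdentity"]["type"] = "string"
    del props["adPasswordlessIdentity"]["items"]
    return bad


if __name__ == "__main__":
    # Usage: python check_asa_schema.py schema.json   (the saved API response);
    # with no argument the constructed sample is checked instead.
    schema = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SCHEMA
    found = check_asa_schema(schema)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it against the schema JSON saved from the API after creating the attributes; a non-zero exit with one line per problem tells you which of the exact settings to correct in the Profile Editor.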

Map Okta profile attributes to Advanced Server Access profile attributes

Now you need to map the Okta user profile attribute to the Advanced Server Access attribute. In the Admin Console, open the Profile Editor, locate the Okta Advanced Server Access User profile, and click Mappings. Create a mapping from the Okta user attribute you created in step 1 to the Advanced Server Access attribute you created in step 3. See Map Okta attributes to app attributes in the Profile Editor.

Assign users or groups to Advanced Server Access

After you complete the previous steps, your attributes are configured and ready to use. From now on, every user assigned to Advanced Server Access has these attributes in their Advanced Server Access user profile, populated from the Okta profile attribute you mapped. See Assign applications to users.

Assign project-level attribute overrides

Sometimes the AD account a user needs differs from one environment to another. In that case, you can override the user's account attributes on a per-project basis. See Set project-level user and group attributes in Advanced Server Access.