Enable delegated authentication for Active Directory

Delegated authentication allows users to sign in to Okta by entering credentials for their organization's Active Directory (AD) or Windows networked single sign-on (SSO). It also allows users to sign in to Okta by using credentials from user stores that employ the Lightweight Directory Access Protocol (LDAP). See Enable delegated authentication for LDAP.

Before you begin

Integrate your AD instance with Okta. See Manage your Active Directory integration.

Enable AD delegated authentication

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Provisioning tab and select Integration in the Settings list.
  4. Scroll to Delegated Authentication and select Enable delegated authentication to Active Directory.
  5. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an AD username and password and click Authenticate.
     3. Click Close when authentication completes.
  6. Click Save.

Enable desktop single sign-on

Desktop Single Sign-on (SSO) allows users to automatically authenticate with Okta, and any apps accessed through Okta, whenever they sign in to your Windows network. The Okta IWA Web App uses Microsoft IWA and ASP.NET to authenticate users from specified gateway IPs. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

View Del Auth System Log information

To help identify bottlenecks, the System Log includes information about the duration of each delegated authentication (Del Auth) request. The System Log includes times in milliseconds for the following delegated authentication properties:

  • delAuthTimeSpentAtAgent: The total time the agent spent processing the request. This includes the time spent at the Domain Controller.
  • delAuthTimeSpentAtDomainController: The time spent at the Domain Controller.

AD agent version 3.1.0 or later is required for this feature.

  1. In the Okta Admin Console, go to Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click View Logs at the top of the page.
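Because delAuthTimeSpentAtAgent includes the Domain Controller time, subtracting the two properties isolates the agent's own overhead and tells you whether a slow Del Auth request was spent at the Domain Controller or at the agent host. The following script is an added example, not Okta's code: it reads a constructed newline-delimited export of System Log events and classifies slow requests. The placement of the two properties under debugContext.debugData is an assumption about the export format; adjust the path if your export differs.

```python
import json

# Constructed sample events in the shape of a System Log export (not real
# Okta output). The Del Auth timing properties are assumed to sit under
# debugContext.debugData; adjust del_auth_breakdown() if yours differ.
SAMPLE_LOG = """
{"uuid": "evt-1", "debugContext": {"debugData": {"delAuthTimeSpentAtAgent": "110", "delAuthTimeSpentAtDomainController": "95"}}}
{"uuid": "evt-2", "debugContext": {"debugData": {"delAuthTimeSpentAtAgent": "2400", "delAuthTimeSpentAtDomainController": "2310"}}}
{"uuid": "evt-3", "debugContext": {"debugData": {"delAuthTimeSpentAtAgent": "1800", "delAuthTimeSpentAtDomainController": "120"}}}
{"uuid": "evt-4", "debugContext": {"debugData": {"requestId": "not-a-del-auth-event"}}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def del_auth_breakdown(event):
    """Return (agent_ms, dc_ms, agent_overhead_ms), or None when the event
    carries no Del Auth timing data (for example a non-AD sign-in)."""
    data = event.get("debugContext", {}).get("debugData", {})
    try:
        agent_ms = int(data["delAuthTimeSpentAtAgent"])
        dc_ms = int(data["delAuthTimeSpentAtDomainController"])
    except (KeyError, ValueError):
        return None
    # Agent time includes DC time, so the difference is the agent's own
    # overhead (queueing, connection setup, load on the agent host).
    return agent_ms, dc_ms, agent_ms - dc_ms


def classify_slow_requests(events, threshold_ms=1000):
    """Return (uuid, location) for requests whose total agent time exceeds
    threshold_ms; location is 'domain_controller' or 'agent', whichever
    accounts for the larger share of delAuthTimeSpentAtAgent."""
    slow = []
    for ev in events:
        breakdown = del_auth_breakdown(ev)
        if breakdown is None or breakdown[0] < threshold_ms:
            continue
        _agent_ms, dc_ms, overhead_ms = breakdown
        where = "domain_controller" if dc_ms >= overhead_ms else "agent"
        slow.append((ev.get("uuid"), where))
    return slow


if __name__ == "__main__":
    for uuid, where in classify_slow_requests(parse_events(SAMPLE_LOG)):
        print(f"{uuid}: bottleneck at {where}")
```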

Just-In-Time provisioning

For additional details about using Just-In-Time (JIT) provisioning with Active Directory, see Add and update users with Active Directory Just-In-Time provisioning. For JIT provisioning with Desktop SSO, see Configure general customization settings.

When JIT is enabled for your org and delegated authentication is selected for your AD integration, JIT is used to create user profiles and import user data.

Related topics

Password policies

Manage self-service password reset

Multifactor Authentication