Enable delegated authentication for LDAP
Delegated authentication allows users to sign in to Okta by entering credentials for their organization's Lightweight Directory Access Protocol (LDAP) user store. It also allows users to sign in to Okta by using credentials from their organization's Active Directory (AD) or Windows networked single sign-on (SSO). See Enable delegated authentication for Active Directory.
Enable LDAP delegated authentication
Enable delegated authentication if you want LDAP to authenticate your users when they sign in to Okta.
Prerequisite: Install and configure the Okta LDAP agent. See Manage your LDAP integration.
Delegated authentication is turned on by default when you add an LDAP integration to an org.
- In the Admin Console, go to .
- Click the LDAP tab.
- In Delegated Authentication, click Edit.
- Select Enable delegated authentication to LDAP.
- Optional. Test the delegated authentication settings:
- Click Test Delegated Authentication.
- Enter an LDAP username and password and click Authenticate.
- Click Close when authentication completes.
- Click Save.
Allow end users to change or reset their LDAP passwords
You can allow your end users to change their LDAP passwords in Okta. When a user's password expires, they're prompted to change them the next time they attempt to sign into Okta.
End users can change their passwords from their Okta dashboard by clicking the dropdown menu by their name and selecting .
This feature requires Okta LDAP Agent version 5.3.0 or later. This feature works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM) 5.3.0. Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or higher. For agent installation instructions, see LDAP integration.
- In the Admin Console, go to .
- Click the LDAP tab.
- In Delegated Authentication, click Edit.
- Select Enable delegated authentication to LDAP.
- Under LDAP Password Policy, select Users can change their LDAP passwords in Okta.
- In the Password Rules Message field, describe the password policy rules that your end users must follow when changing their passwords.
- Select Users can reset forgotten LDAP passwords in Okta.
When you create or import and activate new users, they're prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.
If end users forget their passwords, or their LDAP account gets locked from too many failed sign in attempts, they can click the Okta Sign-In Widget to reset their password using email or SMS.
link on the- Reset via email: End users enter their username or email address and then click the Send Email button. Users then receive an account password reset email that expires in 24 hours. This resets both the user's Okta and LDAP passwords. For users who click the Forgot password? link because an account was locked, this changes their LDAP password and unlocks their account.
- Reset via SMS: End users enter their username or email address and then click the Send Text Message button. This prompts a text message containing a password reset code. Once received, users enter the code from their phone and continue through the prompts to reset their passwords
- Click Save.
View Del Auth System Log information
To help identify bottlenecks, the System Log includes information about the duration of each delegated authentication (Del Auth) request. The System Log includes times in milliseconds for the following delegated authentication properties:
- delAuthTimeTotal: The total time spent for Del Auth in Okta. This time consists of the total time at the agent and the queue wait time in Okta before an agent starts processing the request. The queue wait times can be high if there aren't enough agents to serve requests.
- delAuthTimeSpentAtAgent: The total time the agent spent processing the request. This includes the time spent at the Domain Controller.
- delAuthTimeSpentAtDomainController: The time spent at the Domain Controller.
- On the Okta Admin Console, click .
- Select an LDAP instance.
- Click View Logs at the top of the page.
Just-In-Time provisioning
When Just-In-Time (JIT) is enabled for your org and delegated authentication is selected for your LDAP integration, JIT is used to create user profiles and import user data.