Configure Active Directory account mapping

Before you begin

Tasks

  1. Add attribute to the Okta profile template
  2. Map AD attributes to Okta profiles
  3. Add attributes to the Advanced Server Access profile template
  4. Map Okta profile attributes to Advanced Server Access profile attributes
  5. Assign users or groups to Advanced Server Access
  6. Optional. Assign project-level attribute overrides

Add attribute to the Okta profile template

The first step is to add an attribute to the default Okta user profile. This attribute stores the AD usernames (one or more) that belong to a specific Okta account.

In the Admin Console, use the Profile Editor to add an attribute to the default Okta user profile with the string array data type. You can configure the other settings to meet your organizational needs. See Add custom attributes to an Okta user profile.

Map AD attributes to Okta profiles

Next, you need to map AD attributes to your Okta user profiles. In the Admin Console, open the Profile Editor, locate your AD directory integration, and click Mappings. Because the target attribute is a string array, you need an Okta Expression Language expression rather than a plain attribute-to-attribute mapping. Locate the field that you created and enter the following expression in the left column:

Arrays.add(Arrays.toCsvString({}),appuser.userName)

Add attributes to the Advanced Server Access profile template

This process isn't needed for new teams. Existing teams can contact Okta support for assistance.

Next, you must add two attributes to the default Advanced Server Access user profile. Advanced Server Access uses these attributes to store AD user accounts available to a user. Both attributes are required and must use the exact settings specified.

In the Admin Console, use the Profile Editor to add attributes to the default Advanced Server Access user profile.

Active Directory Identity

  • Data type: string array
  • Display name: Active Directory Identity
  • Variable name: activeDirectoryIdentity
  • External name: activeDirectoryIdentity
  • External namespace: urn:scim:schemas:scaleft:user:1.0
  • Description: Comma-separated list of AD accounts available to an Okta user. Users must manually enter a password when using these accounts.
  • Scope: Personal

Active Directory Passwordless Identity

  • Data type: string array
  • Display name: Active Directory Passwordless Identity
  • Variable name: activeDirectoryPasswordlessIdentity
  • External name: activeDirectoryPasswordlessIdentity
  • External namespace: urn:scim:schemas:scaleft:user:1.0
  • Description: Comma-separated list of AD accounts available to an Okta user. Users don't need to enter a password when using these accounts.
  • Scope: Personal

Make sure to enter the External name and External namespace fields exactly as written. Advanced Server Access identifies the attributes by these two values, so any difference means the mapped accounts never reach it.

You can configure the other settings to meet your organizational needs. Because accounts listed in Active Directory Passwordless Identity can be used without entering a password, treat that attribute as a privileged grant and populate it only with accounts that should be usable without an additional credential.
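As an added check (example code, not part of the Okta documentation), the following Python verifies that an Advanced Server Access app user schema carries both attributes with the exact settings listed above. It assumes the document layout returned by Okta's Schemas API for app users (`GET /api/v1/meta/schemas/apps/{appId}/default`, custom attributes under `definitions.custom.properties`); the `fetch_schema` helper, the `_prop` builder and the two sample schemas are constructed for illustration.

```python
"""Verify the two AD identity attributes on an Advanced Server Access app user
schema. Added example; assumes the Okta Schemas API document layout."""
import json
import urllib.request

SCIM_NAMESPACE = "urn:scim:schemas:scaleft:user:1.0"

# Required settings from the procedure above, keyed by variable name.
REQUIRED_ATTRIBUTES = {
    "activeDirectoryIdentity": {
        "externalName": "activeDirectoryIdentity",
        "externalNamespace": SCIM_NAMESPACE,
    },
    "activeDirectoryPasswordlessIdentity": {
        "externalName": "activeDirectoryPasswordlessIdentity",
        "externalNamespace": SCIM_NAMESPACE,
    },
}


def fetch_schema(org_url: str, app_id: str, api_token: str) -> dict:
    """Fetch the app user schema with an SSWS API token (assumed helper, not used offline)."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/meta/schemas/apps/{app_id}/default",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_schema(schema: dict) -> list[str]:
    """Return problems found in the schema; an empty list means both attributes
    exist as string arrays with the required external name and namespace."""
    problems = []
    custom = schema.get("definitions", {}).get("custom", {}).get("properties", {})
    for name, required in REQUIRED_ATTRIBUTES.items():
        prop = custom.get(name)
        if prop is None:
            problems.append(f"{name}: attribute missing")
            continue
        if prop.get("type") != "array" or prop.get("items", {}).get("type") != "string":
            problems.append(f"{name}: data type must be string array")
        for field, want in required.items():
            got = prop.get(field)
            if got != want:
                problems.append(f"{name}: {field} is {got!r}, expected {want!r}")
    return problems


def _prop(external_name: str, namespace: str, type_: str = "array") -> dict:
    """Build one schema property in the shape the Profile Editor stores (assumed layout)."""
    prop = {"title": external_name, "type": type_,
            "externalName": external_name, "externalNamespace": namespace}
    if type_ == "array":
        prop["items"] = {"type": "string"}
    return prop


# Constructed sample schemas (not real Okta output). GOOD_SCHEMA matches the
# procedure; BAD_SCHEMA has a truncated namespace, a plain-string type and a
# missing passwordless attribute.
GOOD_SCHEMA = {"definitions": {"custom": {"properties": {
    "activeDirectoryIdentity": _prop("activeDirectoryIdentity", SCIM_NAMESPACE),
    "activeDirectoryPasswordlessIdentity": _prop("activeDirectoryPasswordlessIdentity", SCIM_NAMESPACE),
}}}}
BAD_SCHEMA = {"definitions": {"custom": {"properties": {
    "activeDirectoryIdentity": _prop("activeDirectoryIdentity", "urn:scim:schemas:scaleft:user:1", "string"),
}}}}

if __name__ == "__main__":
    for label, schema in (("good", GOOD_SCHEMA), ("bad", BAD_SCHEMA)):
        print(label, check_schema(schema) or ["ok"])
```

Run it against a live tenant by replacing the sample with `check_schema(fetch_schema("https://your-org.okta.com", "<appId>", token))`; a non-empty result after an existing team has had the attributes added by Okta support is the first thing to look at when accounts fail to appear.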

Map Okta profile attributes to Advanced Server Access profile attributes

Now you need to map the Okta user profile attribute to the Advanced Server Access attributes. In the Admin Console, open the Profile Editor, locate the Okta Advanced Server Access User profile, and click Mappings. Create a mapping from the Okta user attribute that you created in step 1 to whichever of the two Advanced Server Access attributes from step 3 should receive those accounts. See Map Okta attributes to app attributes in the Profile Editor.

Assign users or groups to Advanced Server Access

After you complete the previous steps, your attributes are configured and ready to use. Users newly assigned to Advanced Server Access receive these attributes in their app profile. See Assign applications to users.
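To confirm that assigned users actually received the attributes, here is an added Python audit (example code, not part of the Okta documentation) that runs over Advanced Server Access app user objects. It assumes the app user shape returned by `GET /api/v1/apps/{appId}/users` (`credentials.userName` plus a `profile` holding the app attributes) and Okta's `Link: <url>; rel="next"` pagination; `iter_app_users` is the assumed fetch helper, and the three sample users are constructed.

```python
"""Audit AD account attributes on Advanced Server Access app users.
Added example; assumes the Okta app user object layout."""
import json
import re
import urllib.request
from typing import Optional

IDENTITY = "activeDirectoryIdentity"
PASSWORDLESS = "activeDirectoryPasswordlessIdentity"


def next_page(link_headers: list[str]) -> Optional[str]:
    """Extract the URL tagged rel="next" from Link headers, if any."""
    for header in link_headers:
        match = re.search(r'<([^>]+)>;\s*rel="next"', header)
        if match:
            return match.group(1)
    return None


def iter_app_users(org_url: str, app_id: str, api_token: str, limit: int = 200):
    """Yield app user objects page by page (assumed helper, not used offline)."""
    url = f"{org_url}/api/v1/apps/{app_id}/users?limit={limit}"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            yield from json.load(resp)
            url = next_page(resp.headers.get_all("Link") or [])


def audit_app_user(app_user: dict) -> list[str]:
    """Return findings for one app user. Levels: error (mapping broken),
    warn (ambiguous or empty), info (passwordless grant that deserves review)."""
    login = app_user.get("credentials", {}).get("userName") or app_user.get("id", "?")
    profile = app_user.get("profile", {})
    findings, accounts = [], {}
    for attr in (IDENTITY, PASSWORDLESS):
        value = profile.get(attr)
        accounts[attr] = []
        if value is None:
            continue
        if not isinstance(value, list):
            # A plain string here means the Okta attribute or mapping isn't a string array.
            findings.append(f"error {login}: {attr} is {type(value).__name__}, expected string array")
            continue
        for entry in value:
            if not isinstance(entry, str) or not entry.strip():
                findings.append(f"error {login}: {attr} has an empty or non-string entry")
            elif entry in accounts[attr]:
                findings.append(f"warn {login}: {attr} lists {entry!r} twice")
            else:
                accounts[attr].append(entry)
    # The same AD account in both lists leaves it unclear whether a password is required.
    for acct in sorted(set(accounts[IDENTITY]) & set(accounts[PASSWORDLESS])):
        findings.append(f"warn {login}: {acct!r} is in both {IDENTITY} and {PASSWORDLESS}")
    if not accounts[IDENTITY] and not accounts[PASSWORDLESS]:
        findings.append(f"warn {login}: no AD accounts mapped")
    for acct in accounts[PASSWORDLESS]:
        findings.append(f"info {login}: passwordless access to {acct!r}")
    return findings


def audit_all(app_users) -> dict[str, list[str]]:
    """Map each login to its findings, omitting users with none."""
    report = {}
    for user in app_users:
        findings = audit_app_user(user)
        if findings:
            report[user["credentials"]["userName"]] = findings
    return report


# Constructed sample app users (not real Okta output).
SAMPLE_APP_USERS = [
    {"id": "0ua1", "credentials": {"userName": "alice@example.com"},
     "profile": {IDENTITY: ["CORP\\alice", "CORP\\alice-adm"], PASSWORDLESS: []}},
    {"id": "0ua2", "credentials": {"userName": "bob@example.com"},
     "profile": {IDENTITY: "CORP\\bob", PASSWORDLESS: None}},
    {"id": "0ua3", "credentials": {"userName": "carol@example.com"},
     "profile": {IDENTITY: ["CORP\\carol", "CORP\\carol"],
                 PASSWORDLESS: ["CORP\\carol", "CORP\\svc-deploy"]}},
]

if __name__ == "__main__":
    for login, findings in audit_all(SAMPLE_APP_USERS).items():
        print(login, *findings, sep="\n  ")
```

Against a live tenant, call `audit_all(iter_app_users("https://your-org.okta.com", "<appId>", token))`. A string where a list is expected (Bob) is the usual symptom of the Okta-side attribute having been created as a plain string instead of a string array in step 1; the info lines give you the full list of passwordless grants to review.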

Assign project-level attribute overrides

Sometimes a user's AD account differs across environments. In cases like this, you can override the account attributes for that user on a per-project basis. See Set project-level attribute overrides.