Delegated authentication with Active Directory
When Okta is integrated with an Active Directory (AD) instance, delegated authentication is enabled by default. With delegated authentication, Okta does not hold a copy of the user's AD password; every sign-in is checked against AD at that moment. This is what happens when users sign in to Okta:
- The user enters their username and password on the Okta end user sign-in page. The page is served over TLS (SSL) and shows the user's security image to help them spot a phishing copy; multi-factor authentication (for example a security question or a smartphone soft token) can also be required.
- Okta forwards the username and password over the TLS connection that the Okta Active Directory (AD) agent established during setup. The agent is a lightweight Windows service that runs on-premises behind the firewall and connects outbound to Okta, so no inbound port has to be opened for it.
- The Okta AD agent passes the credentials to an AD domain controller for authentication.
- The domain controller validates the username and password, and the agent returns a yes or no answer to Okta. The password itself is not stored by Okta.
- A yes answer confirms the user's identity: the user is authenticated and taken to their Okta home page. A no answer (a wrong password, or an account that AD will not log on, such as a disabled or locked-out one) means the sign-in is rejected.
For high availability and failover, install two or more Okta AD agents on separate servers in each domain. If an agent stops running or loses network connectivity, Okta automatically routes authentication requests to the remaining agents. Because every delegated sign-in depends on an agent reaching a domain controller, a single agent is a single point of failure for signing in to Okta.
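The check an administrator would run to confirm that the redundancy above actually exists, as an added example that is not Okta's code: it queries the agent service on each server and the two paths an agent depends on, the secure channel to a domain controller and outbound HTTPS to the Okta org. It assumes WinRM is enabled on the agent hosts (and that the remote session has the local administrator rights `Test-ComputerSecureChannel` needs), and that the agent runs as the Windows service named `OktaADAgent`; verify that name on an agent host with `Get-Service` before relying on it. The server and org host names are placeholders.

```powershell
# Added example (not Okta's code). Reports, per agent server, whether the agent
# service is running, whether the host has a working secure channel to a DC, and
# whether it can open TCP 443 to the Okta org. Assumptions: WinRM is enabled,
# the service name is 'OktaADAgent' (verify with Get-Service on an agent host),
# and the host names below are placeholders.
function Get-OktaAgentHealth {
    param(
        [Parameter(Mandatory)] [string[]] $AgentServers,
        [string] $ServiceName = 'OktaADAgent',
        [string] $OktaOrgHost = 'example.okta.com'
    )
    foreach ($server in $AgentServers) {
        try {
            $r = Invoke-Command -ComputerName $server -ErrorAction Stop `
                -ArgumentList $ServiceName, $OktaOrgHost -ScriptBlock {
                param($svcName, $orgHost)
                $svc = Get-Service -Name $svcName -ErrorAction Stop
                [pscustomobject]@{
                    Status        = $svc.Status.ToString()
                    # The agent forwards credentials to a DC; a broken secure channel
                    # means this agent will fail every request it is handed.
                    DcReachable   = Test-ComputerSecureChannel
                    # The agent only opens outbound 443 to Okta; nothing inbound is needed.
                    OktaReachable = (Test-NetConnection -ComputerName $orgHost -Port 443 `
                                        -WarningAction SilentlyContinue).TcpTestSucceeded
                }
            }
            [pscustomobject]@{
                Server = $server; Status = $r.Status
                DcReachable = $r.DcReachable; OktaReachable = $r.OktaReachable; Error = $null
            }
        } catch {
            # Unreachable host or missing service: treat as an unavailable agent.
            [pscustomobject]@{
                Server = $server; Status = 'Unknown'
                DcReachable = $false; OktaReachable = $false; Error = $_.Exception.Message
            }
        }
    }
}

$health = Get-OktaAgentHealth -AgentServers 'okta-agent-01.corp.example.com', 'okta-agent-02.corp.example.com'
$health | Format-Table -AutoSize

# Two healthy agents is the minimum for failover; one healthy agent means sign-in
# to Okta stops the moment that server or its network path fails.
$healthy = @($health | Where-Object { $_.Status -eq 'Running' -and $_.DcReachable -and $_.OktaReachable })
if ($healthy.Count -lt 2) {
    Write-Warning "Only $($healthy.Count) healthy agent(s); sign-in has no failover until a second agent is up."
}
```

Run this from a management host on a schedule; an agent whose service is running but whose secure channel or outbound path is broken is counted as unhealthy on purpose, because Okta will still hand it requests until it disconnects.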
With delegated authentication (DelAuth), AD remains the immediate and authoritative source for credential validation: each sign-in is checked against AD at that moment, not against a copy held by Okta. A password change, lockout, or deactivation in AD therefore takes effect at the user's next Okta sign-in, without waiting for a directory import. It does not by itself end an Okta session that is already established; that session remains valid until it expires or the user is deactivated in Okta (by a later import or by an administrator).
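To see the yes/no answer from the sign-in steps above and the AD account state that produces it, here is an added example (not Okta's code) that performs the same logon check against a domain controller that the controller performs for the agent. It assumes a domain-joined host with the RSAT ActiveDirectory module installed, and uses `corp.example.com` as a placeholder domain; the credential is prompted for rather than written into the script.

```powershell
# Added example (not Okta's code). Validates a username/password against a DC the
# way the DC answers the Okta AD agent, then shows the account attributes that
# decide the answer. Assumes a domain-joined host with the RSAT ActiveDirectory
# module; 'corp.example.com' is a placeholder domain name.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
Import-Module ActiveDirectory

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    # ValidateCredentials performs a real logon against a DC. It returns $false for
    # a wrong password and also for an account that is disabled, locked out, or
    # expired, which is why an AD change takes effect at the next Okta sign-in.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        return $ctx.ValidateCredentials($UserName, $plain,
            [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)
    } finally {
        $ctx.Dispose()
        $plain = $null
    }
}

function Get-AccountState {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # These attributes make the DC say "no" even when the password is correct.
    Get-ADUser -Identity $SamAccountName `
        -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet, AccountExpirationDate |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, PasswordLastSet, AccountExpirationDate
}

# Usage: prompt for the account to test; never hard-code passwords in scripts.
$cred = Get-Credential -Message 'AD account to test against the domain controller'
$sam = $cred.UserName -replace '^.*\\', ''   # strip a DOMAIN\ prefix if one was typed
$accepted = Test-DomainCredential -Domain 'corp.example.com' -UserName $sam -Password $cred.Password
"DC answer for ${sam}: " + $(if ($accepted) { 'yes' } else { 'no' })
Get-AccountState -SamAccountName $sam | Format-List
```

Disable the test account in AD and run the script again: the answer flips to no immediately, with no import involved, while `Get-AccountState` shows `Enabled : False` as the reason. That is the behaviour the paragraph above describes, and it is also why an Okta session opened before the change is unaffected: nothing in this check touches an existing session.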