This is an Early Access (EA) feature. EA features are opt-in features that you can try out in your org by asking Okta Support to enable them; additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. To enable this feature, please contact Okta Support.

Connecting to Okta using the LDAP Interface


The LDAP Interface allows cloud-based LDAP authentication against Universal Directory (UD) instead of an LDAP server or Active Directory (AD). Because these apps authenticate against UD, Okta can control access and centralize credentials for applications that support the LDAP authentication protocol.

The LDAP Interface is a cloud proxy that consumes LDAP commands and translates them to Okta API calls, providing a straightforward path to authenticate legacy LDAP apps in the cloud. This also enables you to centralize and manage all your LDAP resources (policies, users, apps) within Okta. (In Okta literature, "users" generally refers to the people who serve as Okta administrators, and "end users" to the people the administrators serve: those who use Okta chiclets to access their apps but have no administrative control.) You can also add seamless MFA with Okta Verify Push to your LDAP apps, providing an extra layer of security.

With typical LDAP integrations, a physical Okta LDAP agent is required. (A software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, you can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.) The LDAP Interface allows you to connect LDAP applications to Okta's Universal Directory without installing and maintaining physical LDAP agents.

How is this different from Okta's LDAP Agent?

The LDAP agent synchronizes identities to or from an existing LDAP directory. The LDAP Interface, on the other hand, lets you migrate certain apps off unnecessary LDAP or AD servers and onto Okta.

In certain cases, however, you may not be in a position to deprecate your LDAP or AD servers, in which case synchronization may be the more pragmatic solution. Additionally, unlike the LDAP Interface, which Okta manages in the cloud, the LDAP agent usually has to be deployed inside your firewall.

With the LDAP Interface, authentication is done directly against Okta. In addition, the LDAP Interface supports other LDAP operations, such as search.

All authentication policies for the LDAP Interface are enforced through the Okta sign-on policy. If you want to require MFA for LDAP apps, set up network zones for the LDAP apps that will connect to Okta and MFA policies for those zones; any connection coming from those zones will then be required to use MFA. You can also do the reverse and use policies to exempt LDAP apps in a zone from MFA.
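The zone-based decision described above, modelled in Python as an added example (this is not Okta's code or a copy of its policy engine). The zone names, CIDR ranges and bind records are constructed for illustration, and the model assumes first-match evaluation of rules listed in priority order; it also includes a small audit pass that flags binds which completed without MFA from a zone where policy requires it, which is the check a defender would run over LDAP Interface sign-in records.

```python
"""Model of zone-based MFA rules for LDAP Interface binds (added example, not Okta's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    """A network zone: a named set of CIDR ranges (values below are constructed)."""
    name: str
    cidrs: Tuple[str, ...]

    def contains(self, source_ip: str) -> bool:
        addr = ip_address(source_ip)
        return any(addr in ip_network(cidr, strict=False) for cidr in self.cidrs)


@dataclass(frozen=True)
class Rule:
    """One sign-on policy rule: applies when the bind's source IP falls in `zone`
    (None means any network) and states whether MFA is required."""
    name: str
    zone: Optional[str]
    require_mfa: bool


# Constructed sample configuration, not taken from any real org.
ZONES = (
    Zone("ldap-app-servers", ("10.20.0.0/24", "10.21.0.0/24")),
    Zone("legacy-scanner", ("10.20.0.77/32",)),
)

# Rules in priority order; the first matching rule wins (assumed here to mirror
# first-match evaluation of Okta policy rules). Note that the exemption rule
# sits above the broader zone rule: order it the other way and the exemption
# never fires, because 10.20.0.77 is also inside 10.20.0.0/24.
RULES = (
    Rule("legacy scanner exempt from MFA", zone="legacy-scanner", require_mfa=False),
    Rule("LDAP app servers must use MFA", zone="ldap-app-servers", require_mfa=True),
    Rule("catch-all: password only", zone=None, require_mfa=False),
)


def evaluate(source_ip: str, rules=RULES, zones=ZONES) -> Tuple[str, bool]:
    """Return (matching rule name, mfa_required) for an LDAP bind from source_ip."""
    zone_by_name = {z.name: z for z in zones}
    for rule in rules:
        if rule.zone is None or zone_by_name[rule.zone].contains(source_ip):
            return rule.name, rule.require_mfa
    raise LookupError("no rule matched; keep a catch-all rule at the bottom")


def audit(bind_log: Iterable[Tuple[str, str, bool]], rules=RULES, zones=ZONES) -> List[str]:
    """Flag binds that completed without MFA although the matching rule requires it.

    bind_log yields (source_ip, user, mfa_used) tuples; the sample in main() is constructed.
    """
    findings = []
    for source_ip, user, mfa_used in bind_log:
        rule, required = evaluate(source_ip, rules, zones)
        if required and not mfa_used:
            findings.append(f"{user}@{source_ip}: bound without MFA but '{rule}' requires it")
    return findings


if __name__ == "__main__":
    sample_binds = [  # constructed bind records
        ("10.20.0.15", "svc-jenkins", True),
        ("10.20.0.16", "svc-wiki", False),
        ("10.20.0.77", "scanner", False),
        ("192.0.2.44", "alice", False),
    ]
    for finding in audit(sample_binds):
        print(finding)
```

Run as a script it prints one finding, for `svc-wiki`: the bind from the app-server zone completed without MFA. The scanner's bind is not flagged because the narrower exemption rule is matched first, which is exactly the ordering you need to check when you use the "reverse" policy the paragraph mentions.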
