When you install the Okta AD agent, or when the needs of your business change, you define how user data is managed and updated.
- On the Okta Admin Console, click Directory > Directory Integrations.
- Click Active Directory and then click the Settings tab.
- Scroll to Create Users and click Enable.
Enabling Create Users lets Okta create users in Active Directory (AD). This allows you, for example, to import users from an HR system, create the users in Okta, and then have Okta create the users in AD. The HR system is the master, with Okta and AD being updated based on changes in the HR master. Alternatively, Okta can be the source of truth for all user information and push those updates into AD.
To implement this functionality, you first need to create a group in Okta and then assign that group to your AD instance. When users are added to the group, they are also created in AD. A common scenario is to use group rules in this kind of flow to add users to the AD provisioning group automatically.
- In the Activation email recipient field, enter the email address of the Okta admin who receives activation emails with the Okta user's password. The admin is responsible for giving the end user their Okta password.
- In the AD username format list, select the format for the AD username:
- Custom — Select this option to use a custom AD user name. Enter an Okta Expression Language expression that defines the user name format. To validate your mapping expression, enter a user name and click the view icon. See Modify attributes with expressions.
- Email — Select this option to use an email address for the AD user name.
- Email prefix — Select this option to use an email prefix for the AD user name.
- From Okta username — Select this option to generate the AD user name from the Okta user name.
- LDAP UID + custom suffix — Select this option to use the LDAP user ID and a custom suffix as the AD user name.
- Okta username — Select this option to use the Okta user name as the AD user name.
- Okta username prefix — Select this option to use the Okta user name prefix as the AD user name.
- Click Enable next to Update User Attributes to update a user's attributes in AD when an app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in AD. See Enable Okta-mastered user Organizational Unit updates.
This is an Early Access feature. To enable it, contact Okta Support.
Select Update OU when the group that provisions a user to AD changes. When selected, an Okta-mastered user's organizational unit (OU) is updated whenever the group that provisions that user to AD changes.
If an Okta-mastered user's OU changes in AD, that change is not reflected in Okta, because Okta is the master for that user. The next time the user is updated in Okta, they are provisioned back to the OU set in Okta.
Warning: When Profile Push is enabled, Okta updates the CN attribute in AD. If a mapping is defined for the cn property in the Profile Editor, that mapping is applied. If there is no mapping, or if the behavior for the CN mapping is set to Do not map, the CN is set to First Name + " " + Last Name.
Click Enable next to Deactivate Users to deactivate a user's AD account when it is unassigned in Okta or their Okta account is deactivated.
Click Enable next to Profile Master to make AD the identity authority for connected users. When selected, user profiles are not editable in Okta and changes are synchronized to Okta during provisioning events.
In the When a user is deactivated in the app list, select one of these options:
- Do Nothing — Select this option to keep the user account active.
- Deactivate the Okta user — Select this option to automatically deactivate the Okta user when they are deactivated in the target app.
- Suspend Okta User — Select this option to automatically suspend the Okta user when they are deactivated in the target app.
For When a user is reactivated in the app, select one of these options:
- Reactivate suspended Okta users — Select this option to reactivate a suspended Okta user when they are reactivated in the app.
- Reactivate deactivated Okta users — Select this option to reactivate a deactivated Okta user when they are reactivated in the app.
Click Enable next to Sync Password to make a user's AD password the same as their Okta password.
Click Save Settings.
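The settings above are applied in the Admin Console, so the check a practitioner wants is on the AD side: did Okta actually create the test user, place them in the OU that belongs to the provisioning group, set the CN the way the warning describes, and disable the account when the user is unassigned or deactivated? The following PowerShell script is an added example, not code from Okta's documentation. It assumes a domain-joined host with the RSAT ActiveDirectory module, and the constructed values jane.doe@example.com (the UPN the chosen AD username format produces for the test user) and OU=OktaUsers,DC=example,DC=com (the OU the provisioning group maps to); replace both with your own.

```powershell
# Added verification script (not part of the Okta documentation). After saving the
# settings above and adding a test user to the AD provisioning group, run this on a
# domain-joined host with the RSAT ActiveDirectory module to confirm what Okta wrote.
# Constructed assumptions: the test user's AD username format yields the UPN
# jane.doe@example.com, and the provisioning group maps to OU=OktaUsers,DC=example,DC=com.
Import-Module ActiveDirectory

$Upn        = 'jane.doe@example.com'
$ExpectedOU = 'OU=OktaUsers,DC=example,DC=com'

$u = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties cn, whenChanged
if (-not $u) {
    throw "No AD account with UPN $Upn. Check that Create Users is enabled and that the user is in the group assigned to the AD instance."
}

# 1. OU placement (Update OU when the group that provisions a user to AD changes):
#    strip the leading CN RDN from the DN, tolerating escaped commas inside the CN.
$actualOU = $u.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''
if ($actualOU -ne $ExpectedOU) {
    Write-Warning "User is in '$actualOU', expected '$ExpectedOU'. If the OU was changed in AD, Okta moves the user back on the next update because Okta is the master."
}

# 2. CN rule from the warning above: with Profile Push and no cn mapping,
#    Okta sets CN to givenName + ' ' + sn.
$expectedCn = "$($u.GivenName) $($u.Surname)"
if ($u.cn -ne $expectedCn) {
    Write-Warning "CN is '$($u.cn)'; without a cn mapping in the Profile Editor Okta pushes '$expectedCn'."
}

# 3. Deactivate Users: the AD account should be enabled while the user is assigned
#    in Okta and disabled once they are unassigned or deactivated in Okta.
[pscustomobject]@{
    UPN         = $u.UserPrincipalName
    OU          = $actualOU
    CN          = $u.cn
    Enabled     = $u.Enabled
    LastChanged = $u.whenChanged
}
```

Run it once after the user is added to the provisioning group (expect Enabled = True and no warnings), once after moving the user to a different OU in AD and then editing their Okta profile (expect the OU to revert), and once after unassigning or deactivating the user in Okta (expect Enabled = False). The whenChanged value shows whether the agent has written anything since your last change.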