Enable universal security group support
In Active Directory (AD), universal security groups (USGs) are most often used to assign permissions to related resources in multiple domains. Members from any domain can be added and you can assign permissions for access to resources in any domain. An Okta AD agent must be installed in every domain in your forest that contains the USG object that you want to synchronize with Okta. When you enable USG support, domain boundaries are ignored when you import group memberships for your users.
When a user's group memberships match any imported groups from connected domains in a forest, Okta synchronizes the memberships for the user to each group. USGs provide greater control of group imports from on-premises apps to Okta. Only groups from connected domains are imported.
- On the Okta Admin Console, click Directory > Directory Integrations.
- Select an Active Directory instance and click the Settings tab.
- Scroll down and select the Universal Security Group Support check box.
- Scroll down and click Save Settings.
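
To see which domains in the forest hold USG objects (and so need an Okta AD agent, as described above) and which USGs have members from other domains, the following PowerShell inventory can be run from a domain-joined host. It is an added example, not part of the Okta documentation; it assumes the RSAT ActiveDirectory module and read access to every domain, and `Get-DomainFromDN` is a hypothetical helper name.

```powershell
# Added example: inventory universal security groups (USGs) in the current forest.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

# Hypothetical helper: turn the DC= components of a distinguished name
# into a DNS-style domain name (DC=corp,DC=example,DC=com -> corp.example.com).
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $labels = $DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_ -replace '^DC=', '' }
    ($labels -join '.').ToLowerInvariant()
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Only universal-scope security groups; distribution groups are skipped.
    $groups = Get-ADGroup -Server $domain -Properties member `
        -Filter "GroupScope -eq 'Universal' -and GroupCategory -eq 'Security'"

    foreach ($g in $groups) {
        $groupDomain = Get-DomainFromDN $g.DistinguishedName

        # Domains of all direct members, derived from each member's DN.
        $memberDomains = @($g.member |
            ForEach-Object { Get-DomainFromDN $_ } |
            Sort-Object -Unique)

        [pscustomobject]@{
            Domain             = $groupDomain
            Group              = $g.SamAccountName
            MemberCount        = @($g.member).Count
            # Members that live outside the group's own domain.
            CrossDomainMembers = @($memberDomains |
                Where-Object { $_ -ne $groupDomain }) -join ', '
        }
    }
}

# Per-group detail: which USGs span domains.
$report | Sort-Object Domain, Group | Format-Table -AutoSize

# Per-domain summary: every domain listed here contains USG objects.
$report | Group-Object Domain | Select-Object Name, Count
```

Comparing the per-domain summary with the domains that already have an Okta AD agent shows where memberships will not be imported, since only groups from connected domains are imported.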