Active Directory integration known issues

The following are the known issues with Active Directory (AD) integrations:

  • If you're using a custom URL:

    • Agents: Use the actual domain (example.okta.com) and not the custom domain (example.customname.com).
    • IWA SSO: Modify the web.config file to include the custom url.
      <oktaSSOConfigGroup>
      <oktaSSOConfig orgOktaAuthenticationURL="https://example.customname.com/login/sso_iwa_auth"
      orgBackupOktaAuthenticationURL="https://example.customname.com/login/default"
      oktaSSOWebAppVersion="1.11.5.0">

    • Agentless DSSO: Make sure that all sign-in flows and browser bookmarks use the correct URL.
  • When you add a new attribute to an AD domain, restart every Okta AD agent connected to the domain. If an Okta AD agent isn't restarted, an Active Directory restriction causes the AD agents to base-64 encode the new attribute's values.
  • When renaming an AD domain, uninstall the Okta AD agent before you start the renaming process. When you complete the renaming process, reinstall the Okta AD agent with the new domain name. A renamed domain appears as a new AD app instance in Okta.
  • Sometimes, group membership information for AD-sourced users that is imported into Okta during Just-In-Time (JIT) provisioning isn't removed by full or incremental imports. Subsequent JIT or profile updates are required to update group membership information.
  • When the provisioning settings indicate Do nothing when users are deactivated, users remain active in Okta. When a single source provides user profile attributes, deactivated users are disconnected from the source and Okta becomes the source for user profile attributes.
  • When there's a large number of JIT-enabled directory integrations, JIT performance can degrade and cause the JIT request to fail with a timeout while searching for a user in all these directories.

    There are several factors that can contribute to JIT's performance degradation such as the performance of the on-prem agents and on-prem directory servers and the Okta service. If you experience any persistent issues, visit the Okta Help Center.

  • When Deactivate Users is disabled on the Provisioning tab, users that are deactivated from AD and reactivated in Okta through JIT provisioning don’t have Distribution Groups assigned to them. To resolve this, deactivate the user from AD and perform a full import.

Related topics

Configure a custom domain