Active Directory integration known issues

The following are the known issues with Active Directory (AD) integrations:

  • If you are using a custom URL:

    • Agents – Use the actual domain (example.okta.com) and not the custom domain (example.customname.com).
    • IWA SSO – Modify the web.config file to include the custom URL.

      <oktaSSOConfigGroup>
        <oktaSSOConfig orgOktaAuthenticationURL="https://example.customname.com/login/sso_iwa_auth"
                       orgBackupOktaAuthenticationURL="https://example.customname.com/login/default"
                       oktaSSOWebAppVersion="1.11.5.0" />
      </oktaSSOConfigGroup>

    • Agentless DSSO – Make sure that all sign-in flows and browser bookmarks use the correct URL.
  • When you add a new attribute to an AD domain, restart every Okta AD agent connected to the domain. If the Okta AD agents are not restarted, an Active Directory restriction causes the AD agents to base-64 encode the new attribute's values.
  • When renaming an AD domain, uninstall the Okta AD agent before you start the renaming process. When you complete the renaming process, reinstall the Okta AD agent with the new domain name. A renamed domain appears as a new AD app instance in Okta.
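
The following check for the IWA SSO custom URL item above is an added example, not part of the original Okta documentation. It confirms that both URL attributes in web.config point at the custom URL over HTTPS. The function name Test-OktaIwaUrls, the enclosing <configuration> element, and the sample XML (with the backup URL deliberately left on the Okta domain) are assumptions constructed for illustration.

```powershell
# Added example: verify that the IWA web.config URLs use the org's custom URL.
# Test-OktaIwaUrls is a hypothetical helper, not an Okta-provided cmdlet.
function Test-OktaIwaUrls {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $ExpectedHost
    )

    # Locate the element wherever the group sits in the file.
    $node = $Config.SelectSingleNode('//oktaSSOConfigGroup/oktaSSOConfig')
    if (-not $node) { throw 'oktaSSOConfig element not found in the supplied config' }

    foreach ($attr in 'orgOktaAuthenticationURL', 'orgBackupOktaAuthenticationURL') {
        $value = $node.GetAttribute($attr)
        $uri   = $null

        # A value passes only if it is an absolute https URL on the expected host.
        # String -eq is case-insensitive, which matches DNS host comparison.
        $ok = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri) -and
              $uri.Scheme -eq 'https' -and
              $uri.Host   -eq $ExpectedHost

        [pscustomobject]@{
            Attribute     = $attr
            Value         = $value
            UsesCustomUrl = $ok
        }
    }
}

# Constructed sample: the primary URL was updated, the backup URL was missed.
$sample = [xml]@'
<configuration>
  <oktaSSOConfigGroup>
    <oktaSSOConfig orgOktaAuthenticationURL="https://example.customname.com/login/sso_iwa_auth"
                   orgBackupOktaAuthenticationURL="https://example.okta.com/login/default"
                   oktaSSOWebAppVersion="1.11.5.0" />
  </oktaSSOConfigGroup>
</configuration>
'@

Test-OktaIwaUrls -Config $sample -ExpectedHost 'example.customname.com' |
    Format-Table -AutoSize
```

To check a deployed file, load it with [xml](Get-Content -Raw ...) using the path to your own web.config and pass the result as -Config.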