Import Active Directory users
There are several ways to import users from Active Directory (AD) into Okta.
Some key terms to understand:
Activate/Activation — When users are imported from AD an Okta account is created for this user. The Okta account and the AD account are bound together via the confirmation process. Since an Okta account is created during this process the Okta account has to be activated before it can be used.
Assign and unassign — In the context of Okta, users imported from AD became assigned to the AD appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. similar to any other app in Okta. When end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. are assigned to an app, they usually see the chiclet for the app on their Okta home page. AD users imported into Okta do not see an AD chiclet on their home page.
Import— This is the act of Okta reaching out to AD, asking for its users then bringing (importing) those users into Okta.
Match — When users are import form AD, Okta searches for an existing account in Okta based on the matching rules you have set. If it finds an account that matches the AD account it will match the users and confirm them: bind them together. If there is not a matching user, Okta creates a new user. For example: there is an AD account Jamesf, and in Okta there is an account named jamesf. Upon import Okta will see the AD jamesf and the Okta jamesf and match them. If there is no jamesf in Okta it will create one
Confirm match - This is the act of confirming the match. Some admins prefer to let this happen automatically, while others decide to manually match accounts as they come in. This is based on the confirmation settings you have chosen.
To import users from AD and activate their accounts, you must:
- Import users from AD using one of these methods. You can combine these methods if you need. For example, you can set an import schedule, but also do an "on demand" import if you've added new users in AD and want to import them into Okta immediately.
- Import AD users "on demand" — Import users manually if you do not want to wait for a scheduled import.
- Scheduled imports — Set a regular import schedule.
- Using JIT — Use Just in Time (JIT) provisioningusers are created/updated on the fly using the SAML attributes sent as part of the SAML response coming from the Identity Provider. The A user is created during initial login to the Service Provider and updated during subsequent logins. Turning on JIT Provisioning is normally a configuration value in the Service Provider., which imports users into Okta when they first sign in to Okta.
- Confirm imported users — Based on the matching rules you set, confirm that the imported AD users have been imported correctly.
- Activate user accounts — Activate the Okta user accounts and send the activation email with the user's password so they can log into Okta.
Before you can import users from AD, ensure you have installed and configured the AD agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..
You can manually trigger an import when needed.
- Navigate to Directory > Directory Integration > Active Directory.
- Click the Import tab.
- Click Import Now.
- Select which type of import you want to do:
- Incremental import — Only imports Active Directory users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
- Full import — Imports all new and existing Active Directory users. Matching rules are evaluated on all unconfirmed users. This is the type of import that occurs the first time you integrate Okta with Active Directory. Deleted users, and users moved out of the OUAn acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority., are deactivated in Okta only during Full Imports.
- Click Import.
- Your AD users are imported and a summary of the number of users and groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. imported displays. Click OK.
Determine how often you want Okta to import users from AD. Select Do not import new users to leverage scheduled imports to keep user profiles and groups in sync without importing new users from your directory. Use it when you only want to create new users in Okta via JIT, not via imports, but want to continue to use imports to sync groups and group memberships.
Note: Following a successful import, under specific conditions Okta automatically sends an email to designated administrators. The email details the number of users and groups scanned, added, updated, or removed during the import. Okta only sends the email if the scan detects any new users or groups, or changes to any existing user profile or group membership.
- Navigate to Directory > Directory Integration > Active Directory and open the AD instance.
- Click Settings.
Scroll to the Import and Provisioning section.
- Select the import frequency at the Schedule import field.
- Scroll to the bottom of the page. Click Save Settings.
Just In Time (JIT) provisioning enables automatic user account creation in Okta the first time a user authenticates with AD Delegated Authentication, Desktop SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones., or inbound SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated..
JIT account creation and activation only works for end users who are not already Okta end users. (JIT updates the accounts of existing end users during full imports.) This means that end users who are confirmed on the import results page, regardless of whether or not they were subsequently activated, are not eligible for JIT activation. When JIT is enabled, users do not receive activation emails.
When using JIT provisioning with AD users, the procedure depends on whether delegated authentication is enabled.
- If you have delegated authentication enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.
- If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts.
To enable JIT, click Edit under Just In Time Provisioning, and then click Enable Just In Time Provisioning.
When users are imported from AD, Okta intelligently processes the results of the user import. Matching algorithms are applied to analyze the incoming AD users and to determine if there is a match to existing Okta users or to accounts that you have imported. During import and account creation, a duplicate account is created in Okta that mirrors (field mapping and data) and is associated with the imported AD account.
You must have OrgThe Okta container that represents a real-world organization. AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. permissions to perform this task.
To confirm the assignment of the AD imported user to the matching Okta user assignment:
- Navigate to Directory > Directory Integration > Active Directory > Import.
- Review the imported users and the matching Okta user assignments. Click the down arrow in the upper right-hand corner of the Okta user to modify the Okta user assignments as follows:
- New — If there is no existing match in Okta, the imported AD user is assigned to a new Okta user.
- Existing — You can match an imported AD user with an existing Okta user. Click Specify and begin typing the Okta username. A list of matching usernames displays. Select the correct user from the list.
- Ignore — You can opt to ignore this user. The user will not be assigned an Okta user assignment.
- Click Confirm Assignments to confirm the user assignments. You can confirm individual assignments or select all check boxes at once.
- The Confirm Imported Users Assignments dialog displays a summary of actions. Select Auto-activate users after confirmation if you want users to be activated immediately.
- Click Confirm. The assignments are processed. There should be no more records displayed in the Import Results pane.
After you have confirmed the user assignments, you will need to activate the users manually unless you have enabled JIT.
Activating user accounts in your organization changes their account status from Pending to Active. Active end users receive an email that steps them through the process of setting up their unique account within your org.
From the Okta People page you can view the status of each of your end users from the Status column (the far left column on the page). This column provides a view of the onboarding, active and inactive states for your users.
There are two ways to activate end users, depending on when their accounts were created:
- If the user already appears under your Person & Username list and they are pending activation, you can activate them simply by clicking the Activate link, found in the Status column directly across from their name.
- To activate one or more people who have been recently added, do the following:
- From the More Actions menu, click Activate. The Activate People page appears.
- From the list of users, select the users you want to activate and click Activate Selected. Or, click Activate All to activate everyone that appears on the list.
- An Activate People dialog appears. Click Activate to activate the chosen end users, or click Cancel. When activated, each user appears as Active in the Status column.
An email is sent to each user's primary or secondary email address, informing them that their accounts are active. Once active, they can access all the provisioned applications assigned to them.
You can also bulk activate users whose status is Pending Activation. To bulk-activate users, navigate to Directory > People and click Pending Activation. Click Bulk Activate at the top of the lists of users.
If you reactivate a person who was previously deactivated, the user is re-imported, but their apps remain unassigned.
If you are configuring your Okta org and have just imported users for the first time, you will need to perform the following tasks:
- Understand how Okta user profiles and attributes work:
- Customize your AD/Okta user profile attributes