Configure LDAP to Okta provisioning settings

After installing and configuring the Okta LDAP agent, you can use this procedure to update your LDAP to Okta provisioning settings as the needs of your org change. The LDAP to Okta provisioning settings define how LDAP user data is shared with and managed by Okta.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select the LDAP agent from the list of directories.
  3. Click the Provisioning tab and select To Okta in the SETTINGS list.
  4. Click Edit and complete the following settings:
    • Schedule import – Select the frequency for importing users from LDAP to Okta.
    • Okta username format – Specify a username format. When you import users from LDAP, Okta uses this attribute to generate the Okta username. When you open Import Settings during LDAP setup, the username format already matches the option you selected when you tested the configuration, so you should not need to change it; you can return to this page later and select another option if necessary. Okta requires usernames to be in email format, so ensure the selected option is appropriate for your environment.
    • Update application user name on — This setting cannot be changed.
    • Max Import Unassignment — If an unusual number of app unassignments occurs during an import, Okta triggers an alert to warn against the unintended deprovisioning of a large number of apps from users within an org. The Import Safeguard feature stops the import and suspends subsequent imports. For more details, see Import safeguards.
    • Activation emails — Select if you don't want to send new user activation emails.
    • Incremental import — Select to only import users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
    • Decimal place
    • Maximum clock skew — Incremental import relies on the modifyTimestamp attribute to determine whether an LDAP entry has changed since the last import. However, the system clock on some on-premises LDAP servers can run behind or go backward, so an entry changed after the last import may carry a modifyTimestamp that is earlier than the last import time, and the update is missed. To prevent missed updates, set the clock skew to the maximum potential clock drift of the server; Okta then also picks up entries stamped within that window before the last import. To improve the performance of incremental import, index the modifyTimestamp attribute on your LDAP server.
  5. Click Save.
  6. To define your User Creation & Matching settings, click Edit and complete the following settings:
    • Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
    • Imported user is an exact match to Okta user if: Select the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
    • Allow partial matches: Partial matching occurs when the first and last name of an imported user match those of an existing Okta user, but the user's username and/or email address does not.
    • Confirm matched users: Select to automate the confirmation or activation of existing users. If unchecked, matches must be confirmed manually.
    • Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can still uncheck it during import confirmation. Note that this feature does not apply to users who already exist in Okta.
    • For information on deprovisioning, see Provisioning and Deprovisioning Overview.
  7. Click Save.
  8. To define your Profile & Lifecycle Mastering settings, click Edit and complete the following settings:
    • When a user is reactivated in the app: Specify what action Okta should take when the user's account is reactivated in LDAP.
      • Reactivate suspended Okta users — Reactivate suspended Okta users if they are reactivated in LDAP.
      • Reactivate deactivated Okta users — Reactivate deactivated Okta users if they are reactivated in LDAP.

  9. Click Save.
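The following is an added illustration of the To Okta settings above (incremental import with the maximum clock skew applied, username format, and exact versus partial matching); it is not Okta's code. The sample directory entries and Okta users are constructed, the `uid@domain` username format and the `login`/`email` criteria names are assumed, and the matching logic is a simplified model of what the page describes.

```python
"""Simulate the 'To Okta' side of an LDAP import (added example, not Okta code).

Covers three settings from the procedure above:
  * Incremental import: only entries whose modifyTimestamp is at or after the
    last import time minus the configured Maximum clock skew are selected.
  * Okta username format: the derived username must be in email format.
  * Matching rules: all selected criteria equal -> exact; same first and last
    name but different login/email -> partial; otherwise a new user.
"""
import re
from datetime import datetime, timedelta, timezone

LDAP_TS = "%Y%m%d%H%M%SZ"   # generalizedTime, the form modifyTimestamp uses
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_ts(value):
    return datetime.strptime(value, LDAP_TS).replace(tzinfo=timezone.utc)


def incremental_window(last_import, max_skew_seconds):
    """Lower bound for 'changed since last import'. Subtracting the skew
    catches entries stamped by a server clock that ran behind."""
    return last_import - timedelta(seconds=max_skew_seconds)


def incremental_filter(last_import, max_skew_seconds):
    """The LDAP filter an incremental import would issue; an index on
    modifyTimestamp is what keeps this query cheap on the server."""
    lower = incremental_window(last_import, max_skew_seconds)
    return f"(modifyTimestamp>={lower.strftime(LDAP_TS)})"


def select_changed(entries, last_import, max_skew_seconds):
    lower = incremental_window(last_import, max_skew_seconds)
    return [e for e in entries if parse_ts(e["modifyTimestamp"]) >= lower]


def okta_username(entry, fmt):
    """Derive the Okta username. 'mail' uses the mail attribute; 'uid@domain'
    is an assumed custom format. Okta requires an email-shaped result."""
    if fmt == "mail":
        name = entry["mail"]
    elif fmt == "uid@domain":
        name = f'{entry["uid"]}@corp.example'
    else:
        raise ValueError(f"unknown username format {fmt!r}")
    if not EMAIL_RE.match(name):
        raise ValueError(f"username {name!r} is not in email format")
    return name.lower()


def match_user(imported, okta_users, criteria, allow_partial):
    """criteria: attribute names that must ALL be equal for an exact match."""
    for u in okta_users:
        if all(imported[c].lower() == u[c].lower() for c in criteria):
            return "exact", u["login"]
    if allow_partial:
        for u in okta_users:
            if (imported["firstName"].lower(), imported["lastName"].lower()) == \
               (u["firstName"].lower(), u["lastName"].lower()):
                return "partial", u["login"]
    return "new", None


LAST_IMPORT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample directory. 'dana' was changed after the last import, but
# her server's slow clock stamped the entry 30 s *before* LAST_IMPORT.
LDAP_ENTRIES = [
    {"uid": "alice", "mail": "alice@corp.example", "givenName": "Alice",
     "sn": "Liddell", "modifyTimestamp": "20240501120500Z"},
    {"uid": "bob", "mail": "bob@corp.example", "givenName": "Bob",
     "sn": "Stone", "modifyTimestamp": "20240430080000Z"},   # unchanged
    {"uid": "dana", "mail": "dana@corp.example", "givenName": "Dana",
     "sn": "Smith", "modifyTimestamp": "20240501115930Z"},
    {"uid": "erin", "mail": "erin@corp.example", "givenName": "Erin",
     "sn": "Hale", "modifyTimestamp": "20240501121000Z"},
]

# Constructed existing Okta users. Dana exists under a different login.
OKTA_USERS = [
    {"login": "alice@corp.example", "email": "alice@corp.example",
     "firstName": "Alice", "lastName": "Liddell"},
    {"login": "d.smith@corp.example", "email": "d.smith@corp.example",
     "firstName": "Dana", "lastName": "Smith"},
]


def run_import(entries, okta_users, last_import, max_skew_seconds,
               fmt="mail", criteria=frozenset({"login"}), allow_partial=True):
    """Return {uid: (match kind, matched Okta login)} for the selected entries."""
    results = {}
    for e in select_changed(entries, last_import, max_skew_seconds):
        imported = {"login": okta_username(e, fmt), "email": e["mail"],
                    "firstName": e["givenName"], "lastName": e["sn"]}
        results[e["uid"]] = match_user(imported, okta_users, criteria, allow_partial)
    return results


if __name__ == "__main__":
    print(incremental_filter(LAST_IMPORT, 120))
    print("skew 0s  :", run_import(LDAP_ENTRIES, OKTA_USERS, LAST_IMPORT, 0))
    print("skew 120s:", run_import(LDAP_ENTRIES, OKTA_USERS, LAST_IMPORT, 120))
```

With a clock skew of 0 the `dana` entry is silently skipped, which is the missed-update case the Maximum clock skew setting exists for; with a 120 s skew it is selected and, because her Okta login differs, resolves as a partial match that an administrator would confirm during import.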