Configure LDAP to Okta provisioning settings
After installing and configuring the Okta LDAP Agent, you can use this procedure to update your LDAP to Okta provisioning settings as the needs of your org change. The LDAP to Okta provisioning settings define how LDAP user data is shared with and managed by Okta.
- In the Admin Console, go to Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
- Click the Provisioning tab and select To Okta in the Settings list.
- Click Edit and complete the following settings:
- Schedule import – Select the frequency for importing users from LDAP to Okta.
- Okta username format – Specify a username format. When you import users from LDAP, Okta uses this attribute to generate the Okta username. When you access Import Settings during LDAP setup, the username format matches the option you selected when you tested the configuration and you should not need to change it. You can also access this page later and select another option, if necessary. User names must be in email format, so ensure the selected option is appropriate for your environment.
You can use custom expressions to create usernames for imported users, but the custom expression is not taken into account when Okta builds the search query used to locate accounts in LDAP during Just-in-Time (JIT) provisioning. If you set the Okta username format field to Custom, enable JIT provisioning, and an LDAP user account does not exist, the LDAP directory is searched for the unique identifier (uid) or the email (mail) attribute that matches the username used to sign in to Okta.
- Update application user name on — This setting cannot be changed.
- Max Import Unassignment — If an unusual number of app unassignments occurs during an import, Okta triggers an alert to warn against the unintended deprovisioning of a large number of apps from users within an org. The Import Safeguard feature stops the import and suspends subsequent imports. For more details, see About import safeguards.
- Activation emails — Select if you don't want to send new user activation emails.
- Incremental import — Select to only import users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
- Maximum clock skew — Incremental import relies on the modifyTimestamp attribute to determine whether an LDAP entry has been imported. However, the system clock on some on-premises LDAP servers could go backward, causing some updates to be missed. To prevent missed updates, set the clock skew to a value that is the maximum potential clock drift of the server. To improve the performance of incremental import, the modifyTimestamp attribute should be indexed on your LDAP server.
- Click Save.
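The two LDAP searches described above, the JIT lookup by uid or mail and the incremental-import cutoff on modifyTimestamp widened by the clock-skew allowance, are illustrated below. This is an added example, not Okta's or the LDAP Agent's code: the attribute names uid, mail and modifyTimestamp come from the text, while the function names, the RFC 4515 escaping helper and the sample directory entries are assumptions constructed for the illustration.

```python
"""Added illustration (not Okta's implementation) of the JIT lookup filter and
the incremental-import cutoff with a maximum clock skew allowance."""
from datetime import datetime, timedelta, timezone

# RFC 4515 escaping: a sign-in username is attacker-controlled input, so it
# must not be able to change the structure of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def jit_lookup_filter(username: str) -> str:
    """Filter for the JIT search: an entry whose uid or mail equals the username."""
    v = escape_filter_value(username)
    return f"(|(uid={v})(mail={v}))"


def generalized_time(ts: datetime) -> str:
    """LDAP GeneralizedTime in UTC, the form modifyTimestamp carries (e.g. 20240601120000Z)."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def incremental_import_filter(last_import: datetime, max_clock_skew: timedelta) -> str:
    """Entries modified since the last import, with the cutoff moved back by the skew
    so that an entry stamped by a server clock that went backwards is not missed."""
    cutoff = last_import - max_clock_skew
    return f"(modifyTimestamp>={generalized_time(cutoff)})"


def select_changed(entries, last_import: datetime, max_clock_skew: timedelta):
    """Apply the same cutoff locally to constructed entries; GeneralizedTime strings
    of equal length compare correctly as plain strings."""
    cutoff = generalized_time(last_import - max_clock_skew)
    return [e["uid"] for e in entries if e["modifyTimestamp"] >= cutoff]


# Constructed sample data (assumption): the last import ran at 12:00:00Z.
LAST_IMPORT = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
ENTRIES = [
    # normal update after the import
    {"uid": "alice", "modifyTimestamp": "20240601120500Z"},
    # updated after the import, but the server clock had jumped back 3 minutes
    {"uid": "bob", "modifyTimestamp": "20240601115800Z"},
    # genuinely old entry, already imported
    {"uid": "carol", "modifyTimestamp": "20240601090000Z"},
]

if __name__ == "__main__":
    print(jit_lookup_filter("a*)(b"))
    print(incremental_import_filter(LAST_IMPORT, timedelta(minutes=5)))
    print(select_changed(ENTRIES, LAST_IMPORT, timedelta(0)))
    print(select_changed(ENTRIES, LAST_IMPORT, timedelta(minutes=5)))
```

With a skew of zero the entry stamped by the backward-moving clock is silently skipped; with a five-minute skew it is picked up. The price is that entries changed shortly before the previous import are returned again, which is why the matching rules are evaluated on the users an incremental import returns.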
- To define your User Creation & Matching settings, click Edit and complete the following settings:
Imported user is an exact match to Okta user if: Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
Select the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
Allow partial matches: Partial matching occurs when the first and last name of an imported user match those of an existing Okta user, but the user's username and/or email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches must be confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.
For information on deprovisioning, see Provisioning and Deprovisioning Overview.
- Click Save.
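The matching logic described in the User Creation & Matching settings above, as an added illustration that is not Okta's implementation: every selected exact-match criterion must hold, a partial match is first and last name equal while username and/or email differ, and partial matches are only considered when enabled. The criterion names (username, email, first_and_last_name), the User type and the sample users are assumptions made for the example; the page does not list the option labels.

```python
"""Added illustration (not Okta's code) of exact and partial import matching."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    username: str
    email: str
    first_name: str
    last_name: str


def _norm(value: str) -> str:
    # Compare case-insensitively and ignore surrounding whitespace.
    return value.strip().lower()


def _names_equal(a: User, b: User) -> bool:
    return (_norm(a.first_name), _norm(a.last_name)) == (_norm(b.first_name), _norm(b.last_name))


def is_exact_match(imported: User, existing: User, criteria: Set[str]) -> bool:
    """criteria is a non-empty subset of the hypothetical option names below;
    each selected option must be true for the users to be an exact match."""
    checks = {
        "username": _norm(imported.username) == _norm(existing.username),
        "email": _norm(imported.email) == _norm(existing.email),
        "first_and_last_name": _names_equal(imported, existing),
    }
    return bool(criteria) and all(checks[c] for c in criteria)


def is_partial_match(imported: User, existing: User) -> bool:
    """Names match but the username and/or the email address do not."""
    username_differs = _norm(imported.username) != _norm(existing.username)
    email_differs = _norm(imported.email) != _norm(existing.email)
    return _names_equal(imported, existing) and (username_differs or email_differs)


def classify(
    imported: User,
    existing_users: Iterable[User],
    criteria: Set[str],
    allow_partial: bool = False,
) -> Tuple[str, Optional[User]]:
    """Return ("exact", user), ("partial", user) or ("new", None).
    Exact matches take precedence; partial matches need manual review."""
    existing_users = list(existing_users)
    for user in existing_users:
        if is_exact_match(imported, user, criteria):
            return ("exact", user)
    if allow_partial:
        for user in existing_users:
            if is_partial_match(imported, user):
                return ("partial", user)
    return ("new", None)


# Constructed sample data (assumption).
EXISTING = [
    User("alice@example.com", "alice@example.com", "Alice", "Smith"),
    User("bob@example.com", "bob@example.com", "Bob", "Jones"),
]
IMPORTED_SAME = User("alice@example.com", "alice@example.com", "Alice", "Smith")
IMPORTED_RENAMED = User("asmith@example.com", "asmith@example.com", "Alice", "Smith")
IMPORTED_NEW = User("carol@example.com", "carol@example.com", "Carol", "Lee")

if __name__ == "__main__":
    rules = {"username", "email"}
    print(classify(IMPORTED_SAME, EXISTING, rules))
    print(classify(IMPORTED_RENAMED, EXISTING, rules))
    print(classify(IMPORTED_RENAMED, EXISTING, rules, allow_partial=True))
    print(classify(IMPORTED_NEW, EXISTING, rules, allow_partial=True))
```

The renamed user shows why partial matching is a review decision rather than an automatic one: with username and email as the criteria she is a new account, with partial matching on she is linked to the existing Alice, and with first and last name as the only criterion she is an exact match. Which outcome is right depends on whether two people in your directory can legitimately share a name.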
- To define your Profile & Lifecycle Sourcing settings, click Edit and complete the following settings:
- Allow LDAP to source Okta users — This option is enabled by default. Profile sourcing makes LDAP the identity authority for connected users. When enabled, user profiles are not editable in Okta and changes are synced to Okta during provisioning events. You can disable this option to have LDAP treated as a normal application. If you disable this feature, user updates you perform in LDAP are not pushed back to the user in Okta. For example, if you change a user's name in LDAP, the change does not affect the Okta user. If you disable LDAP as the profile source, you cannot reset a user's LDAP password in Okta because their credentials are still being managed by LDAP. You can, however, disable Delegated Authentication (see here) and enable the Sync Password option to push passwords to LDAP. This means that your users have their delegated Okta password, but any subsequent password updates are pushed to LDAP.
- When a user is deactivated in the app — Specify what action Okta should take if the user's account is deactivated in Okta.
- Do nothing — No action is taken.
- Deactivate — Deactivates users' LDAP account when they are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- Suspend — Suspends users' LDAP account when they are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- When a user is reactivated in the app: Specify what action Okta should take if the user's account is reactivated in Okta.
- Reactivate suspended Okta users — Reactivate suspended Okta users if they are reactivated in LDAP.
- Reactivate deactivated Okta users — Reactivate deactivated Okta users if they are reactivated in LDAP.