Configure Okta to LDAP provisioning settings
After installing and configuring the Okta LDAP agent, you can use this procedure to update your Okta to LDAP provisioning settings as the needs of your org change. The Okta to LDAP provisioning settings define how Okta shares and updates user data on your LDAP instance.
- On the Okta Admin Console, click Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
- Click the Provisioning tab and select To App in the SETTINGS list.
- Click Edit, and complete the following settings:
- Create Users — Selecting Enable creates or links a user in LDAP for members of groups in Okta where LDAP is assigned. If LDAP is the highest priority Profile Master, Okta user profiles are automatically updated based on changes made to user profiles in LDAP.
- Activation email recipient — Enter the email address to which new LDAP account credentials are sent. The recipient is responsible for distributing the credential information to the appropriate user.
- RDN attribute name — Select the attribute type to be used for the user Relative Distinguished Name (the leftmost portion of the user Distinguished Name).
  You can customize the attribute value on the Profile Editor page.
  If you set the RDN attribute to UID, you must map the attribute to the Okta userName attribute. The attribute type you select must be mapped correctly in Profile Editor for this LDAP instance, in the same direction as provisioning.
- Update User Attributes — Select Enable to allow Okta to update a user's attributes in LDAP when the app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in LDAP.
- Deactivate Users — Select Enable if you want to deactivate a user's LDAP account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to the user in Okta.
- Sync Password — Select Enable if you want each user's LDAP password to be synced to their Okta password. Any subsequent changes to a user's Okta password are pushed to the on-premises LDAP server. To enable this option, Delegated Authentication must be disabled. Organizations using both Active Directory (AD) and LDAP can now synchronize their user passwords from AD through Okta to LDAP.
- Click Save.
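The RDN attribute and Deactivate Users settings above only behave as intended when the leftmost RDN of each LDAP entry actually carries the value of the Okta attribute it is mapped to, and when deactivation really reaches the directory. The following audit script is an added example, not Okta's own code or API: it reads constructed sample Okta profiles and LDAP entries, extracts each entry's leftmost RDN (handling RFC 4514 escaped commas), and reports entries whose RDN type does not match the configured attribute, entries with no matching Okta user, and users deactivated in Okta whose LDAP account is still enabled. The `disabled` flag on the sample entries is an assumed field standing in for whatever your directory uses to mark an inactive account.

```python
"""Audit helper (added example, not Okta's own code): checks that the RDN
attribute chosen in the To App settings lines up with the Okta attribute it
is mapped to, and that users deactivated in Okta are not still enabled in LDAP.
All profiles and entries below are constructed sample data."""
import re

# Constructed sample: Okta user profiles as the provisioning engine sees them.
OKTA_USERS = [
    {"userName": "jdoe", "status": "ACTIVE"},
    {"userName": "asmith", "status": "DEPROVISIONED"},
    {"userName": "b.lee", "status": "ACTIVE"},
]

# Constructed sample: entries read back from the LDAP instance Okta provisions to.
# "disabled" is an assumed placeholder for the directory's own inactive marker.
LDAP_ENTRIES = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "disabled": False},
    {"dn": "uid=asmith,ou=People,dc=example,dc=com", "disabled": False},
    {"dn": "cn=b.lee,ou=People,dc=example,dc=com", "disabled": False},
]


def leftmost_rdn(dn):
    """Return (attribute_type, value) of the leftmost RDN, honouring RFC 4514 escapes."""
    # Split on the first comma that is not escaped with a backslash.
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first.partition("=")
    return attr.strip().lower(), value.replace("\\,", ",").strip()


def audit(okta_users, ldap_entries, rdn_attr="uid", okta_attr="userName"):
    """Return a list of findings; an empty list means mapping and state are consistent."""
    findings = []
    by_value = {u[okta_attr]: u for u in okta_users}
    for entry in ldap_entries:
        attr, value = leftmost_rdn(entry["dn"])
        if attr != rdn_attr:
            findings.append(f"{entry['dn']}: RDN uses {attr}, expected {rdn_attr}")
            continue
        user = by_value.get(value)
        if user is None:
            findings.append(f"{entry['dn']}: no Okta user with {okta_attr}={value!r}")
            continue
        if user["status"] == "DEPROVISIONED" and not entry["disabled"]:
            findings.append(f"{entry['dn']}: deactivated in Okta but still enabled in LDAP")
    return findings


if __name__ == "__main__":
    for finding in audit(OKTA_USERS, LDAP_ENTRIES):
        print(finding)
```

On the sample data the script reports two findings: the cn-based entry that does not use the configured uid RDN, and the deprovisioned user whose LDAP account is still enabled.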
The Attribute Mappings section lets you map LDAP attributes to Okta attributes. The attributes listed in the table are your LDAP attributes. To edit these mappings, click the edit icon. See Map profile attributes.