Plan your LDAP integration

You use the Okta LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services. agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. to integrate Okta with your LDAP instance. LDAP integration lets end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. authenticate to Okta using their LDAP credentials without replicating those credentials into the cloud. LDAP integration helps your organization leverage its existing identity directory investment and controls access to Okta-protected resources.

Supported directories

Okta integrates with most LDAPv3 directories. To learn about the specific requirements for your directory, select one of these links:

Supported features

These tables lists the features supported by LDAP integrations.

Feature Supported? Description
Delegated AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. No

Ability to authenticate user credentials through LDAP for access into Okta, without performing group and profile information.

Note: LDAP does support JIT authentication which enables Delegated Authentication with LDAP including updates to group and profile information.

JIT Authentication Yes Ability to authenticate user credentials through LDAP for access into Okta, and update group memberships and profile information before access. For more information, see Add and update end users with Just In Time provisioning.
InstanceAn instance, or computer instance, is a virtual machine (VM) or individual physical computer, used to host a software appliance.-level JIT and Delegated Authentication No Ability to delegate authentication on a per LDAP-instance level to support more granular authentication scenarios.
User import from Directory Yes Ability to import user and group details from the directory into Okta. AD supports both full import (full data import) and incremental import (only import changes since last import). For more information, see Import Settings in Install and configure the Okta LDAP Agent.
Import filter - OUAn acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority./container selection No Ability to filter users and groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. based by specifying an LDAP filter and selecting OUs.
Provision to Directory Yes Ability to provision user and group details down to LDAP. LDAP supports pushing users, password, and groups down to LDAP from Okta. For more information, see LDAP Configuration and Import Settings in Install and configure the Okta LDAP Agent.
Self-Service PW Reset Yes Ability to reset LDAP password via Okta. For more information, see Manage users and Enable self-service registration.
PW Sync Yes Ability to sync AD and Okta password. Read this for more info: Synchronize passwords from Okta to Active Directory
Password Policy
Minimum Length Yes See Security Policies for more info on these.
Complexity Requirements No See Security Policies for more info on these.
Common Password Check No See Security Policies for more info on these.
Enforce password history for last < X > passwords No See Security Policies for more info on these.
Password expires after < X > days No See Security Policies for more info on these.
Prompt user < X > days before password expires No See Security Policies for more info on these.
Lock out user after < X > unsuccessful attempts No See Security Policies for more info on these.
Lock out user after < X number of > minutes No See Security Policies for more info on these.
Show lock out failures No See Security Policies for more info on these.
Send lock out email to user No See Security Policies for more info on these.
Password Soft Lock No Ability to lock the Okta account of LDAP-mastered users via password policies, without triggering a lock of the user's LDAP account.
Password Reset
Self-service recovery options: Email Yes Ability to reset the password through email. For more information, see Factor Type Overview and Configuration in Multifactor Authentication .
Self-service recovery options: SMS Yes Ability to reset the password through a code sent through text message. For more information, see Enable end user self-service password reset using SMS in Manage users.
Self-service recovery options: Voice Call No Ability to reset the password through a code sent through voice call.
Reset, Unlock recovery emails are valid for < X > minutes No Ability to configure how long recovery email tokens are valid for.
Additional self-service recovery option: Secret questions No Ability to reset the password through security questions.
Infrastructure
Multiple agent polling threads No Ability to increase polling threads on the agent. Increases how many requests the agent can handle per second per thread. For more information, see Change the number of Okta Active Directory (AD) agent threads

Known limitations

Feature Comments
LDAP Connection

The LDAP agent is supported with all LDAP v3 servers (RFC 4510 compliant). It has been tested with the following:

Notable known directories or features not supported via LDAP agent:

  • AD DS (Active Directory) — use the Okta AD agent.
  • Novell eDirectory.
Scenarios
  • Object Lifecycle Management
  • Group Management
  • Password Management

Notable features not supported by the LDAP Agent:

  • Group Password Policy
  • Per-instance Delegated Authentication (more info about what this means here)
  • Group Push

Note: The Okta LDAP agent is not recommended for large-scale LDAP migrations.

Operations

The following operations are supported on all LDAP directories:

  • Full Import
  • User provisioning

The following operations are only supported on specified directories:

  • Incremental Imports
  • Set Password
  • Change Password
Schema
  • The LDAP agent automatically detects user schema based on the user objectClass specified
  • Supports structural classes, auxiliary classes for users

Incremental imports and password management

Okta only supports time stamp-based change tracking. To identify changes made since the last import, the agent uses modifyTimestamp. If your directory supports modifyTimestamp, incremental imports work.

This table identifies support for incremental imports by directory type:

Directory Incremental Import
Active Directory Lightweight Directory Services (AD LDS) Not supported. AD LDS uses usnChanged as the change tracking attribute
OpenDJ Supported
OpenDS Supported
OpenLDAP Supported
Oracle Internet Directory (OID) Supported
IBM Tivoli DS Supported
Sun One LDAP 5.2+, 6.x and 7.x Supported
RadiantOne Directory 7.1 Supported
Top