Application password synchronization

Okta uses standard APIs to synchronize passwords with cloud and on-premises applications when they are available. When APIs are used for password synchronization, the Okta Active Directory Password Sync agent is not required.

Okta pre-built integrations let you take advantage of password synchronization API functionality without the need to write custom scripts. If you have a custom integration or you are using an on-premises agent, you might need the assistance of Okta professional services to implement password synchronization.

When Okta to Application - Sync Okta Password is enabled, the default behavior is to synchronize the existing password. The Okta password is the password used to sign on to Okta.

If you have configured Okta to use delegated authentication with Active Directory or LDAP, the password used to sign on to Okta is the Active Directory or LDAP password. Okta uses the application API to synchronize the Active Directory or LDAP password to the application. The password is stored as the application password.

If you are not using delegated authentication, the password used to access Okta is stored and managed in Okta. Okta uses the application API to synchronize the password to the application.

These events activate password synchronization:

  • Resetting an Okta mastered password
  • Signing in to Okta
  • Delegated authentication sign-on to Okta

Random new password synchronization

With some applications such as Google Suite, Salesforce, and Atlassian JIRA, you can use Okta to create and assign passwords when a user first accesses the application. The Password Sync Agent is not required for this functionality.

These events activate random new password synchronization:

  • Import triggered or group-based application assignment
  • Assigning a user to the application manually

An Okta-generated password is 16 characters long with randomly applied upper/lower case letters and numbers. To ensure a successful sync between Okta and the app, the Okta randomly generated password should comply with the app's minimum password complexity requirements. If it doesn't comply with the app's minimum policy, an error is displayed on the Okta Tasks page (Dashboard > Tasks). In such cases, Okta can, upon request, change the password policy on a per-app basis to match that app's minimum policy.
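As an added illustration (not Okta's code, and not a description of how Okta's generator actually works), this Python compares an app's minimum policy against the generated-password shape the page describes (16 characters, letters and digits only), so a conflict can be caught before the sync error lands on the Tasks page. The policy values are constructed, and the probability helper assumes uniform independent draws, which the page does not state.

```python
import math
import string
from dataclasses import dataclass

# Shape of an Okta-generated app password as described on this page:
# 16 characters drawn from upper/lower case letters and digits (no symbols).
OKTA_RANDOM_LENGTH = 16
OKTA_RANDOM_ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class AppPasswordPolicy:
    """Minimum complexity rules of the target app (constructed example values)."""
    min_length: int = 8
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False


def meets_policy(password: str, policy: AppPasswordPolicy) -> bool:
    """True if a concrete password satisfies every rule of the app policy."""
    checks = [
        len(password) >= policy.min_length,
        not policy.require_upper or any(c.isupper() for c in password),
        not policy.require_lower or any(c.islower() for c in password),
        not policy.require_digit or any(c.isdigit() for c in password),
        not policy.require_symbol or any(c in string.punctuation for c in password),
    ]
    return all(checks)


def okta_random_password_conflicts(policy: AppPasswordPolicy) -> list[str]:
    """Rules no Okta-generated password can satisfy; each one means the sync will fail."""
    conflicts = []
    if policy.min_length > OKTA_RANDOM_LENGTH:
        conflicts.append(f"min_length {policy.min_length} exceeds {OKTA_RANDOM_LENGTH}")
    if policy.require_symbol:
        conflicts.append("require_symbol: generated passwords contain letters and digits only")
    return conflicts


def prob_missing_class(class_size: int) -> float:
    """Probability that a 16-character password contains none of a character
    class of `class_size` members, ASSUMING uniform independent draws from the
    alphabet (hypothetical model; the page does not say whether Okta guarantees
    that every class appears). For digits (class_size=10) this is about 6%."""
    alphabet = len(OKTA_RANDOM_ALPHABET)
    return math.pow((alphabet - class_size) / alphabet, OKTA_RANDOM_LENGTH)
```

A non-empty result from okta_random_password_conflicts is the case the page describes: the sync error on Dashboard > Tasks, resolved by having Okta adjust the per-app policy.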

Password cycle synchronization

With this option, a new random password is created whenever the user changes their Okta password. The password that is synchronized is not the Okta password or a directory password. It is a new, random password that is activated by an Okta password reset. The password is generated and stored in Okta and pushed to the application using the application API. The Password Sync Agent is not required for this functionality.

These events activate a password cycle:

  • Import triggered or group-based application assignment
  • Administrator initiated password change (Okta or delegated authentication)
  • User initiated password change or recovery (Okta or delegated authentication)

Mobile password synchronization

With Okta to mobile synchronization, the password is synchronized to the application client on the mobile device. This functionality is only available for iOS and Android native mail clients that are configured with Okta Mobility Management (OMM). The Password Sync Agent is not required for this functionality.

These events activate an Okta to mobile synchronization:

  • User initiated password change or recovery (Okta or delegated authentication)
  • Admin initiated password change (Okta or delegated authentication)
  • Import triggered or group-based application assignment

For mobile workflows, AD password resets from the Active Directory Password Sync agent do not require sync password to be enabled. A reset password notification triggers the distribution of an updated Exchange ActiveSync (EAS) email configuration to the corresponding devices enrolled in Okta Mobility Management (OMM). When sync password is not enabled for any application, the encrypted AD password is removed from Okta after it has been pushed to the device.

Synchronize Okta passwords or random passwords to provisioning-enabled applications

Push a user's Okta password or a random password to provisioning-enabled apps during initial Okta setup or when the user's Okta password changes.

  1. On the Okta Admin Console, click Applications > Applications.
  2. Click an application and then the Provisioning tab.
  3. In the Settings list, click To App.
  4. Click Edit.
  5. Scroll down to the Sync Password section and click Enable.
  6. Configure these settings:
  • Sync a randomly generated password — Select this option to push a unique, randomly generated password to each app user at setup. This is designed to prevent theft of a single Okta password from compromising an entire organization. Users receive a notification on their Home page that a random password was generated.

Note: If you select this option, you should enable the Reveal Password feature to allow end users to see the password (Applications > Applications > Sign On > Settings > Credential Details).

  • Sync Okta Password — This option pushes a user's Okta password to all app users during initial setup.
  • Password cycle — Select this option so that every change to a user's Okta password generates a new random password and syncs it to the app.

Note: Users may need to update their password on any device where they've installed this app.

  • Reset All <App> Passwords — Select this option to reset the passwords of all app users.
  7. Click Save.

Synchronize Okta passwords to Active Directory and to provisioning-enabled applications

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory > Provisioning.
  2. In the SETTINGS list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box. This transfers password mastering from AD to Okta.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the SETTINGS list, click To App, click Edit, scroll to the Sync Password section and select Enable.
  8. Click Save.
  9. Configure these settings:
  • Sync a randomly generated password — Select this option to push a unique, randomly generated password to each app user at setup. This is designed to prevent theft of a single Okta password from compromising an entire organization. Users receive a notification on their Home page that a random password was generated.

Note: If you select this option, you should enable the Reveal Password feature to allow end users to see the password (Applications > Applications > Sign On > Settings > Credential Details).

  • Sync Okta Password — This option pushes a user's Okta password to all app users during initial setup.
  • Password cycle — Select this option so that every change to a user's Okta password generates a new random password and syncs it to the app.

Note: Users may need to update their password on any device where they've installed this app.

  • Reset All <App> Passwords — Select this option to reset the passwords of all app users.
  10. Click Save.