Application password synchronization

Okta uses standard APIs to synchronize passwords with cloud and on-premises applications when such APIs are available. When an API is used for password synchronization, the Okta Active Directory (AD) Password Sync agent is not required.

Okta pre-built integrations let you take advantage of password synchronization API functionality without the need to write custom scripts. If you have a custom integration or you are using an on-premises agent, you might need the assistance of Okta professional services to implement password synchronization.

When Okta to Application - Sync Okta Password is enabled, the default behavior is to synchronize the existing password. The Okta password is the password used to sign on to Okta.

If you have configured Okta to use delegated authentication with Active Directory or LDAP, the password used to sign on to Okta is the Active Directory or LDAP password. Okta uses the application API to synchronize the Active Directory or LDAP password to the application, where it is stored as the application password.

If you are not using delegated authentication, the password used to access Okta is stored and managed in Okta. Okta uses the application API to synchronize the password to the application.

These events activate password synchronization:

  • Resetting an Okta mastered password
  • Signing in to Okta
  • Delegated authentication sign on to Okta

Random new password synchronization

With some applications such as Google Suite, Salesforce, and Atlassian JIRA, you can use Okta to create and assign passwords when a user first accesses the application. The Password Sync Agent is not required for this functionality.

These events trigger random new password synchronization:

  • Import triggered or group-based application assignment
  • Assigning a user to the application manually

An Okta-generated password is 16 characters long and consists of randomly selected upper-case letters, lower-case letters, and numbers. To ensure a successful sync between Okta and the app, the Okta-generated password must comply with the app's minimum password complexity requirements. If the generated password doesn't comply with the app's minimum policy, an error displays on the Okta Tasks page (Dashboard > Tasks). In such cases, Okta can, upon request, change the password policy on a per-app basis to match that app's minimum policy.
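The compatibility check an administrator would want to run before turning on random password sync is whether an app's complexity policy can ever be satisfied by a 16-character upper/lower/digit password, and, if it can, how often a random draw would still be rejected. The following is an added example, not Okta's generator or any Okta API. It models the generator on the character set and length stated above; the assumption that each character is drawn uniformly from the 62-character alphabet is the example's own, since the page does not describe how classes are distributed. The app policy fields are constructed for illustration.

```python
"""Pre-flight check: can the 16-character letters-and-digits password that Okta
generates satisfy a target app's minimum complexity policy?

Example code added to this page; it is not Okta's generator or API.
"""
import secrets
import string
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional

# Character classes and length as stated on the page.
OKTA_UPPER = string.ascii_uppercase
OKTA_LOWER = string.ascii_lowercase
OKTA_DIGITS = string.digits
OKTA_ALPHABET = OKTA_UPPER + OKTA_LOWER + OKTA_DIGITS
OKTA_LENGTH = 16


@dataclass
class AppPasswordPolicy:
    """Minimum complexity rules of the target app (constructed for the example)."""
    min_length: int = 8
    max_length: Optional[int] = None
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False


def generate_model_password() -> str:
    """Model of the described generator: 16 chars from A-Z, a-z, 0-9.
    ASSUMPTION: uniform, independent draws (the page does not say)."""
    return "".join(secrets.choice(OKTA_ALPHABET) for _ in range(OKTA_LENGTH))


def meets_policy(password: str, policy: AppPasswordPolicy) -> bool:
    """True if a concrete password satisfies the app policy."""
    if len(password) < policy.min_length:
        return False
    if policy.max_length is not None and len(password) > policy.max_length:
        return False
    if policy.require_upper and not any(c in OKTA_UPPER for c in password):
        return False
    if policy.require_lower and not any(c in OKTA_LOWER for c in password):
        return False
    if policy.require_digit and not any(c in OKTA_DIGITS for c in password):
        return False
    if policy.require_symbol and password.isalnum():
        return False
    return True


def hard_conflicts(policy: AppPasswordPolicy) -> List[str]:
    """Rules that NO password from the described generator can ever satisfy.
    Any entry here means every sync attempt will fail and land on the Tasks page."""
    reasons = []
    if policy.min_length > OKTA_LENGTH:
        reasons.append(f"min_length {policy.min_length} exceeds generated length {OKTA_LENGTH}")
    if policy.max_length is not None and policy.max_length < OKTA_LENGTH:
        reasons.append(f"max_length {policy.max_length} is below generated length {OKTA_LENGTH}")
    if policy.require_symbol:
        reasons.append("policy requires a symbol; generator emits letters and digits only")
    return reasons


def random_rejection_probability(policy: AppPasswordPolicy) -> float:
    """Probability that a uniformly drawn password lacks at least one required
    character class (inclusion-exclusion over the required classes).
    Only meaningful when hard_conflicts(policy) is empty."""
    required_sizes = []
    if policy.require_upper:
        required_sizes.append(len(OKTA_UPPER))
    if policy.require_lower:
        required_sizes.append(len(OKTA_LOWER))
    if policy.require_digit:
        required_sizes.append(len(OKTA_DIGITS))
    n = len(OKTA_ALPHABET)
    total = 0.0
    for k in range(1, len(required_sizes) + 1):
        for subset in combinations(required_sizes, k):
            # P(every char avoids all classes in `subset`)
            p_all_missing = ((n - sum(subset)) / n) ** OKTA_LENGTH
            total += (-1) ** (k + 1) * p_all_missing
    return total


if __name__ == "__main__":
    policy = AppPasswordPolicy(min_length=12, require_upper=True,
                               require_lower=True, require_digit=True)
    print("hard conflicts:", hard_conflicts(policy) or "none")
    print(f"expected intermittent rejection rate: {random_rejection_probability(policy):.2%}")
    print("sample password meets policy:", meets_policy(generate_model_password(), policy))
```

Two results matter in practice. A policy that requires a symbol, or a minimum length above 16, is a hard conflict: every sync fails, and the remedy is the per-app policy change mentioned above. A policy that merely requires a digit is not a hard conflict, but under the uniform-draw assumption about 6% of generated passwords contain no digit, so the Tasks-page error would appear intermittently rather than for every user; seeing that pattern is a hint that the app policy, not the integration, is the cause.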

Password cycle synchronization

With this option, a new random password is created whenever the user changes their Okta password. The password that is synchronized is not the Okta password or a directory password. It is a new, random password that is activated by an Okta password reset. The password is generated and stored in Okta and pushed to the application using the application API. The Password Sync Agent is not required for this functionality.

These events activate a password cycle:

  • Import triggered or group-based application assignment
  • Administrator initiated password change (Okta or delegated authentication)
  • User initiated password change or recovery (Okta or delegated authentication)

Mobile password synchronization

With Okta to mobile synchronization, the password is synchronized to the application client on the mobile device. This functionality is only available for iOS and Android native mail clients that are configured with Okta Mobility Management (OMM). The Password Sync Agent is not required for this functionality.

For mobile workflows, AD password resets reported by the Active Directory Password Sync agent do not require Sync Password to be enabled on any application. A reset password notification triggers the distribution of an updated Exchange ActiveSync (EAS) email configuration to the corresponding devices enrolled in Okta Mobility Management (OMM). When Sync Password is not enabled for any application, the encrypted AD password is removed from Okta after it has been pushed to the device.

Synchronize Okta passwords or random passwords to provisioning enabled applications

Push a user's Okta password or a random password to provisioning-enabled apps during initial Okta set up or when the user's Okta password changes.

  1. On the Okta Admin Console, click Applications > Applications.
  2. Click an application and then the Provisioning tab.
  3. In the Settings list, click To App.
  4. Click Edit.
  5. Scroll down to the Sync Password section and click Enable.
  6. Configure these settings:
  • Sync a randomly generated password — Select this option to push a unique, randomly generated password to each app user at setup. This is designed to prevent theft of a single Okta password from compromising an entire organization. Users receive a notification on their Home page that a random password was generated.

Note: If you select this option, you should enable the Reveal Password feature to allow end users to see the password (Applications > Applications > Sign On > Settings > Credential Details).

  • Sync Okta Password — This option pushes a user's Okta password to all app users during initial setup.
  • Password cycle — Select this option to generate a random password whenever the user's Okta password changes and ensure that a change in a user's Okta password generates and syncs a new random password to the app.

Note: Users may need to update their password on any device where they've installed this app.

  • Reset All <App> Passwords — Select this option to reset the passwords of all app users.
  7. Click Save.

Synchronize Okta passwords to Active Directory and to provisioning enabled applications

  1. On the Okta Admin Console, click Directory > Directory Integrations > Active Directory > Provisioning.
  2. In the SETTINGS list, click Integration.
  3. Scroll down and clear the Enable delegated authentication to Active Directory check box. This transfers password mastering from AD to Okta.
  4. Click Save.
  5. Select Create Okta password (recommended).
  6. Click Disable AD Authentication.
  7. In the SETTINGS list, click To App, click Edit, scroll to the Sync Password section and select Enable.
  8. Click Save.
  9. Configure these settings:
  • Sync a randomly generated password — Select this option to push a unique, randomly generated password to each app user at setup. This is designed to prevent theft of a single Okta password from compromising an entire organization. Users receive a notification on their Home page that a random password was generated.

Note: If you select this option, you should enable the Reveal Password feature to allow end users to see the password (Applications > Applications > Sign On > Settings > Credential Details).

  • Sync Okta Password — This option pushes a user's Okta password to all app users during initial setup.
  • Password cycle — Select this option to generate a random password whenever the user's Okta password changes and ensure that a change in a user's Okta password generates and syncs a new random password to the app.

Note: Users may need to update their password on any device where they've installed this app.

  • Reset All <App> Passwords — Select this option to reset the passwords of all app users.
  10. Click Save.