Application password synchronization

Okta uses standard APIs to synchronize passwords with cloud and on-premises applications when they're available. When APIs are used for password synchronization, the Okta Active Directory Password Sync agent isn't required.

Okta pre-built integrations let you take advantage of password synchronization API functionality without the need to write custom scripts. If you have a custom integration or you're using an on-premises agent, you might need the assistance of Okta professional services to implement password synchronization.

When Okta to Application - Sync Okta Password is enabled, the default behavior is to synchronize the existing password. The Okta password is the password used to sign on to Okta.

If you have configured Okta to use delegated authentication with Active Directory (AD) or LDAP, the password used to sign in to Okta is the Active Directory or LDAP password. Okta uses the application API to synchronize the Active Directory or LDAP password to the application. The password is stored as the application password.

If you're not using delegated authentication, the password used to access Okta is stored and managed in Okta. Okta uses the application API to synchronize the password to the application.

These events activate password synchronization:

  • Resetting an Okta-sourced password
  • Signing in to Okta
  • Delegated authentication sign-in to Okta

Random new password synchronization

With some applications such as Google Suite, Salesforce, and Atlassian JIRA, you can use Okta to create and assign passwords when a user first accesses the application. The Password Sync Agent isn't required for this functionality.

These events activate sync random new password:

  • Import-triggered or group-based application assignment
  • Manual assignment of a user to the application

An Okta-generated password is 16 characters long and consists of a random mix of uppercase letters, lowercase letters, and digits. For a sync between Okta and the app to succeed, this generated password must satisfy the app's minimum password complexity requirements; because it contains only letters and digits, an app that requires symbols or a length greater than 16 rejects it. If the Okta-generated password doesn't comply with the app's minimum policy, an error displays on the Okta Tasks page (Dashboard > Tasks). In such cases, Okta can, upon request, change the password policy on a per-app basis to match that app's minimum policy.
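As an added example (this is not Okta's code or its actual generator), the following Python builds a password matching the description above and checks it against two constructed app policies, so an admin can see in advance whether a 16-character alphanumeric password can ever satisfy a given app's minimum complexity rules. The policy dictionaries, the symbol set, and the guarantee of at least one character from each class are this example's own assumptions.

```python
import secrets
import string

# Character classes used by this example's generator. The page describes the
# Okta-generated password as 16 mixed-case letters and digits; the generator
# below follows that description but is example code, not Okta's implementation.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
ALNUM = UPPER + LOWER + DIGITS
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set for the policy check


def generate_password(length: int = 16) -> str:
    """Return a random mixed-case alphanumeric password.

    One character from each class is guaranteed so the result never fails an
    app policy that merely requires letters and digits (a uniform draw of 16
    alphanumerics contains no digit about 6% of the time). Whether Okta itself
    guarantees this is not stated on the page; it is this example's choice.
    """
    if length < 3:
        raise ValueError("length must allow one character from each class")
    chars = [secrets.choice(UPPER), secrets.choice(LOWER), secrets.choice(DIGITS)]
    chars += [secrets.choice(ALNUM) for _ in range(length - 3)]
    # Shuffle with the OS CSPRNG so the guaranteed characters sit at
    # unpredictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_policy(password: str, policy: dict) -> list:
    """Return the list of policy rules the password violates (empty == OK).

    `policy` is a constructed description of a target app's minimum password
    requirements with keys: min_length, require_upper, require_lower,
    require_digit, require_symbol.
    """
    failures = []
    if len(password) < policy.get("min_length", 0):
        failures.append("min_length")
    if policy.get("require_upper") and not any(c in UPPER for c in password):
        failures.append("upper")
    if policy.get("require_lower") and not any(c in LOWER for c in password):
        failures.append("lower")
    if policy.get("require_digit") and not any(c in DIGITS for c in password):
        failures.append("digit")
    if policy.get("require_symbol") and not any(c in SYMBOLS for c in password):
        failures.append("symbol")
    return failures


def sync_would_succeed(policy: dict) -> bool:
    """True if a 16-character alphanumeric password can satisfy the app policy.

    This is the pre-check to run before enabling 'Sync a randomly generated
    password': an app that demands a symbol or more than 16 characters rejects
    every generated password, which surfaces as an error on the Tasks page.
    """
    return not check_policy(generate_password(16), policy)


# Two constructed app policies (not taken from any real app's documentation).
ALNUM_POLICY = {"min_length": 8, "require_upper": True,
                "require_lower": True, "require_digit": True}
SYMBOL_POLICY = {"min_length": 12, "require_upper": True,
                 "require_lower": True, "require_digit": True,
                 "require_symbol": True}

if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw))
    print("alnum-only app:", check_policy(pw, ALNUM_POLICY) or "OK")
    print("symbol-required app:", check_policy(pw, SYMBOL_POLICY) or "OK")
```

Run it against a policy that mirrors the target app's documented minimums; a non-empty result from `check_policy` for every generated password means the per-app policy adjustment described above is needed before enabling random password sync.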

Password cycle synchronization

With this option, Okta generates a new random password whenever the user changes their Okta password. The synchronized password is neither the Okta password nor a directory password; it's a fresh random value, triggered by the Okta password change, that Okta generates, stores, and pushes to the application using the application API. The Password Sync Agent isn't required for this functionality.

These events activate a password cycle:

  • Import-triggered or group-based application assignment
  • Administrator-initiated password change (Okta or delegated authentication)
  • User-initiated password change or recovery (Okta or delegated authentication)

Mobile password synchronization

With Okta to mobile synchronization, the password is synchronized to the application client on the mobile device. This functionality is only available for iOS and Android native mail clients that are configured with Okta Mobility Management (OMM). The Password Sync Agent isn't required for this functionality.

These events activate an Okta to mobile synchronization:

  • User-initiated password change or recovery (Okta or delegated authentication)
  • Admin-initiated password change (Okta or delegated authentication)
  • Import-triggered or group-based application assignment

For devices enrolled in Okta Mobility Management (OMM), an AD password reset reported by the Active Directory Password Sync agent doesn't require Sync Password to be enabled on any application. The reset notification triggers distribution of an updated Exchange ActiveSync (EAS) email configuration to the user's OMM-enrolled devices. If Sync Password isn't enabled for any application, Okta pushes the encrypted AD password to the device and then removes it from Okta.

Synchronize Okta passwords or random passwords to provisioning enabled applications

Push a user's Okta password or a random password to provisioning-enabled apps during initial Okta setup or when the user's Okta password changes.

Doesn't apply to federated users (for example, users from an external IdP in the source org or users provisioned through JIT).

  1. In the Admin Console, go to Applications > Applications.
  2. Click an application and then the Provisioning tab.
  3. In the Settings list, click To App.
  4. Click Edit.
  5. Scroll down to the Sync Password section and click Enable.
  6. Configure these settings:
  • Sync a randomly generated password: Select this option to push a unique, randomly generated password to each app user at setup. Because the app password differs from the Okta password and from every other app's password, a stolen Okta password can't be replayed directly against the app, and compromise of one app's credential doesn't extend to the rest of the organization. Users receive a notification on their Home page that a random password was generated.

Note: If you select this option, you should enable the Reveal Password feature to allow end users to see the password (Applications > Applications > Sign On > Settings > Credential Details).

  • Sync Okta Password: This option pushes each user's Okta password to the app during initial setup and again whenever the Okta password changes.
  • Password cycle: Select this option so that every change to a user's Okta password generates a new random password and syncs it to the app.

Note: Users may need to update their password on any device where they've installed this app.

  • Reset All App Passwords: Select this option to reset the passwords of all app users.
  7. Click Save.