Delegated authentication

This is where you'll find information about implementing and managing Active Directory (AD) and LDAP delegated authentication.

With delegated authentication, users use their AD credentials to sign in to Okta. Delegated authentication is enabled by default when you integrate Okta with an AD instance. Delegated authentication applies only to the AD users who are associated with the Okta instance on which delegated authentication is enabled.

Prerequisites

Enable AD delegated authentication

Use this procedure if you have not enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Settings tab and select Enable delegated authentication to Active Directory in the Delegated Authentication area.
  4. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an AD username and password and click Authenticate.
     3. Click Close when authentication completes.
  5. Click Save Settings.

Use this procedure if you have enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Provisioning tab and select Integration in the SETTINGS list.
  4. Scroll to Delegated Authentication and select Enable delegated authentication to Active Directory.
  5. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an AD username and password and click Authenticate.
     3. Click Close when authentication completes.
  6. Click Save.

Enable desktop single sign-on

Desktop single sign-on (SSO) allows users to be automatically authenticated by Okta, and any apps accessed through Okta, whenever they sign in to your Windows network. The Okta IWA Web App uses Microsoft IWA and ASP.NET to authenticate users from specified gateway IPs. For installation and configuration procedures, see Okta IWA Web App for Desktop SSO.

Enable LDAP delegated authentication

Delegated authentication lets your users use their LDAP credentials to sign in to Okta. Enable delegated authentication if you want LDAP to authenticate your users when they sign in to Okta.

  1. On the Okta Admin Console, click Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an LDAP username and password and click Authenticate.
     3. Click Close when authentication completes.
  6. Click Save.

Allow end users to change or reset their LDAP passwords

You can allow your end users to change their LDAP passwords in Okta. When a user's password expires, they are prompted to change it the next time they attempt to sign in to Okta.

End users can change their passwords from their Home page by clicking the drop down menu by their name, then Settings > Account > Change Password.

This feature requires Okta LDAP Agent version 5.3.0 or later. This feature works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM). Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or higher. For agent installation and uninstallation instructions, see Installing and Configuring the LDAP Agent.

  1. On the Okta Admin Console, click Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Under LDAP Password Policy, select Users can change their LDAP passwords in Okta.
  6. In the Password Rules Message field, describe the password policy rules that your end users must follow when changing their passwords.
  7. Select Users can reset forgotten LDAP passwords in Okta.

When you create or import and activate new users, they are prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.

If end users forget their passwords, or their LDAP account gets locked from too many failed sign in attempts, they can click the Forgot password? link on the Okta Sign-In Widget to reset their password using email or SMS.

  • Reset via email: End users enter their username or email address and then click the Send Email button. Users then receive an account password reset email that expires in 24 hours. This resets both the user’s Okta and LDAP passwords. For users who click the Forgot password? link because an account was locked, this changes their LDAP password and unlocks their account.
  • Reset via SMS: End users enter their username or email address and then click the Send Text Message button. This prompts a text message containing a password reset code. Once received, users enter the code from their phone and continue through the prompts to reset their passwords.
  8. Click Save.

View Del Auth system log information

To help identify AD delegated authentication bottlenecks, the system log includes information about the duration of each delegated authentication (Del Auth) request. The system log includes times in milliseconds for:

Note: AD agent version 3.1.0 or higher is required for this feature.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD or LDAP instance.
  3. Click View Logs at the top of the page.
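The Del Auth timings described above are only useful once you aggregate them per agent. The script below is an added example, not Okta's code: it reads a constructed, simplified newline-delimited JSON export (the field names agent, outcome and duration_ms are assumptions for this example, not the documented Okta event schema), skips malformed lines, and reports median, p95 and max latency per AD agent so a slow agent stands out.

```python
import json
import math
import statistics
from collections import defaultdict

# Constructed sample log lines (not real Okta output). One line is deliberately
# malformed and one carries no Del Auth timing, to show both are skipped.
SAMPLE_LOG = """
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-01", "outcome": "SUCCESS", "duration_ms": 120}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-02", "outcome": "SUCCESS", "duration_ms": 3100}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-01", "outcome": "FAILURE", "duration_ms": 95}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-02", "outcome": "SUCCESS", "duration_ms": 2800}
{"eventType": "user.session.start", "outcome": "SUCCESS"}
this line is not JSON
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-01", "outcome": "SUCCESS", "duration_ms": 140}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-02", "outcome": "SUCCESS", "duration_ms": 150}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-01", "outcome": "SUCCESS", "duration_ms": 110}
{"eventType": "user.authentication.auth_via_AD_agent", "agent": "ad-agent-02", "outcome": "SUCCESS", "duration_ms": 3400}
"""


def parse_events(raw: str) -> list:
    """Return only the events that carry an agent name and a Del Auth duration."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if "agent" in evt and "duration_ms" in evt:
            events.append(evt)
    return events


def latency_by_agent(events: list) -> dict:
    """Per-agent count, median, nearest-rank p95 and max of duration_ms."""
    per_agent = defaultdict(list)
    for evt in events:
        per_agent[evt["agent"]].append(int(evt["duration_ms"]))
    stats = {}
    for agent, samples in per_agent.items():
        ordered = sorted(samples)
        p95_idx = math.ceil(0.95 * len(ordered)) - 1  # nearest-rank percentile
        stats[agent] = {"count": len(ordered), "median_ms": statistics.median(ordered),
                        "p95_ms": ordered[p95_idx], "max_ms": ordered[-1]}
    return stats


def slow_agents(stats: dict, threshold_ms: int = 2000) -> list:
    """Agents whose p95 latency meets the threshold; the threshold is an assumed value."""
    return sorted(agent for agent, s in stats.items() if s["p95_ms"] >= threshold_ms)
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and mapping the assumed field names to the ones in your events.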

Just In Time provisioning

For details about Just In Time (JIT) provisioning with:
