Delegated authentication

Delegated authentication allows users to sign in to Okta by entering credentials for their organization's Active Directory (AD), Windows networked single sign-on (SSO), or user stores that employ the Lightweight Directory Access Protocol (LDAP).

Enable AD delegated authentication

Enable desktop single sign-on

Enable LDAP delegated authentication

View Del Auth System Log information

Just In Time provisioning

Enable AD delegated authentication

Prerequisite: Integrate your AD instance with Okta. See Manage your Active Directory integration.

Use the following procedure if you have NOT enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Provisioning tab and then click Integration under Settings.
  4. Select Enable delegated authentication to Active Directory in the Delegated Authentication section.
  5. Optional. Test the delegated authentication settings:
    1. Click Test Delegated Authentication.
    2. Enter an AD username and password and click Authenticate.
       The value entered in the AD Username field is the Universal Principal Name (UPN) with the Active Directory (AD) domain name as the suffix. For example, if the AD domain name is oktaad.com, the AD Username UPN would include the suffix @oktaad.com. If you don't include the AD domain name suffix, delegated authentication fails.
    3. Click Close when authentication completes.
  6. Click Save Settings.

Use this procedure if you have enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Provisioning tab and select Integration in the Settings list.
  4. Scroll to Delegated Authentication and select Enable delegated authentication to Active Directory.
  5. Optional. Test the delegated authentication settings:
    1. Click Test Delegated Authentication.
    2. Enter an AD username and password and click Authenticate.
    3. Click Close when authentication completes.
  6. Click Save.

Enable desktop single sign-on

Desktop SSO allows users to automatically authenticate with Okta, and any apps accessed through Okta, whenever they sign in to your Windows network. The Okta IWA Web App uses Microsoft IWA and ASP.NET to authenticate users from specified gateway IPs. See Install and configure the Okta IWA Web agent for Desktop Single Sign-on.

Enable LDAP delegated authentication

Enable delegated authentication if you want LDAP to authenticate your users when they sign in to Okta.

Prerequisite: Install and configure the Okta LDAP agent. See Manage your LDAP integration.

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Optional. Test the delegated authentication settings:
    1. Click Test Delegated Authentication.
    2. Enter an LDAP username and password and click Authenticate.
    3. Click Close when authentication completes.
  6. Click Save.

Allow end users to change or reset their LDAP passwords

You can allow your end users to change their LDAP passwords in Okta. When a user's password expires, they're prompted to change it the next time they attempt to sign in to Okta.

End users can change their passwords from their Home page by clicking the drop-down menu by their name, then Settings > Account > Change Password.

This feature requires Okta LDAP Agent version 5.3.0 or later. It works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM). Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or higher. For agent installation instructions, see LDAP integration.

  1. In the Admin Console, go to Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Under LDAP Password Policy, select Users can change their LDAP passwords in Okta.
  6. In the Password Rules Message field, describe the password policy rules that your end users must follow when changing their passwords.
  7. Select Users can reset forgotten LDAP passwords in Okta.

When you create or import and activate new users, they're prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.

If end users forget their passwords, or their LDAP account gets locked from too many failed sign-in attempts, they can click the Need help signing in? > Forgot password or unlock account link on the Okta Sign-In Widget to reset their password using email or SMS.

  • Reset via email: End users enter their username or email address and then click the Send Email button. Users then receive an account password reset email that expires in 24 hours. This resets both the user’s Okta and LDAP passwords. For users who click the Forgot password? link because an account was locked, this changes their LDAP password and unlocks their account.
  • Reset via SMS: End users enter their username or email address and then click the Send Text Message button. This prompts a text message containing a password reset code. Once received, users enter the code from their phone and continue through the prompts to reset their passwords.
  8. Click Save.

View Del Auth System Log information

To help identify AD delegated authentication bottlenecks, the system log includes information about the duration of each delegated authentication (Del Auth) request. The System Log includes times in milliseconds for:

  • delAuthTimeTotal: The total time spent for Del Auth in Okta. This time consists of the total time at the agent and the queue wait time in Okta before an agent starts processing the request. The queue wait times can be high if there aren't enough agents to serve requests.
  • delAuthTimeSpentAtAgent: The total time the agent spent processing the request. This includes the time spent at the Domain Controller.
  • delAuthTimeSpentAtDomainController: The time spent at the Domain Controller.

Note: AD agent version 3.1.0 or higher is required for this feature.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD or LDAP instance.
  3. Click View Logs at the top of the page.
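The three timing fields above are most useful when read together: the difference between delAuthTimeTotal and delAuthTimeSpentAtAgent is the time a request sat in Okta's queue waiting for an agent, and the difference between delAuthTimeSpentAtAgent and delAuthTimeSpentAtDomainController is agent overhead outside the Domain Controller. The following script is an added example, not Okta's own code: it reads a System Log export, computes those components per request, and counts requests whose queue wait exceeds a threshold (a sign that more agents are needed). The event layout (a JSON array of events with the fields under debugContext.debugData), the field values being strings, and the 1000 ms threshold are assumptions; the sample events are constructed, not real log data.

```python
"""Summarize delegated authentication (Del Auth) timing from an Okta System Log export.

Added example, not Okta's own code. The three field names are the ones the Okta
documentation lists; the event layout (fields under debugContext.debugData, values
as strings) is an ASSUMPTION about the export format and may need adjusting.
"""
import json
from statistics import mean

# CONSTRUCTED sample export (not real events). All times are milliseconds.
# Event 2 and 3 show long queue waits with a fast agent/DC; event 4 is unrelated.
SAMPLE_EVENTS = json.dumps([
    {"debugContext": {"debugData": {
        "delAuthTimeTotal": "420", "delAuthTimeSpentAtAgent": "390",
        "delAuthTimeSpentAtDomainController": "350"}}},
    {"debugContext": {"debugData": {
        "delAuthTimeTotal": "3100", "delAuthTimeSpentAtAgent": "300",
        "delAuthTimeSpentAtDomainController": "250"}}},
    {"debugContext": {"debugData": {
        "delAuthTimeTotal": "2900", "delAuthTimeSpentAtAgent": "120",
        "delAuthTimeSpentAtDomainController": "100"}}},
    {"debugContext": {"debugData": {}}},
])


def load_events(text):
    """Parse a JSON array of System Log events from an export string."""
    return json.loads(text)


def parse_del_auth(events):
    """Return one timing record per event that carries Del Auth fields.

    Events without delAuthTimeTotal (non-Del-Auth events) are skipped.
    """
    rows = []
    for ev in events:
        data = ev.get("debugContext", {}).get("debugData", {})
        if "delAuthTimeTotal" not in data:
            continue
        total = int(data["delAuthTimeTotal"])
        agent = int(data.get("delAuthTimeSpentAtAgent", 0))
        dc = int(data.get("delAuthTimeSpentAtDomainController", 0))
        rows.append({
            "total_ms": total,
            "agent_ms": agent,
            "dc_ms": dc,
            # Time the request waited in Okta before an agent picked it up.
            "queue_ms": max(total - agent, 0),
            # Agent processing time not spent at the Domain Controller.
            "agent_overhead_ms": max(agent - dc, 0),
        })
    return rows


def summarize(rows, queue_threshold_ms=1000):
    """Average each component and count requests whose queue wait is above threshold."""
    if not rows:
        return {"count": 0}
    return {
        "count": len(rows),
        "avg_total_ms": mean([r["total_ms"] for r in rows]),
        "avg_queue_ms": mean([r["queue_ms"] for r in rows]),
        "avg_agent_overhead_ms": mean([r["agent_overhead_ms"] for r in rows]),
        "avg_dc_ms": mean([r["dc_ms"] for r in rows]),
        "slow_queue_count": sum(1 for r in rows if r["queue_ms"] > queue_threshold_ms),
    }


def diagnose(summary):
    """Name the dominant component so an admin knows where to look first."""
    if summary.get("count", 0) == 0:
        return "no Del Auth events found"
    if summary["avg_queue_ms"] >= summary["avg_dc_ms"]:
        return "queue wait dominates: requests wait for a free agent (consider adding agents)"
    return "Domain Controller time dominates: investigate DC responsiveness"


if __name__ == "__main__":
    rows = parse_del_auth(load_events(SAMPLE_EVENTS))
    summary = summarize(rows)
    print(json.dumps(summary, indent=2))
    print(diagnose(summary))
```

Run it against a real export by replacing SAMPLE_EVENTS with the file contents; the queue threshold is a starting point to tune against your own baseline, since the page gives no fixed limit.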

Just In Time provisioning

For details about Just In Time (JIT) provisioning with:

When JIT is enabled for your org and delegated authentication is selected for your AD or LDAP integration, JIT is used to create user profiles and import user data.

Related topics

Password policies

Manage self-service password reset

Multifactor Authentication