Delegated authentication

With delegated authentication users sign in to Okta by entering credentials for their organization's Active Directory (AD), Windows networked single sign-on, or user stores that employ the Lightweight Directory Access Protocol (LDAP).

Enable AD delegated authentication

Prerequisite: Integrate your AD instance with Okta. See Active Directory integration.

Use the following procedure if you have not enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Settings tab and select Enable delegated authentication to Active Directory in the Delegated Authentication area.
  4. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an AD username and password and click Authenticate.
     3. Click Close when authentication completes.
  5. Click Save Settings.

Use this procedure if you have enabled New Import and Provisioning Settings Experience for Active Directory on the Settings page.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD instance.
  3. Click the Provisioning tab and select Integration in the SETTINGS list.
  4. Scroll to Delegated Authentication and select Enable delegated authentication to Active Directory.
  5. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an AD username and password and click Authenticate.
     3. Click Close when authentication completes.
  6. Click Save.

Enable desktop single sign-on

Desktop single sign-on (SSO) allows users to be automatically authenticated by Okta, and any apps accessed through Okta, whenever they sign into your Windows network. The Okta IWA Web App uses Microsoft IWA and ASP.NET to authenticate users from specified gateway IPs. For installation and configuration procedures, see Okta IWA Web App for Desktop SSO.

Enable LDAP delegated authentication

Enable delegated authentication if you want LDAP to authenticate your users when they sign in to Okta.

Prerequisite: Install and configure the Okta LDAP agent.

  1. On the Okta Admin Console, click Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Optional. Test the delegated authentication settings:
     1. Click Test Delegated Authentication.
     2. Enter an LDAP username and password and click Authenticate.
     3. Click Close when authentication completes.
  6. Click Save.

Allow end users to change or reset their LDAP passwords

You can allow your end users to change their LDAP passwords in Okta. When a user's password expires, they are prompted to change it the next time they attempt to sign in to Okta.

End users can change their passwords from their Home page by clicking the drop-down menu by their name, then Settings > Account > Change Password.

This feature requires Okta LDAP Agent version 5.3.0 or later. It works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM). Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or later. For agent installation and uninstallation instructions, see LDAP integration.

  1. On the Okta Admin Console, click Security > Delegated Authentication.
  2. Click the LDAP tab.
  3. In Delegated Authentication, click Edit.
  4. Select Enable delegated authentication to LDAP.
  5. Under LDAP Password Policy, select Users can change their LDAP passwords in Okta.
  6. In the Password Rules Message field, describe the password policy rules that your end users must follow when changing their passwords.
  7. Select Users can reset forgotten LDAP passwords in Okta.

When you create or import and activate new users, they are prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.

If end users forget their passwords, or their LDAP account gets locked from too many failed sign-in attempts, they can click the Forgot password? link on the Okta Sign-In Widget to reset their password using email or SMS.

  • Reset via email: End users enter their username or email address and then click the Send Email button. Users then receive an account password reset email that expires in 24 hours. This resets both the user’s Okta and LDAP passwords. For users who click the Forgot password? link because an account was locked, this changes their LDAP password and unlocks their account.
  • Reset via SMS: End users enter their username or email address and then click the Send Text Message button. This prompts a text message containing a password reset code. Once received, users enter the code from their phone and continue through the prompts to reset their passwords.
  8. Click Save.

View Del Auth system log information

To help identify AD delegated authentication bottlenecks, the system log includes information about the duration of each delegated authentication (Del Auth) request. The system log includes times in milliseconds for:

  • delAuthTimeTotal — The total time spent for Del Auth in Okta. This time consists of the total time at the agent and the queue wait time in Okta before an agent starts processing the request. The queue wait times can be high if there are not enough agents to serve requests.
  • delAuthTimeSpentAtAgent — The total time the agent spent processing the request. This includes the time spent at the Domain Controller.
  • delAuthTimeSpentAtDomainController — The time spent at the Domain Controller.

Note: AD agent version 3.1.0 or higher is required for this feature.

  1. On the Okta Admin Console, click Directory > Directory Integrations.
  2. Select an AD or LDAP instance.
  3. Click View Logs at the top of the page.
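
The three timing fields above let you work out where a slow Del Auth request spent its time: the queue wait in Okta is delAuthTimeTotal minus delAuthTimeSpentAtAgent, and the agent's own overhead is delAuthTimeSpentAtAgent minus delAuthTimeSpentAtDomainController. The following Python script is an added example, not Okta's own code, that applies that arithmetic to System Log events and classifies each one as an agent-queue, domain-controller, or agent-host bottleneck. It assumes the three fields are found under debugContext.debugData of each event (the page does not state the field location), and the eventType string on the constructed sample events is likewise an assumption used only for labelling; the parser keys off the field names alone. The sample events are constructed for the example.

```python
"""Classify Okta delegated-authentication (Del Auth) System Log events by
where the time went, to spot agent-queue vs. domain-controller bottlenecks.

Added example, not Okta's own code. Assumptions (not stated on the page):
- the three timing fields are read from event["debugContext"]["debugData"]
  as millisecond values (string or int);
- the eventType "user.authentication.auth_via_AD_agent" on the samples is an
  assumed label; parsing keys off the field names, not the event type.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TIMING_KEYS = (
    "delAuthTimeTotal",
    "delAuthTimeSpentAtAgent",
    "delAuthTimeSpentAtDomainController",
)


@dataclass
class DelAuthTiming:
    uuid: str
    published: str
    total_ms: int
    agent_ms: int
    dc_ms: int

    @property
    def queue_wait_ms(self) -> int:
        # delAuthTimeTotal = queue wait in Okta + time at the agent,
        # so the queue wait is whatever remains after the agent's share.
        return self.total_ms - self.agent_ms

    @property
    def agent_overhead_ms(self) -> int:
        # Agent time not spent waiting on the domain controller.
        return self.agent_ms - self.dc_ms


def parse_del_auth(event: Dict) -> Optional[DelAuthTiming]:
    """Return timings for one event, or None if it carries no usable Del Auth
    data (non-Del Auth event, pre-3.1.0 agent, malformed or inconsistent values)."""
    data = (event.get("debugContext") or {}).get("debugData") or {}
    if not all(k in data for k in TIMING_KEYS):
        return None
    try:
        total, agent, dc = (int(data[k]) for k in TIMING_KEYS)
    except (TypeError, ValueError):
        return None
    # Each stage is contained in the previous one; reject anything else.
    if not 0 <= dc <= agent <= total:
        return None
    return DelAuthTiming(event.get("uuid", ""), event.get("published", ""),
                         total, agent, dc)


def classify(t: DelAuthTiming, threshold_ms: int = 2000) -> str:
    """Name the dominant slow stage. The threshold is illustrative."""
    if t.queue_wait_ms > threshold_ms:
        return "queue"              # waiting for a free agent: add agents
    if t.dc_ms > threshold_ms:
        return "domain_controller"  # DC slow or distant: check DC health/site
    if t.agent_overhead_ms > threshold_ms:
        return "agent"              # the agent host itself is slow
    return "ok"


def summarize(events: List[Dict], threshold_ms: int = 2000) -> Dict:
    """Count events per bottleneck class and list the slow ones."""
    counts: Dict[str, int] = {}
    slow: List[Dict] = []
    skipped = 0
    for ev in events:
        t = parse_del_auth(ev)
        if t is None:
            skipped += 1
            continue
        label = classify(t, threshold_ms)
        counts[label] = counts.get(label, 0) + 1
        if label != "ok":
            slow.append({"uuid": t.uuid, "published": t.published, "stage": label,
                         "queue_wait_ms": t.queue_wait_ms, "dc_ms": t.dc_ms})
    return {"counts": counts, "slow": slow, "skipped": skipped}


def _event(uuid: str, published: str, total: int, agent: int, dc: int) -> Dict:
    # Constructed sample in System Log shape; all values are made up.
    return {
        "uuid": uuid,
        "published": published,
        "eventType": "user.authentication.auth_via_AD_agent",  # assumed label
        "debugContext": {"debugData": {
            "delAuthTimeTotal": str(total),
            "delAuthTimeSpentAtAgent": str(agent),
            "delAuthTimeSpentAtDomainController": str(dc),
        }},
    }


SAMPLE_EVENTS: List[Dict] = [
    _event("e1", "2024-01-01T08:00:01.000Z", 5200, 300, 120),    # long queue wait
    _event("e2", "2024-01-01T08:00:02.000Z", 2600, 2500, 2400),  # slow DC
    _event("e3", "2024-01-01T08:00:03.000Z", 450, 300, 200),     # healthy
    {"uuid": "e4", "published": "2024-01-01T08:00:04.000Z",      # no Del Auth data
     "eventType": "user.session.start", "debugContext": {"debugData": {}}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

Feed it the events returned by the System Log (for example, the JSON array from the Admin Console export or the logs API) and a run of "queue" classifications means the agents cannot keep up, while "domain_controller" points at the DC or the network path to it rather than at Okta or the agent.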

Just In Time provisioning

For details about Just In Time (JIT) provisioning with: