Configure LDAP to Okta provisioning settings
After installing and configuring the Okta LDAP Agent, you can use this procedure to update your LDAP to Okta provisioning settings as the needs of your org change. The LDAP to Okta provisioning settings define how LDAP user data is shared and manged with Okta.
- In the Admin Console, go to Directory > Directory Integrations.
- Select the LDAP agent from the list of directories.
- Click the Provisioning tab and select To Okta in the Settings list.
- Click Edit and complete the following settings:
- Schedule import – Select the frequency for importing users from LDAP to Okta.
- Okta username format: Specify a username format. When you import users from LDAP, Okta uses this attribute to generate the Okta username. When you access Import Settings during LDAP setup, the username format matches the option you selected when you tested the configuration and you should not need to change it. You can also access this page later and select another option, if necessary. User names must be in email format, so ensure the selected option is appropriate for your environment.
You can use custom expressions to create usernames for imported users, but the custom expression is not considered when the search query used to locate accounts in LDAP during Just-in-Time (JIT) provisioning is determined. If you set the Okta username format field to Custom, enable JIT provisioning, and a LDAP user account does not exist, the LDAP directory is searched for the unique identifier (uid) or the email (mail) attribute that matches the username used to sign in to Okta.
- Update application user name on: This setting cannot be changed.
JIT Provisioning: Select if you want to enable Just-in-Time (JIT) update and JIT creation when a user signs in. Select Create and update users on login to automatically create Okta user accounts the first time a user authenticates with LDAP Delegated Authentication. When an LDAP sourced user profile already exists in Okta, the existing user profile is updated when the user signs in, or when an admin views the profile.
- Activation emails: Select if you don't want to send new user activation emails.
- Incremental import: Select to only import users that were created or updated since your last import. Matching rules are only evaluated on these users. This is the type of import performed by scheduled imports.
- Maximum clock skew: Incremental import relies on the modifyTimestamp attribute to determine whether an LDAP entry has been imported. However, the system clock on some on-premises LDAP servers could go backward, causing some updates to be missed. To prevent missed updates, set the clock skew to a value that is the maximum potential clock drift of the server. To improve the performance of incremental import, the modifyTimestamp attribute should be indexed on your LDAP server.
If you enable JIT, you must enable delegated authentication. JIT provisioning can be used with or without scheduled imports.
- Click Save.
- To define your User Creation & Matching settings, click Edit and complete the following settings:
Imported user is an exact match to Okta user if: Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
Select the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
Allow partial matches: Partial matching occurs when the first and last name of an imported user matches that of an existing Okta user, but the user’s username or/and email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches must be confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.
For information on deprovisioning, see Provision applications.
- Click Save.
- To define your Profile & Lifecycle Sourcing settings, click Edit and complete the following settings:
- Allow LDAP to source Okta users — This option is enabled by default. Profile sourcing makes LDAP the identity authority for connected users. When enabled, user profiles are not editable in Okta and changes are synced to Okta during provisioning events. You can disable this option to have LDAP treated as a normal application. If you disable this feature, user updates you perform in LDAP are not pushed back to the user in Okta. For example, if you change a user's name in LDAP , the change does not affect the Okta user. If you disable LDAP as the profile source, you cannot reset a user's LDAP password in Okta because their credentials are still being managed by LDAP. You can, however, disable Delegated Authentication (see Enable delegated authentication) and enable the Sync Password option to push passwords to LDAP. This means that your users have their delegated Okta password, but any subsequent password updates are pushed to LDAP.
- When a user is deactivated in the app — Specify what action Okta should take if the user's account is deactivated in Okta.
- Do nothing — No action is taken.
- Deactivate — Deactivates users' LDAP account when they are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- Suspend — Suspends users' LDAP account when they are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- When a user is reactivated in the app: Specify what action Okta should take if the user's account is reactivated in Okta.
- Reactivate suspended Okta users — Reactivate suspended Okta users if they are reactivated in LDAP.
- Reactivate deactivated Okta users — Reactivate deactivated Okta users if they are reactivated in LDAP.
- App unassignment safeguard — Select Enabled to enable import safeguards, or select Disabled to disable import safeguards.
- is the threshold for unassignments from any app — Enter the percentage of allowable app or org unassignments, or select Set to default to set the percentage to the default value.
Org-wide unassignment safeguard — Select Enabled to enable import safeguards for the entire org, or select Disabled to disable import safeguards for the entire org.
is the threshold for unassignments across the org — Enter the percentage of allowable app or org unassignments for the org, or select Set to default to set the percentage for the org to the default value.