This guide describes how to integrate Okta with your LDAP directory service by deploying the Okta LDAP Agent. LDAP integration allows end users to authenticate to Okta using their LDAP credentials without replicating those credentials into the cloud. In addition, Okta can import user accounts and attributes into the cloud service to improve performance and support complex scenarios. Okta’s LDAP integration helps organizations leverage current identity directory investments when controlling access to Okta-protected resources.
This guide includes the following topics:
Okta is an enterprise-grade, identity management service built for the cloud but compatible with many on-premises applications. With Okta, IT can manage any employee's access to any application or device. Okta runs in the cloud on a secure, reliable, and extensively audited platform that integrates deeply with on-premises applications, directories, and identity management systems.
LDAP stands for Lightweight Directory Access Protocol (version 3, LDAPv3, at the time of this writing). LDAP is a standard protocol for managing objects in a hierarchical directory and is commonly used for user management. LDAP is prevalent; in fact, Microsoft Active Directory is an LDAP-based solution. Okta can integrate with an organization’s LDAP directory or directories by delegating authentication and/or importing users and groups.
Okta can integrate with most LDAPv3 directories. The configuration wizard provides templates for the following distributions:
To integrate Okta with your LDAP instance, you need the following:
The installation procedure you perform depends on which platform you are using. Separate procedures for Linux and Windows platforms are provided in Installing and Configuring the LDAP Agent.
The Okta LDAP Agent officially supports the following Operating Systems:
The LDAP Agent is compatible with any LDAPv3-compliant directory, but is tested only on the following:
The Okta LDAP Agent is a Java-based service that runs locally on any server. The LDAP Agent integrates with an organization’s directory using the LDAP protocol, over port 389 by default. The agent communicates with Okta using a technique called long-polling: a TLS channel is established every 60 seconds, and over that channel the agent waits for instructions from Okta. Once an instruction is received, the agent processes it and returns the result over the same secure channel. If no instruction arrives before the channel times out, the agent disconnects and immediately establishes a new TLS channel.
The diagram below shows the LDAP agent’s interaction with Okta and an organization’s on-premises infrastructure.
The LDAP Agent facilitates three major workflows for Okta users:
Okta’s LDAP Agent can authenticate users against an organization’s LDAP directory in real time. This means Okta does not have to store user credentials in the cloud, and it minimizes the number of passwords a user must memorize. The diagram below shows the LDAP delegated authentication flow via the Okta LDAP Agent.
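To make the delegated authentication step concrete, the following is an added example (not the Okta LDAP Agent's own code) of the LDAPv3 simple bind that such an agent performs on the user's behalf: it encodes a BindRequest, parses the BindResponse result code, and refuses an empty password before connecting, because RFC 4513 treats a DN with an empty password as an unauthenticated bind that many directories accept. The host name, port and DN values are constructed placeholders.

```python
import socket
import ssl

def _ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (a two-byte long-form length is plenty for a bind)."""
    n = len(payload)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload

def build_simple_bind(message_id: int, user_dn: str, password: str) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2); message_id < 128."""
    bind = _ber(0x02, bytes([3]))                       # version INTEGER 3
    bind += _ber(0x04, user_dn.encode())                # name LDAPDN
    bind += _ber(0x80, password.encode())               # authentication: simple [0] OCTET STRING
    protocol_op = _ber(0x60, bind)                      # BindRequest [APPLICATION 0]
    return _ber(0x30, _ber(0x02, bytes([message_id])) + protocol_op)  # LDAPMessage SEQUENCE

def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    n_len = 0 if first < 0x80 else first & 0x7F         # short-form vs. long-form length
    length = first if n_len == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n_len], "big")
    start = pos + 2 + n_len
    return tag, buf[start:start + length], start + length

def parse_bind_response(data: bytes) -> dict:
    """Extract messageID and resultCode from a BindResponse [APPLICATION 1]; 0 = success, 49 = invalidCredentials."""
    tag, message, _ = _tlv(data, 0)
    if tag != 0x30: raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(message, 0)
    tag, op, _ = _tlv(message, pos)
    if tag != 0x61: raise ValueError("not a BindResponse")
    _, code, _ = _tlv(op, 0)                            # resultCode ENUMERATED (matchedDN, diagnostic follow)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big")}

def delegated_auth(host: str, port: int, user_dn: str, password: str, ldaps: bool = True) -> bool:
    """Bind as the user and report True only on resultCode 0; host/port/DN are caller-supplied placeholders."""
    if not password:                                    # RFC 4513 5.1.2: empty password = unauthenticated bind
        raise ValueError("empty password would become an unauthenticated bind")
    sock = socket.create_connection((host, port), timeout=10)
    if ldaps:                                           # LDAPS (commonly 636); plain 389 sends the password in clear
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, user_dn, password))
        reply = parse_bind_response(sock.recv(4096))    # a BindResponse fits in one small read
    return reply["message_id"] == 1 and reply["result_code"] == 0
```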
Okta’s LDAP Agent also facilitates password change requests from an end user. If a user's password needs to change, whether because it expired or the policy dictates a change for any reason, Okta’s password reset flow works for LDAP passwords, too. This feature helps to reduce help desk calls by empowering users to perform self-service password reset.
The diagram below shows the password reset flow in an LDAP-integration scenario.
The Okta LDAP Agent imports user information each time the user successfully authenticates. The flow is very similar to delegated authentication, but there is an extra step: after the user successfully authenticates, Okta either creates or updates the user’s account.
Okta selects an agent at random from the pool of registered agents to fulfill each authentication request. To ensure that an agent is always available to process commands if one server or connection goes down, a minimum of two LDAP Agents is recommended. If the directory contains more than 30K users, which entails a much higher authentication frequency, four or more LDAP Agents are recommended. In general, capacity scales linearly with the number of agents: adding agents provides automatic failover and improves authentication throughput.