The Delegated Authentication page provides a variety of directory and authentication management options. There are options for Active Directory, and LDAP. Select the option to set up from the list at the top of the screen.
Important: If you do not already have an Active Directory (AD) integration, you can click Configure Active Directory to go to Directory Integrations and install and configure the Okta AD agent.
Delegated authentication makes your users' Okta credentials the same as their AD credentials. Enable it if you want Active Directory (AD) to authenticate your users when they sign into Okta.
Instance-level Delegated Authentication
This feature moves delegated authentication (Del Auth) enablement from the org-level to the instance-level. While preserving current Del Auth functionality, instance-level Del Auth is optimized for use in environments with multiple AD instances. It allows admins to delegate authentication on a per AD-instance level to support more granular authentication scenarios such as the following:
Once Instance-Level Del Auth is enabled by Okta Support, you can configure it in Directory > Directory Integrations > Active Directory > Settings. Your former org-level delegated authentication settings are preserved but no longer managed from Security > Authentication > Active Directory.
Enabling Desktop Single Sign-On (SSO)
You can configure your Desktop SSO mode, failover settings, and Integrated Web Authentication (IWA) web applications in this section. Desktop SSO allows users to be automatically authenticated by Okta, and any apps accessed through Okta, whenever they sign into your Windows network. Okta's IWA Web App uses Microsoft's IWA and ASP.NET to authenticate users from specified gateway IPs. For installation and configuration procedures, see Okta IWA Web App for Desktop SSO.
Important: Before you can configure LDAP delegated authentication, you must install and configure the Okta LDAP agent.
Enabling Delegated Authentication (LDAP)
Delegated authentication makes your users' Okta credentials the same as their LDAP credentials. Enable it if you want LDAP to authenticate your users when they sign into Okta.
Allowing end users to change or reset their LDAP passwords in Okta
You can allow your end users to change their LDAP passwords in Okta. When end users' passwords expire, they are prompted to change them the next time they attempt to sign into Okta.
End users can change their passwords from their Home page by clicking the drop-down menu next to their name, then Settings > Account > Change Password.
Note: This is an Early Access feature; contact Okta Support to enable it. It requires Okta Java LDAP Agent version 5.3.0 or later. This feature works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM). Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or later. For agent installation and uninstallation instructions, see Installing and Configuring the LDAP Agent.
End User Password Reset
Select Users can reset forgotten LDAP passwords in Okta to allow your end users to reset forgotten LDAP passwords. When you create or import and activate new users, they are prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.
If end users forget their passwords, or their LDAP account gets locked from too many failed login attempts, they can click the Forgot password? link on the Okta Sign On page to reset the password using email or SMS.
Create a Password Rules Message
Optionally select the Password Rules Message check box and enter a description of your password policy; it appears when end users change or reset their LDAP passwords. For example, the default message is: Minimum eight characters including one numeral and one special character.
Del Auth System Log information
The System Log includes information about the duration of each Delegated Authentication (Del Auth) request to help admins identify bottlenecks in the Active Directory (AD) Del Auth pipeline. The Del Auth System Log events now include times in milliseconds for:
Note: You must be using AD agent version 3.1.0 or higher to use this feature.
For details about JIT with Active Directory and LDAP, see JIT Provisioning. For details about JIT with Desktop SSO, see the Customization page.