https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a0000005ugtsaq&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fdelegated-authentication-1098679333
Delegated Authentication
Published: Jan 31, 2018   -   Updated: Jun 22, 2018

The Delegated Authentication page provides a variety of directory and authentication management options. There are options for Active Directory and for LDAP. Select the option to set up from the list at the top of the screen.

Active Directory

Important: If you do not already have an Active Directory (AD) integration, you can click Configure Active Directory to go to Directory Integrations and install and configure the Okta AD agent.

Enabling Delegated Authentication (AD)

Delegated authentication makes your users' Okta credentials the same as their AD credentials. Enable it if you want Active Directory (AD) to authenticate your users when they sign into Okta.

Instance-level Delegated Authentication

This feature moves delegated authentication (Del Auth) enablement from the org-level to the instance-level. While preserving current Del Auth functionality, instance-level Del Auth is optimized for use in environments with multiple AD instances. It allows admins to delegate authentication on a per AD-instance level to support more granular authentication scenarios such as the following:

  • Configure Okta to be the authentication master for users in some AD instances.
  • Configure AD to be the authentication master for users in the remaining AD instances (meaning users log in using their Windows credentials).
  • Continue to rely on Okta to provision to all AD instances.

Once Instance-Level Del Auth is enabled by Okta Support, you can configure it in Directory > Directory Integrations > Active Directory > Settings. Your former org-level delegated authentication settings are preserved but no longer managed from Security > Authentication > Active Directory.

Enabling Desktop Single Sign-On (SSO)

You can configure your Desktop SSO mode, failover settings, and Integrated Web Authentication (IWA) web applications in this section. Desktop SSO allows users to be automatically authenticated by Okta, and any apps accessed through Okta, whenever they sign into your Windows network. Okta's IWA Web App uses Microsoft's IWA and ASP.NET to authenticate users from specified gateway IPs. For installation and configuration procedures, see Okta IWA Web App for Desktop SSO.

LDAP

Important: Before you can configure LDAP delegated authentication, you must install and configure the Okta LDAP agent.

Enabling Delegated Authentication (LDAP)

Delegated authentication makes your users' Okta credentials the same as their LDAP credentials. Enable it if you want LDAP to authenticate your users when they sign into Okta.

  1. In Delegated Authentication, click Edit.
  2. Select Enable delegated authentication to LDAP.
  3. Click Save.

Allowing end users to change or reset their LDAP passwords in Okta

You can allow your end users to change their LDAP passwords in Okta. When end users' passwords expire, they are prompted to change them the next time they attempt to sign into Okta.

End users can change their passwords from their Home page by clicking the drop-down menu by their name, then Settings > Account > Change Password.

  1. In Delegated Authentication, click Edit.
  2. Make sure that Enable delegated authentication to LDAP is selected.
  3. Under LDAP Password Policy, select Users can change their LDAP passwords in Okta.
  4. In the Password Rules Message field, describe the password policy rules that your end users must follow when changing their passwords.
  5. Select Users can reset forgotten LDAP passwords in Okta.
  6. Click Save.

Note: This is an Early Access feature; contact Okta Support to enable it. It requires Okta Java LDAP Agent version 5.3.0 or later. This feature works with any LDAP distribution that correctly sets the pwdReset attribute to TRUE when a password is expired (for example, OpenLDAP and IBM). Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or higher. For agent installation and uninstallation instructions, see Installing and Configuring the LDAP Agent.

End User Password Reset

Select Users can reset forgotten LDAP passwords in Okta to allow your end users to reset forgotten LDAP passwords. When you create or import and activate new users, they are prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.

If end users forget their passwords, or their LDAP account gets locked from too many failed login attempts, they can click the Forgot password? link on the Okta Sign On page to reset the password using email or SMS.

  • Reset via email: End users enter their username or email address and then click the Send Email button. Users then receive an account password reset email that expires in 24 hours. This resets both the user’s Okta and LDAP passwords. For users who click the Forgot password? link because an account was locked, this changes their LDAP password and unlocks their account.
  • Reset via SMS: End users enter their username or email address and then click the Send Text Message button. This prompts a text message containing a password reset code. Once received, users enter the code from their phone and continue through the prompts to reset their passwords.

Create a Password Rules Message

Optionally select the Password Rules Message check box and enter a description of your password policy; it appears when end users change or reset their LDAP passwords. For example, the default message is: Minimum eight characters including one numeral and one special character.

Del Auth System Log information

The System Log includes information about the duration of each Delegated Authentication (Del Auth) request to help admins identify bottlenecks in the Active Directory (AD) Del Auth pipeline. The Del Auth System Log events now include times in milliseconds for:

  • delAuthTimeTotal: The total time spent for Del Auth in Okta. This time consists of the total time at the agent and the queue wait time in Okta before an agent starts processing the request. The queue wait times can be high if there are not enough agents to serve requests.
  • delAuthTimeSpentAtAgent: The total time the agent spent processing the request. This includes the time spent at the Domain Controller.
  • delAuthTimeSpentAtDomainController: The time spent at the Domain Controller.

Note: You must be using AD agent version 3.1.0 or higher to use this feature.
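The three timing fields above let an admin separate queue wait (too few agents) from Domain Controller latency. The following is an added example, not Okta's own code: it derives the queue wait as delAuthTimeTotal minus delAuthTimeSpentAtAgent, as the text describes, and classifies each event. The sample events are constructed, and placing the fields under debugContext.debugData is an assumption about the event shape, as are the threshold values.

```python
from typing import Dict, List, Optional

DELAUTH_KEYS = ("delAuthTimeTotal",
                "delAuthTimeSpentAtAgent",
                "delAuthTimeSpentAtDomainController")

# Constructed sample System Log events (values in milliseconds, as strings
# like other Okta debugData values). The nesting is an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"displayMessage": "User login to Okta",  # long queue wait
     "debugContext": {"debugData": {"delAuthTimeTotal": "3200",
                                    "delAuthTimeSpentAtAgent": "400",
                                    "delAuthTimeSpentAtDomainController": "150"}}},
    {"displayMessage": "User login to Okta",  # slow Domain Controller
     "debugContext": {"debugData": {"delAuthTimeTotal": "1500",
                                    "delAuthTimeSpentAtAgent": "1400",
                                    "delAuthTimeSpentAtDomainController": "1300"}}},
    {"displayMessage": "User login to Okta",  # healthy request
     "debugContext": {"debugData": {"delAuthTimeTotal": "300",
                                    "delAuthTimeSpentAtAgent": "250",
                                    "delAuthTimeSpentAtDomainController": "200"}}},
    {"displayMessage": "User session start",  # not a Del Auth event
     "debugContext": {"debugData": {"requestUri": "/login/login.htm"}}},
]


def delauth_timings(event: Dict) -> Optional[Dict[str, int]]:
    """Return total, agent, dc and derived waits in ms, or None if absent."""
    data = event.get("debugContext", {}).get("debugData", {})
    if not all(k in data for k in DELAUTH_KEYS):
        return None
    total, agent, dc = (int(data[k]) for k in DELAUTH_KEYS)
    return {"total": total, "agent": agent, "dc": dc,
            "queue_wait": total - agent,   # time waiting for a free agent
            "agent_overhead": agent - dc}  # agent work excluding the DC call


def classify(t: Dict[str, int], queue_ms: int = 1000, dc_ms: int = 1000) -> str:
    """Name the likely bottleneck: 'queue' (add agents), 'dc', or 'none'."""
    if t["queue_wait"] >= queue_ms:
        return "queue"
    if t["dc"] >= dc_ms:
        return "dc"
    return "none"


def summarize(events: List[Dict], **thresholds: int) -> Dict[str, int]:
    """Count Del Auth events per bottleneck class, skipping other events."""
    counts = {"queue": 0, "dc": 0, "none": 0}
    for ev in events:
        t = delauth_timings(ev)
        if t is not None:
            counts[classify(t, **thresholds)] += 1
    return counts
```

A sustained "queue" count across a reporting window points at agent capacity rather than AD, which is the distinction the three fields were added to make.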

JIT Provisioning

For details about JIT with:

  • Active Directory and LDAP, see JIT Provisioning.
  • Desktop SSO, see the Customization page.
