https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a0000005ujisaq&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2ffaq-okta-and-ad-groups-2082747616
FAQ: Okta and AD Groups
Published: Jan 31, 2018 - Updated: Jun 22, 2018

How does Okta handle Universal Security Groups (USGs)?

For more about Universal Security Groups, see Okta's documentation on Universal Security Groups.

Variables

  • Whether users and USGs reside in the same or different AD domains.
  • If different domains, whether both domains exist in Okta and are connected by a trust relationship.
  • Whether users come into Okta via sign-in (JIT) or import.

Assumptions

  • JIT Provisioning and USG Support options are selected in Import and Account Settings.
  • If the option Schedule import is selected, the option Do not import new Users is not selected.

Note: Okta does not support Domain Local Groups containing members from multiple domains. We do support Universal Security Groups with cross-domain membership, provided that there is a two-way trust established between the domains. Universal Security Groups do not support cross-forest membership.

Sign-in (JIT) scenarios

What happens when a user who is a member of a USG that does not already exist in Okta signs in to Okta?

  • If the user and the USG belong to the same domain but the USG does not already exist in Okta, Okta creates or updates the user's profile in Okta, brings in the USG, and syncs the user's membership to the USG.
  • If the user and the USG belong to different domains and both domains exist in Okta but the USG does not already exist in Okta, Okta creates or updates the user's profile in Okta but does not bring the USG into Okta.

What happens when a user who is a member of a USG that already exists in Okta signs in to Okta?

  • If the user and the USG belong to the same domain and the USG exists in Okta, Okta creates or updates the user's profile in Okta and syncs the user's membership to the USG.
  • If the user and the USG belong to different domains and the USG exists in Okta, Okta syncs the user's membership to the USG at sign-in only if the two domains are connected by a trust relationship. If the domains have no trust relationship, Okta does not recognize the user's membership in the USG.

Import scenarios

What happens during an import of groups and users?

  • If the users and the USG are members of the same domain, Okta creates or updates the users' profiles in Okta, creates the USG if it doesn't already exist in Okta, and syncs memberships to the USG only for users in the domain being imported. Nothing is imported from other domains. During import, Okta does not recognize memberships to USGs in other domains.
  • If the users in the domain being imported are members of a USG that resides in a different domain, Okta only imports the users and ignores their membership in the USG. If the domain containing the USG is imported later, Okta syncs memberships the next time group members sign in to Okta.

Example: USG across two domains

Given a USG that resides in Domain B and contains users from Domains A and B:

[Figure: USG spanning two domains]

If Domain A is imported into Okta, which members of the USG are imported into Okta?

Only users from Domain A are imported into Okta, and their membership in the USG is ignored until Domain B is later imported.

If Domain A already exists in Okta, will importing Domain B bring the USG into Okta and sync Group 2 memberships to the USG?

Yes.

Example: USG across three domains

Given a USG in a 3-domain forest that resides in Domain A and contains users from Domains A, B, and C.

When Domain A users and groups are imported into Okta, the USG is imported and Domain A USG user memberships are synced.

[Figure: USG in a three-domain forest, memberships from one domain synced]

If Domain B and Domain C users and groups are imported into Okta, the USG memberships from those domains are not synced until users from those domains sign in to Okta for the first time (as indicated by the dotted line in the diagram).

[Figure: Distribution Groups, AD to Okta]

When are Distribution Groups brought in to Okta?

Only during incremental and full imports, not when users sign in (JIT).
Note: When users sign-in (JIT), Okta imports security group membership, but not distribution group membership.

For more about Distribution Groups, see Okta's documentation on Distribution Groups.

When are Distribution Group memberships synced in Okta?

Only during incremental and full imports, and only if the users and groups being imported belong to the same domain.

Does Okta treat Distribution Groups (DGs) and Universal Security Groups (USGs) the same or differently?

Okta treats DGs and USGs the same in this respect:

During imports, Okta does not sync group memberships to DGs or USGs that reside in a different domain than the domain being imported.

Okta treats DGs and USGs differently in this respect:

  • If a user and a USG of which it is a member belong to the same domain, Okta syncs the user to the USG during JIT and during imports.
  • If a user and a DG of which it is a member belong to the same domain, Okta syncs the user to the DG only during imports, not during JIT.

Note: If only JIT is enabled, Okta will retrieve security group membership during JIT sign-in, but will not retrieve distribution group membership.

How does Okta handle users and groups that are moved to an out-of-scope OU?

Note: The term out-of-scope Organizational Unit (OU) refers to an OU that does not appear in, or is not selected in, the relevant OU selector. (Examples of the latter type of out-of-scope OU are highlighted in yellow in the figure below.)

Some organizations administer an employee off-boarding process that involves moving users or groups to an out-of-scope OU. As detailed below, Okta never imports users and groups in out-of-scope OUs, and denies sign-in to all such users.

[Figure: Out-of-scope OUs highlighted in the OU selector]

Sign-in (JIT) scenarios

Okta denies sign-in to all users in out-of-scope OUs, regardless of their enablement status in Active Directory.

  • When a user in an out-of-scope OU who is enabled in AD tries to sign in to Okta, Okta detects the user's AD status, preserves them as active in Okta, but denies their sign-in attempt.
  • When a user in an out-of-scope OU who is disabled in AD tries to sign in to Okta, Okta detects their AD status, deactivates them in Okta, and denies their sign-in attempt.

Import scenarios

Okta performs incremental and full imports.

  • During an incremental import, Okta doesn't detect users and groups in out-of-scope OUs, so none of these users or groups are imported.
  • Accounts imported from an in-scope OU during a full or incremental import and then later relocated to an out-of-scope OU are not deactivated during a subsequent incremental import.
  • During a full import, Okta detects users in out-of-scope OUs as missing, deactivates them (regardless of their enablement status in AD), and denies their next sign-in attempt.

How does JIT provisioning treat nested groups outside of OU and object filter scopes?

There are membership inconsistencies that can occur between “regular” imports and JIT provisioning. These membership anomalies may occur when using nested groups.

During regular imports, a child group that is outside the scope of an AD OU or LDAP object filter cannot be detected. If a parent group is within an OU/object filter scope but its child groups are not, the parent group membership is incorrectly resolved during import.

JIT provisioning would correctly resolve these memberships to the parent group because its function only detects "flat" memberships.
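To make the import-versus-JIT inconsistency concrete, the following added example (not Okta code, and not from this article) models the two resolution strategies over a constructed directory: a parent group in an in-scope OU whose only member is a child group in an out-of-scope OU. The OU names, group names and user `alice` are assumed, and the model's filtering of JIT results to in-scope groups is an assumption.

```python
# Constructed model of the nested-group inconsistency described above.
# Assumed directory layout (not from the article): a parent group in an
# in-scope OU whose only member is a child group in an out-of-scope OU.
IN_SCOPE_OUS = {"OU=Corp"}

GROUPS = {
    "CN=AppAdmins,OU=Corp": {"ou": "OU=Corp", "members": ["CN=LegacyAdmins,OU=Legacy"]},
    "CN=LegacyAdmins,OU=Legacy": {"ou": "OU=Legacy", "members": ["CN=alice,OU=Corp"]},
}
USERS = {"CN=alice,OU=Corp": {"ou": "OU=Corp"}}


def import_members(group_dn, in_scope=IN_SCOPE_OUS, seen=None):
    """Import-style resolution: walk the group's member list and recurse into
    child groups, but a child group outside the OU scope is invisible, so the
    users it contributes are never attached to the parent."""
    seen = set() if seen is None else seen
    users = set()
    for member in GROUPS[group_dn]["members"]:
        if member in USERS and USERS[member]["ou"] in in_scope:
            users.add(member)
        elif member in GROUPS and member not in seen:
            seen.add(member)
            if GROUPS[member]["ou"] in in_scope:  # out-of-scope child: not detected
                users |= import_members(member, in_scope, seen)
    return users


def jit_groups(user_dn, in_scope=IN_SCOPE_OUS):
    """JIT-style resolution: the directory hands over the user's already
    flattened group list (direct and nested), so nesting depth and the child's
    OU no longer matter. Keeping only in-scope groups is an assumption of this
    model; the article does not cover out-of-scope parent groups."""
    flat, stack = set(), [user_dn]
    while stack:
        dn = stack.pop()
        for g, data in GROUPS.items():
            if dn in data["members"] and g not in flat:
                flat.add(g)
                stack.append(g)
    return {g for g in flat if GROUPS[g]["ou"] in in_scope}


def membership_gap(user_dn, in_scope=IN_SCOPE_OUS):
    """Groups JIT would sync for the user that a scheduled import would miss."""
    return {g for g in jit_groups(user_dn, in_scope)
            if user_dn not in import_members(g, in_scope)}
```

Calling `membership_gap("CN=alice,OU=Corp")` returns the parent group, while passing a scope that also contains `OU=Legacy` returns an empty set, which is the check to run before trusting import-driven group rules for nested memberships.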
