Using Sync Password
This feature pushes end users' Okta password to the end user's Active Directory object. This push occurs during initial Okta set up, Okta log on, or whenever a users' Okta password changes. Passwords will also be synced from AD to Okta.
Note: If an Okta user is pushed to Active Directory after the user has already activated their Okta account, the Active Directory user object will be in a "User must change password at next logon" state. In this scenario, the user must first log onto Okta in order for the password to be pushed from Okta to AD.
The following table details the settings and components required for Sync Password uses cases.
† In this use case, the Password Sync Agent must be installed and configured on all domain controllers in each domain in your forest, and the Okta username format must be either UPN or SAM Account Name.
‡ This option is available only in the provisioning settings of eligible SWA apps.
For more information, see the Password Synchronization Overview guide.
Active Directory environments
Sync AD passwords to provisioning-enabled apps
This feature pushes users' AD password to provisioning-enabled SWA apps during initial Okta set up and/or whenever users' AD password changes. It requires the Okta AD Password Sync Agent. The agent automatically pushes users' AD passwords from your Domain Controllers to the Okta service. Passwords are synced from your Domain Controller to Okta whenever a user's password is changed. The agent must be installed on all Domain Controllers and Delegated Authentication must be enabled on your Okta organization.
Sync Okta passwords to AD
This feature pushes users' Okta password to Active Directory during initial Okta set up and/or whenever users' Okta password changes.
Note: If you also want to push users' Okta passwords to provisioning-enabled apps, see Sync Okta passwords to AD and to provisioning-enabled apps.
Sync Okta passwords to AD and to provisioning-enabled apps
This feature pushes users' Okta password to Active Directory and provisioning-enabled apps during initial Okta set up and/or whenever users' Okta password changes.
Important: The first time end users try to access the app after the admin performs this procedure, they must do so via the chiclet on their Okta dashboard in order to complete the syncing operation. Trying to access the app in any other way in the first post-procedure instance may fail.
Expire Okta-Mastered users' password using the Okta Expire Password API
To prompt Okta-mastered users' to set a new password at next sign in, expire their password using the Okta Expire Password API.
Ensure randomly-generated passwords comply with app's password policy
Okta's generated password is 16 characters long with randomly-applied upper/lower case letters, numbers, and symbols. To ensure a successful sync between Okta and the app, the Okta randomly-generated password must comply with the app's minimum password complexity requirements.
If the Okta randomly-generated password doesn't comply with the app's minimum policy, an error displays on the Okta Tasks page (Dashboard > Tasks).
Non-Active Directory Environments
Sync Okta passwords or a random password to provisioning-enabled apps
This feature pushes users' Okta password or a random password to provisioning-enabled apps during initial Okta set up and/or whenever users' Okta password changes.
For use in non-Active Directory environments.