Instance-level Delegated Authentication - some users AD auth-master and others okta auth-master
https://support.okta.com/help/answers?id=9060z000000jjeiqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Kurt Bestul


I want to configure Okta such that one subset of users has Okta as its authentication master while one or more other subsets will have Active Directory as their authentication master.
From a review of the documentation, it looks like I must enable 'Instance-level Delegated Authentication' to accomplish this. Put differently, it looks like if I were to enable the standard AD delegated authentication without first enabling 'Instance-level Delegated Authentication', all of my Okta users would have AD as their authentication master.

Assistance clarifying this would be very welcome. Thanks
Best Answer chosen by Dylann Fezeu (Customer First Programs)
Cristian Mondiru (Okta, Inc.)
Hello Kurt,


Thank you for reaching out to Okta Support!
Currently, the settings are applicable at the AD instance level; therefore, that subset of users would have to be sourced from a separate AD instance that will not contain users for which AD would be the authentication master. Depending on the size of the user subset, you could do a manual disconnect from AD for these users and reset the passwords. This way, the users will be Okta mastered and have Okta as an authentication master.
If you would like to discuss this integration further based on the current configuration and requirements, please do not hesitate to open a support ticket with Okta.

 
 Thank you,
 Cristian Mondiru
 Technical Support Engineer 

All Answers

Dylann Fezeu (Customer First Programs)
Hello Kurt,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

Thank you,

Dylann Fezeu
Okta Help Center Team