How can I assign an application to all members of a specific Active Directory domain easily?
https://support.okta.com/help/answers?id=9062a000000bmfsqai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Carl Miller

How can I assign an application to all members of a specific Active Directory domain easily?

Best Answer chosen by Carl Miller
Gabriel Sroka (Okta, Inc.)
Hi Carl,
Are you familiar with Group Rules?
https://support.okta.com/help/articles/Knowledge_Article/Using-Group-Membership-Rules

AD is an "app". It has an attribute called app.namingContext which is the AD domain, e.g., "domain1.local".

You could:
Create an Okta user attribute called "domain" (https://help.okta.com/en/prev/Content/Topics/Directory/Directory_Profile_Editor.htm?cshid=Directory_Profile_Editor#Directory_Profile_Editor1)
Map app.namingContext to the Okta user "domain" attribute
Create an Okta group for each AD domain, e.g., "domain1", "domain2", etc.
Create a Group Rule for each AD domain, e.g.:
IF user.domain equals "domain1.local" THEN Assign to "domain1" group
IF user.domain equals "domain2.local" THEN Assign to "domain2" group
etc.
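The recipe in the Best Answer (custom "domain" attribute, one group per AD domain, one group rule per domain) can be scripted against the Okta Management API and, more usefully, checked offline before anything is pushed to a tenant. The script below is an added example, not Okta's code or part of the original answer. The API paths and payload shapes (Schemas, Groups, Group Rules, rule activation) are the public Okta Management API; the domain list, group names, sample users and the `OKTA_ORG_URL`/`OKTA_API_TOKEN`/`OKTA_APPLY` environment variables are assumptions constructed for the example. The namingContext to user.domain profile mapping is not automated here; do that in the Profile Editor as the answer describes, and confirm a real imported user shows the expected value before trusting the rules.

```python
"""Automate the Best Answer's recipe: a custom "domain" attribute, one Okta
group per AD domain, and one activated group rule per domain.

Added example, not Okta's own code. API paths and payload shapes follow the
public Okta Management API; domains, group names, sample users and the
environment variable names are constructed assumptions.
"""
import json
import os
import urllib.request

# Constructed: AD domain -> Okta group name (one group per domain, as in the answer).
AD_DOMAINS = {"domain1.local": "domain1", "domain2.local": "domain2"}

# Constructed sample users carrying the mapped custom attribute. carol is
# Okta-mastered and never came from AD, so she has no domain value at all;
# erin's domain has no rule. Both are the users a rollout would silently miss.
SAMPLE_USERS = [
    {"profile": {"login": "alice@domain1.local", "domain": "domain1.local"}},
    {"profile": {"login": "bob@domain2.local", "domain": "domain2.local"}},
    {"profile": {"login": "carol@example.com"}},
    {"profile": {"login": "erin@domain3.local", "domain": "domain3.local"}},
]


def custom_attribute_payload(attr="domain"):
    """Body for POST /api/v1/meta/schemas/user/default: adds a string custom
    attribute to the default Okta user profile (first step of the answer)."""
    return {"definitions": {"custom": {"id": "#custom", "type": "object", "properties": {
        attr: {"title": "AD domain", "type": "string", "required": False,
               "description": "Mapped from the AD app's namingContext",
               "permissions": [{"principal": "SELF", "action": "READ_ONLY"}]}}}}}


def rule_expression(domain, attr="domain"):
    """Okta Expression Language form of the UI condition
    'user.domain equals "domain1.local"'."""
    return f'user.{attr} == "{domain}"'


def group_rule_payload(domain, group_id, attr="domain"):
    """Body for POST /api/v1/groups/rules. A new rule is INACTIVE until
    POST /api/v1/groups/rules/{id}/lifecycle/activate is called."""
    return {
        "type": "group_rule",
        "name": f"AD domain {domain}",
        "conditions": {"expression": {"value": rule_expression(domain, attr),
                                      "type": "urn:okta:expression:1.0"}},
        "actions": {"assignUserToGroups": {"groupIds": [group_id]}},
    }


def evaluate_rules(users, domain_to_group):
    """Local stand-in for the rule engine so the logic can be checked offline:
    a user lands in the group whose domain equals profile.domain exactly.
    A missing domain value, or a domain with no rule, yields no group."""
    result = {}
    for user in users:
        profile = user["profile"]
        dom = profile.get("domain")
        result[profile["login"]] = [domain_to_group[dom]] if dom in domain_to_group else []
    return result


def unassigned_users(users, domain_to_group):
    """Logins no rule would place anywhere; review this list before rollout."""
    return sorted(login for login, groups in evaluate_rules(users, domain_to_group).items()
                  if not groups)


def okta_request(method, path, body=None):
    """Minimal Okta Management API call. Org URL and SSWS token come from the
    environment; never hard-code an admin token in a script."""
    url = os.environ["OKTA_ORG_URL"].rstrip("/") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
        "Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()  # activation returns 204 with an empty body
        return json.loads(raw) if raw else None


def provision(domain_to_group_name):
    """Create the attribute, then a group and an activated rule per domain.
    Assigning the app to each group remains a separate step."""
    okta_request("POST", "/api/v1/meta/schemas/user/default", custom_attribute_payload())
    for domain, name in domain_to_group_name.items():
        group = okta_request("POST", "/api/v1/groups",
                             {"profile": {"name": name,
                                          "description": f"Users from AD domain {domain}"}})
        rule = okta_request("POST", "/api/v1/groups/rules",
                            group_rule_payload(domain, group["id"]))
        okta_request("POST", f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate")


if __name__ == "__main__":
    print(json.dumps(evaluate_rules(SAMPLE_USERS, AD_DOMAINS), indent=2))
    print("no rule matches:", unassigned_users(SAMPLE_USERS, AD_DOMAINS))
    if os.environ.get("OKTA_APPLY") == "1":  # opt-in: only touch a tenant when asked
        provision(AD_DOMAINS)
```

Run it with no environment variables set to see the offline evaluation only; the `unassigned_users` list is the check worth doing before flipping the rules on, because a user whose mapped domain is empty or unexpected is exactly the one who ends up without the application and without any error to point at. The rules themselves match the attribute value exactly, so the mapping from namingContext is the single point the whole scheme depends on.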

All Answers

James Garvin (Okta)
You could create a group rule based on an attribute in that domain, or add an attribute in that domain, to dynamically assign users to a group. Then have the app assigned to the group.
Gabriel Sroka (Okta, Inc.)
Hi Carl,
Another option would be to import the "Domain Users" (or other) group for a specific AD domain into Okta and use that.
Carl Miller
Gabriel, I actually did that. Since I have a specific OU for my Okta groups (so it won't parse through the 1000s of groups we have), I created an AD group for the app and then nested Domain Users in that group. Thanks guys!
Paul.Bryan ADMIDaaS-BryanP
You could look at the first part of the Windows CN. This should contain the domain name for the AD.
Carl Miller
Right, I get that, but how do you take that, and automate group membership by domain using it?
Gabriel Sroka (Okta, Inc.)
[Same answer as shown under Best Answer above.]
This was selected as the best answer
Carl Miller
I'm not familiar, but it looks like I'm about to be. Thanks a ton for this, I'll let you know if I have any other questions.
Carl Miller
I see the problem, I do not appear to have group rules available in my org.  Do you know if this is a function of Universal Directory?
Carl Miller
Disregard, I was able to get support to enable group rules. Thanks again for your help, this appears like it should work pretty easily.
Carl Miller
Gabriel, this is working perfectly, thanks again.