Authentication with multiple directories and manual LDAP user import
https://support.okta.com/help/answers?id=906f0000000hzniiac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Xilinx Admin

Hi,

We currently have AD configured and of course it is the primary. We want to configure an LDAP directory (which we use for external users) that has around 5 lakh users. Since there is a huge number of users, we don't want to do a full import or a scheduled import for the directory (we want to turn off the scheduled import completely), but rather want to manually import only a set of users/groups into Okta so we can provision applications to those users.

I also want to understand how Okta authenticates a user who happens to be in both directories.

Thanks in advance

Regards,
Surya Chirravuri
Access Management administrator
Xilinx

All Answers

Krishnan Venkatraman (Okta, Inc.)
Our LDAP agent is quite different from the AD agent today. We use Just-in-Time provisioning. Basically, at the time the user logs into Okta, we pull their profile and group membership information from the directory. We are coming up with a new Java LDAP agent, which will be available soon, where you can use OU filtering and import users accordingly.

If the user is matched with two directories and del auth is turned on. Okta authenticates the user using the higher profile master.
Xilinx Admin
Thank you Krishnan. I appreciate the quick response. I have a couple more follow-up questions:

a) I understand that user provisioning for current agent is Just in time, but how does it work for groups? And how do I pull into Okta only the groups I will need to configure my applications (and not all groups).

b) When will the new Java LDAP agent be available, tentatively (I want a tentative timeline)?

c) In case of user authentication where the user is present in multiple directories, what happens if the authentication against the higher profile master fails. Is it possible to configure in such a way that Okta attempts to authenticate to a lower profile directory if the bind with the higher profile master fails?

Regards,
Surya
Aaron Yee (Okta, Inc.)
Answers inline:

a) I understand that user provisioning for current agent is Just in time, but how does it work for groups? And how do I pull into Okta only the groups I will need to configure my applications (and not all groups).

Answer: Our agent now performs JIT and imports (EA). Both methods import users and groups. Currently, you can scope a "Group Search Base". This identifies the container from which Okta should import groups. Groups outside the container are not imported into Okta. You can also use a group object filter to further restrict groups you wish to import.

b) When will the new Java LDAP agent be available, tentatively (I want a tentative timeline)?

Answer: It's available in EA (fully supported). We plan to GA the feature within the next quarter.

c) In case of user authentication where the user is present in multiple directories, what happens if the authentication against the higher profile master fails. Is it possible to configure in such a way that Okta attempts to authenticate to a lower profile directory if the bind with the higher profile master fails?

Answer: Authentication only happens against the primary profile master (if del auth is enabled). We currently don't have plans to fall back to a lower master (for del auth) if the primary fails.
 
This was selected as the best answer
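The scoping Aaron describes in (a), a Group Search Base plus a group object filter, is what keeps a 5-lakh-user directory from being pulled wholesale into Okta, so it is worth previewing which groups a given base and filter actually select before the agent runs against the real directory. The following is an added example, not Okta's code or anything from this thread: it evaluates a subset of RFC 4515 filter syntax (AND, OR, NOT, equality, presence, and substring with `*`) against constructed sample group entries and applies subtree scoping to a search base. The DNs, attribute values, and the `preview_import` helper are all assumptions made up for the illustration; the DN parser also assumes no escaped commas in RDNs, which holds for the sample data.

```python
"""Preview which LDAP groups a search base plus object filter would select.

Added example; not Okta code.  SAMPLE_GROUPS is constructed test data, and
the filter grammar is a subset of RFC 4515 (&, |, !, equality, presence,
substring with '*').  DN handling assumes no escaped commas in RDNs.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample directory: group DN plus lower-cased attribute names.
SAMPLE_GROUPS: List[Dict] = [
    {"dn": "cn=app-vpn,ou=AppGroups,ou=External,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["app-vpn"]}},
    {"dn": "cn=app-wiki,ou=AppGroups,ou=External,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["app-wiki"]}},
    {"dn": "cn=all-external,ou=External,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["all-external"]}},
    {"dn": "cn=printers,ou=AppGroups,ou=External,dc=example,dc=com",
     "attrs": {"objectclass": ["posixGroup"], "cn": ["printers"]}},
    {"dn": "cn=app-legacy,ou=Retired,ou=External,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["app-legacy"]}},
]


def _dn_parts(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (simplified: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def in_search_base(dn: str, base: str) -> bool:
    """Subtree scope: the entry's DN must end with the base DN's RDNs."""
    entry, root = _dn_parts(dn), _dn_parts(base)
    return len(entry) >= len(root) and entry[-len(root):] == root


def _parse(f: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter starting at f[i]; return (node, next index)."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if f[i] in "&|":                      # n-ary AND / OR
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        assert f[i] == ")", f"expected ')' at offset {i}"
        return (op, kids), i + 1
    if f[i] == "!":                       # unary NOT
        node, i = _parse(f, i + 1)
        assert f[i] == ")", f"expected ')' at offset {i}"
        return ("!", [node]), i + 1
    j = f.index(")", i)                   # simple item: attr=value
    attr, _, value = f[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1


def parse_filter(f: str) -> tuple:
    """Parse a complete filter string into a small AST."""
    node, i = _parse(f, 0)
    assert i == len(f), "trailing characters after filter"
    return node


def _match(node: tuple, entry: Dict) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, value = node
    values = [str(v).lower() for v in entry["attrs"].get(attr, [])]
    if value == "*":                      # presence test
        return bool(values)
    if "*" in value:                      # substring: only '*' is a wildcard
        pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    return value.lower() in values        # equality


def preview_import(groups: List[Dict], search_base: str, object_filter: str) -> List[str]:
    """DNs that fall inside the search base AND satisfy the object filter."""
    node = parse_filter(object_filter)
    return [g["dn"] for g in groups
            if in_search_base(g["dn"], search_base) and _match(node, g)]


if __name__ == "__main__":
    base = "ou=AppGroups,ou=External,dc=example,dc=com"
    flt = "(&(objectClass=groupOfNames)(cn=app-*))"
    for dn in preview_import(SAMPLE_GROUPS, base, flt):
        print("would import:", dn)
```

Run against the sample data, the base `ou=AppGroups,ou=External,dc=example,dc=com` with filter `(&(objectClass=groupOfNames)(cn=app-*))` selects only `app-vpn` and `app-wiki`: `all-external` sits above the base, `printers` fails the objectClass test, and `app-legacy` lives in a sibling OU. Narrowing at the search-base level first and then with the filter is the cheaper order on a large directory, since the base limits what the agent has to enumerate at all. The same base-plus-filter logic generalises to any other scoped search you want to sanity-check before enabling it.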
Xilinx Admin
Thanks for the answer Aaron.

Here is another question - can we specifically say that for users A, B and C, AD is the primary directory for authentication, but for users X, Y and Z, LDAP is the primary? If yes, how do we put a filter around it?
mad-Surya Chirravuri
Hello, can you please answer the above question? We want to understand how to tell Okta to authenticate against a certain profile for a set of users - is this even possible?