We have a situation where we have to integrate OKTA with two ADs. AD1 is the source of internal users, for which we want to have delegated authentication turned ON so that users can use their AD1 password for authentication. We also have end users who are mastered within OKTA.
We will have to provision all users (along with passwords) into AD2 so that we can do SWA-based SSO with an application that uses AD2 as its user datastore for authentication.
When we try to enable delegated authentication for AD1, it disables the Sync Password option on the AD2 configuration. When we try to enable the Sync Password option on the AD2 configuration, it throws the error "Delegated Authentication and Password Push cannot both be enabled."
Has anyone had a similar issue? Any ideas how to achieve enabling both? Any EA or Beta features which can help with this? Any workarounds?
Viswanath, I was very close to having to do about the same thing you describe here.
For me it was a need to have MFA in front of an externally facing application that used our primary AD via LDAP as a profile and authentication repository.
My 'workaround' concept was to stand up an alternative domain and have Okta provision accounts and groups into that domain that were related to the functionality of this application.
I wasn't going to rely on the built-in password sync though, so I didn't run into the problem you are describing.
I was going to have a scheduled job running in AD2 that would continually (daily) reset users' passwords in AD2. As this job was setting random passwords, it would write those credentials into the user's SWA application user credentials object in Okta (http://developer.okta.com/docs/api/resources/apps.html#application-user-credentials-object). With this I could put MFA on top of the SWA app in Okta and have a fair level of assurance that the credentials that were going to be exposed to the user would only be valid for a short period of time, limiting the opportunity for a bad actor to bypass my MFA controls.
I'm not sure what your objectives are, but perhaps something similar would work for you.
I ended up finding a more palatable solution to provide MFA to my application that only speaks delegated LDAP authentication. If you happen to have this same use case I would love to hear about it.
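The rotation job sketched in the reply above (random AD2 password, then push the same value into the user's Okta SWA app credentials), as an added example that is not code from the poster or from Okta. Assumptions, all labelled in the code: the org URL, app ID, user IDs and API token are placeholders; the AD2 reset itself is delegated to a caller-supplied function (for instance a wrapper around PowerShell's `Set-ADAccountPassword` or an LDAP password modify), so the script runs offline with a fake; and the Okta call used is the documented "update application credentials for an assigned user" endpoint, `POST /api/v1/apps/{appId}/users/{userId}` with a `credentials.password.value` body and an `SSWS` API token.

```python
"""Daily AD2 password rotation that mirrors the new value into an Okta SWA app.

Added example, not the poster's job and not Okta's code. Placeholders:
OKTA_ORG, OKTA_APP_ID, OKTA_API_TOKEN and the user records are constructed
for illustration; reset_ad_password is supplied by the caller.
"""
import json
import secrets
import string
import urllib.request

PASSWORD_LENGTH = 32  # well above any AD minimum; the value is never typed by a human

# Four character classes so the value passes AD's default complexity policy.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")


def generate_password(length=PASSWORD_LENGTH):
    """CSPRNG password containing at least one character from each class."""
    if length < len(_CLASSES):
        raise ValueError("length too short to satisfy all character classes")
    alphabet = "".join(_CLASSES)
    chars = [secrets.choice(c) for c in _CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates with secrets so the class-guaranteed characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_ad_complexity(password):
    """True when the value has a character from every class in _CLASSES."""
    return all(any(ch in cls for ch in password) for cls in _CLASSES)


def build_okta_credential_update(org_url, app_id, okta_user_id, ad_username, password):
    """URL and body for Okta's update-app-user-credentials call (assumed endpoint shape)."""
    url = f"{org_url.rstrip('/')}/api/v1/apps/{app_id}/users/{okta_user_id}"
    body = {"credentials": {"userName": ad_username, "password": {"value": password}}}
    return url, body


def okta_post_json(url, body, api_token, timeout=30):
    """Real transport: POST JSON to Okta with an SSWS API token. Not called in offline use."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def rotate_user(user, reset_ad_password, post_json, org_url, app_id):
    """Rotate one user: reset AD2 first, then push the same value to Okta.

    Ordering is deliberate: if the Okta push fails after the AD reset, the user
    sees a stale password that no longer works (fails closed) rather than a
    working password that Okta exposes for longer than one rotation window.
    The password is never logged and never returned.
    """
    password = generate_password()
    reset_ad_password(user["sam_account_name"], password)
    url, body = build_okta_credential_update(
        org_url, app_id, user["okta_user_id"], user["sam_account_name"], password
    )
    return post_json(url, body)


def rotate_all(users, reset_ad_password, post_json, org_url, app_id):
    """Rotate every user; one failure must not stop the rest of the batch."""
    results = {}
    for user in users:
        try:
            rotate_user(user, reset_ad_password, post_json, org_url, app_id)
            results[user["sam_account_name"]] = "ok"
        except Exception as exc:  # noqa: BLE001 - report and continue
            results[user["sam_account_name"]] = f"failed: {type(exc).__name__}"
    return results


if __name__ == "__main__":
    # Constructed placeholders; replace with real values and transports to run for real.
    OKTA_ORG = "https://example.okta.com"
    OKTA_APP_ID = "0oaEXAMPLEAPPID"
    OKTA_API_TOKEN = "replace-me"
    USERS = [{"sam_account_name": "jdoe", "okta_user_id": "00uEXAMPLEUSER"}]

    def reset_ad_password(sam, password):  # hypothetical: wrap Set-ADAccountPassword here
        raise NotImplementedError("wire this to AD2")

    print(rotate_all(USERS, reset_ad_password,
                     lambda u, b: okta_post_json(u, b, OKTA_API_TOKEN),
                     OKTA_ORG, OKTA_APP_ID))
```

Two caveats a practitioner would add: the job's AD2 account needs reset-password rights on that OU only, and the Okta API token should be scoped to an app-admin service account, since together they can set any mirrored user's password at will. The design also does not remove the fundamental SWA exposure (the user still receives a working AD2 password); it only bounds how long that password stays valid.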