How to set up Okta to provision AD accounts and still use delegated authentication?
https://support.okta.com/help/answers?id=906f0000000i0taia0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Phil Ibarrola

How to set up Okta to provision AD accounts and still use delegated authentication?

Hello Community,

I thought I saw a post regarding this a while back, but I cannot seem to find it anywhere.

We are directly creating Okta users via API calls, then assigning them to a group in Okta which triggers the creation of an associated AD account.  We would then want the Okta account to use AD for delegated authentication.  I believe there is some sequence of events we need to follow to get this to work correctly.

Thanks,
Phil
 
Best Answer chosen by Niki (Okta, Inc.) 
James Flores (Okta, Inc.)
Hi Phil,

It sounds like you need to add a step to assign the AD application to the users after they have been provisioned to AD. If a user is assigned an AD app then they become AD mastered and del auth against that AD (granted del auth is enabled). I would start by getting the AD app application ID, then write the API call that assigns the application. What would need to be tested is whether or not the user can be assigned the provisioning group and be AD mastered; if not, then you would need to write another API call that removes them from that provisioning group prior to assigning them the AD app. Also take into consideration what happens to the user when they are removed from the provisioning group on the AD side. You may have to have an import run to auto match/confirm the user. Sorry if this generates more questions, custom configurations and unique flows tend to generate more questions. :) Hope this helps your testing.
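
The sequence described in the answer above, as an added example that is not part of the original thread and is not Okta's own code. It uses the Okta Apps and Groups API paths with an SSWS API token; the `send` transport, the in-memory `make_fake_okta` stand-in, and all IDs are hypothetical so the flow can be exercised offline before pointing it at a test org.

```python
import json

def assign_ad_app(send, org_url, token, user_id, ad_app_id,
                  provisioning_group_id=None):
    """Run the answer's sequence and return the list of calls made.

    send(method, url, headers, body) -> (status, parsed_json) is a
    hypothetical transport supplied by the caller.
    """
    headers = {"Authorization": f"SSWS {token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    base = org_url.rstrip("/") + "/api/v1"
    calls = []

    def call(method, path, body=None):
        calls.append((method, path))
        return send(method, base + path, headers,
                    json.dumps(body) if body is not None else None)

    # Idempotency check: stop if the user already holds the AD app.
    status, _ = call("GET", f"/apps/{ad_app_id}/users/{user_id}")
    if status == 200:
        return calls
    # Optional step from the answer: leave the provisioning group first.
    if provisioning_group_id:
        status, _ = call(
            "DELETE", f"/groups/{provisioning_group_id}/users/{user_id}")
        if status != 204:
            raise RuntimeError(f"group removal failed: HTTP {status}")
    # Assign the AD app directly to the user.
    status, _ = call("POST", f"/apps/{ad_app_id}/users",
                     {"id": user_id, "scope": "USER"})
    if status != 200:
        raise RuntimeError(f"app assignment failed: HTTP {status}")
    return calls

def make_fake_okta(assigned=()):
    """Constructed in-memory stand-in for an Okta org (not real data)."""
    state = set(assigned)
    def send(method, url, headers, body):
        assert headers["Authorization"].startswith("SSWS ")
        if method == "GET":
            user = url.rsplit("/", 1)[1]
            return (200, {"id": user}) if user in state else (404, {})
        if method == "DELETE":
            return 204, None
        state.add(json.loads(body)["id"])
        return 200, {"id": json.loads(body)["id"], "scope": "USER"}
    return send
```

Leaving `provisioning_group_id` unset skips the group removal, which is the first variant the answer suggests testing.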