With JIT Provisioning and Active Directory, I have seen conflicting documentation. 1. User signs in to Okta with AD credentials and an Okta account is created, and 2. If you are using JIT Provisioning with Active Directory users, they must be imported first. Which is correct? OR what am I missing? :o)
From https://support.okta.com/help/knowledge_detail?id=kA0F0000000AY48: If you are using JIT provisioning with AD users, they must be imported first. After you enable JIT, import user accounts from AD. The import process defines the set of AD accounts that can be used to create Okta accounts (whether via JIT or the confirmation process). AD accounts that are not on the import list cannot be used to create Okta accounts.
Sooooo, define "configured correctly". I have enabled JIT provisioning. The AD delegation test passes with the AD account I want to provision, but logging in with that account to stateradn.oktapreview.com fails. Is there detailed documentation available for configuring this? Thanks.
Glad I am not the only one that found the info on JIT for AD confusing. I must have read it five times. It's still not clear to me what turning on JIT would do for me...or more importantly any potential downside to doing so.
What I found is that an import is required to enable JIT for AD users (using AD Agent 3.3.5). As long as the NO IMPORT MATCH rule is set to "Manually match new user" and auto-activate is unchecked (I believe this setting could be either checked or unchecked), I can do an import from AD, and no match is found for the imported user. The user does NOT appear in the People list. That user can then log in to the Okta Home Page with AD credentials (UPN format). At that point the Okta user account IS provisioned (just in time.... :o) )
Hi Dale, under AD > Settings, do you have an option for JIT Provisioning, "Create and update users on login"? See https://support.okta.com/help/articles/Knowledge_Article/About-Okta-s-Enhanced-Active-Directory-Integration
I do not have the dual OU selection. JIT is enabled under Security > Authentication > JIT Provisioning. What needs to be done for me to be able to see these and complete my evaluation for a client? I am using v3.3.5 of the AD Agent.
I had the same issue. Opened a case with support and was told they "need to activate a feature flag for the Enhanced Active Directory Integration". Once that was done, I was able to see the dual OU selection.