When Delegated Authentication (DelAuth) is enabled, Okta routes all authentication attempts through an Active Directory (AD) agent to a Domain Controller (DC) and does not store users' passwords. The Password Sync Agent can be used to pass password changes to downstream applications connected to Okta, but it is required only when syncing passwords to those applications.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Domain Controller (DC)
- Active Directory (AD)
- Delegated Authentication (DelAuth)
- Password Sync Agent
How does password synchronization work between Okta and Active Directory when Delegated Authentication is enabled?
The following describes how Okta handles password sync under different DelAuth configurations.
When DelAuth is enabled
- Okta does not store a password for the Okta user. All authentication attempts pass to a DC via the AD agent.
- When a DelAuth-enabled user changes their password from Okta, Okta sends the password change request to a DC via the AD agent. The DC performs the password reset and replicates the changes to other DCs.
- The Okta Password Sync Agent can pass password changes in AD to applications connected to Okta.
- While Okta does not store a password for DelAuth users, the Password Sync Agent can pass that password to other applications connected to Okta.
- The Password Sync Agent is required only when syncing passwords to downstream applications.
- The Password Sync Agent must be installed on all DCs.
- To minimize issues, select the correct Okta username format in the agent — either User Principal Name (UPN) or Security Account Manager (SAM) account name.
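Because the agent must be present on every DC, a quick inventory check is useful after deployment. The script below is an added example, not Okta tooling; it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on a domain-joined admin host, and `$ServiceName` is a placeholder you replace with the agent's actual Windows service name (look it up with `Get-Service` on a DC where the agent is already installed).

```powershell
# Added example (not Okta's own code): confirm the Password Sync Agent service
# exists and is running on every domain controller in the current domain.
# A DC without the agent will process AD password changes that never reach
# Okta-connected applications, so the gap is worth detecting proactively.
param(
    # ASSUMPTION / PLACEHOLDER: replace with the real service name of the agent.
    [string]$ServiceName = 'REPLACE_WITH_PASSWORD_SYNC_AGENT_SERVICE_NAME'
)

Import-Module ActiveDirectory

# Enumerate all DCs (the page requires the agent on all of them, RODCs included).
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -ErrorAction Stop turns "service not found" into a catchable error.
        $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; Installed = $true;  Status = [string]$svc.Status }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Installed = $false; Status = 'Missing/Unreachable' }
    }
}

$results | Format-Table -AutoSize

# Flag any DC where the agent is absent or not running.
$problem = $results | Where-Object { -not $_.Installed -or $_.Status -ne 'Running' }
if ($problem) {
    Write-Warning ("Password Sync Agent not running on: " + ($problem.DC -join ', '))
} else {
    Write-Host "Password Sync Agent running on all $($results.Count) domain controllers."
}
```

`Get-Service -ComputerName` is not available in PowerShell 7; on that version wrap the call in `Invoke-Command -ComputerName $dc.HostName { Get-Service -Name $using:ServiceName }` instead.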
When DelAuth is NOT enabled
- Okta stores user passwords in Okta and can sync them down to AD via the Sync Password setting.
- Password changes made in AD do not sync with Okta.
