Okta Classic Engine > Administration | Answered | Posted 2016-07-21 (last updated 2024-04-30)
JIT Provisioning
With JIT Provisioning and Active Directory, I have seen conflicting documentation:

1. User signs in to Okta with AD credentials and an Okta account is created.
2. If you are using JIT Provisioning with Active Directory users, they must be imported first.

Which is correct? Or what am I missing? :o)

Thanks

  • j5v7c (j5v7c)

    Actually, both could be correct depending on which agent you are using. The newer agents (3.3.5 and above) and the new JIT process do not require the users to be imported.
  • Hi Dale

    #1 will work if it's configured correctly. Do you have URLs for the conflicting documents so we can update them as necessary?

    Thanks.
  • dalen.56802 (Customer)

    From https://support.okta.com/help/knowledge_detail?id=kA0F0000000AY48: "If you are using JIT provisioning with AD users, they must be imported first. After you enable JIT, import user accounts from AD. The import process defines the set of AD accounts that can be used to create Okta accounts (whether via JIT or the confirmation process). AD accounts that are not on the import list cannot be used to create Okta accounts."
  • dalen.56802 (Customer)

    The Security > Authentication > JIT Provisioning page also refers to importing users first.
  • dalen.56802 (Customer)

    Sooooo, define "configured correctly". I have enabled JIT provisioning. The AD delegation test passes with the AD account I want to provision, but logging in with that account to stateradn.oktapreview.com fails. Is there detailed documentation available for configuring this?

    Thanks
  • miqxq (miqxq)

    Glad I am not the only one that found the info on JIT for AD confusing. I must have read it five times. It's still not clear to me what turning on JIT would do for me...or more importantly any potential downside to doing so.
  • dalen.56802 (Customer)

    What I found is that an import is required to enable JIT for AD users (using AD Agent 3.3.5), as long as the NO IMPORT MATCH rule is set to "Manually match new user" and auto-activate is unchecked (I believe this setting could be either checked or unchecked). I can do an import from AD; no match is found for the imported user, and the user does NOT appear in the People list. That user can then log in to the Okta Home Page with AD credentials (UPN format). At that point the Okta user account IS provisioned (just in time... :o) ).

    Anyone from Okta care to confirm this behavior?

    Thanks!
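The procedure dalen describes above (import with the no-match rule set to manual, then a first login in UPN format creates the account) can be verified from the Okta side by reading the user record the login produced. The script below is an added example, not Okta's code and not code from anyone in this thread: it looks the login up with the documented Users API (GET /api/v1/users/{login}, SSWS token auth) and reports whether the record exists, is AD-mastered (credentials.provider.type is ACTIVE_DIRECTORY), and has reached a logged-in status. The org URL, API token, expected AD domain and the three sample records are placeholders or constructed for offline use; the status values and provider fields are those of the Okta user object.

```python
"""Check, from the Okta side, what a JIT login attempt actually produced.

Added example; not Okta's code and not from any poster in this thread.
Assumes a Classic Engine org, an SSWS API token that can read users, and the
documented Users API endpoint GET /api/v1/users/{login}. The org URL, token
and sample records below are placeholders / constructed for offline use.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Statuses in which the person has completed a login (the "just in time"
# account exists and is usable). STAGED or PROVISIONED mean an account record
# exists but nobody has completed a login with it yet.
LOGGED_IN_STATUSES = {"ACTIVE", "PASSWORD_EXPIRED", "RECOVERY", "LOCKED_OUT"}


def fetch_user(org_url: str, api_token: str, login: str) -> Optional[dict]:
    """GET /api/v1/users/{login}; returns the user object, or None on 404."""
    url = f"{org_url.rstrip('/')}/api/v1/users/{urllib.parse.quote(login, safe='')}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:  # Okta answers 404 for a login that does not exist
            return None
        raise


def assess_jit_result(user: Optional[dict], expected_domain: str) -> dict:
    """Classify a user record (or its absence) after a JIT login attempt.

    Returns {'exists', 'ad_sourced', 'logged_in', 'findings'} so the result
    can be asserted on rather than only printed.
    """
    if user is None:
        return {"exists": False, "ad_sourced": False, "logged_in": False,
                "findings": ["no Okta user with that login: JIT did not create one"]}

    findings = []
    provider = user.get("credentials", {}).get("provider", {})
    ptype, pname = provider.get("type"), provider.get("name", "")
    status = user.get("status")

    # A JIT-created AD user is mastered by AD; an OKTA provider with the same
    # login means a pre-existing Okta-mastered account answered instead.
    ad_sourced = ptype == "ACTIVE_DIRECTORY"
    if not ad_sourced:
        findings.append(f"credentials.provider.type is {ptype!r}, not ACTIVE_DIRECTORY: "
                        "this account is not AD-mastered, so it did not come from AD JIT")
    elif expected_domain and pname.lower() != expected_domain.lower():
        findings.append(f"AD provider name {pname!r} differs from expected domain {expected_domain!r}")

    logged_in = status in LOGGED_IN_STATUSES
    if not logged_in:
        findings.append(f"status is {status!r}: record exists but the user has not "
                        "completed a login yet")

    return {"exists": True, "ad_sourced": ad_sourced, "logged_in": logged_in,
            "findings": findings}


# Constructed sample records (not captured from a real org) in the shape of the
# Okta user object, covering the outcomes a practitioner would want to tell apart.
SAMPLE_JIT_USER = {       # what a successful AD JIT login should produce
    "id": "00uSAMPLE0000000001", "status": "ACTIVE",
    "profile": {"login": "jdoe@corp.example", "email": "jdoe@corp.example"},
    "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example"}},
}
SAMPLE_NOT_LOGGED_IN = {  # AD-sourced record exists, no completed login yet
    "id": "00uSAMPLE0000000002", "status": "STAGED",
    "profile": {"login": "asmith@corp.example", "email": "asmith@corp.example"},
    "credentials": {"provider": {"type": "ACTIVE_DIRECTORY", "name": "corp.example"}},
}
SAMPLE_OKTA_MASTERED = {  # Okta-mastered account with the same login: not JIT from AD
    "id": "00uSAMPLE0000000003", "status": "ACTIVE",
    "profile": {"login": "jdoe@corp.example", "email": "jdoe@corp.example"},
    "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}},
}


if __name__ == "__main__":
    # Usage: OKTA_ORG_URL=https://example.oktapreview.com OKTA_API_TOKEN=... \
    #        python jit_check.py jdoe@corp.example corp.example
    if len(sys.argv) < 3:
        sys.exit("usage: jit_check.py <upn-login> <expected-ad-domain>")
    org, token = os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"]
    result = assess_jit_result(fetch_user(org, token, sys.argv[1]), sys.argv[2])
    print(json.dumps(result, indent=2))
```

Run it once before the test login and once after: "no Okta user" before and an AD-sourced, logged-in record after is the behavior dalen describes; an OKTA-provider record means the login hit a pre-existing Okta-mastered account rather than creating one from AD.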
  • dalen.56802 (Customer)

    I do not have the dual OU selection. JIT is enabled under Security > Authentication > JIT Provisioning. What needs to be done for me to be able to see these and complete my evaluation for a client? I am using v3.3.5 of the AD Agent.
  • miqxq (miqxq)

    I had the same issue. I opened a case with support and was told they "need to activate a feature flag for the Enhanced Active Directory Integration". Once that was done, I was able to see the dual OU selection.

This question is closed.