Okta Classic Engine · Administration · Answered · 2015-12-16T06:49:17Z · 2018-08-12T04:16:48Z · 2025-06-14T13:45:02Z
Authentication with multiple directories and manual LDAP user import

Hi,

We currently have AD configured and of course it is the primary. We want to configure an LDAP directory (which we use for external users) that has around 5 lakh users. Since there is a huge number of users, we don't want to do a full import or a scheduled import for the directory (we want to turn off the scheduled import completely), but rather want to manually import only a set of users/groups into Okta so we can provision applications to those users.

I also want to understand how Okta authenticates a user who happens to be in both directories.

Thanks in advance

Regards,

Surya Chirravuri

Access Management administrator

Xilinx


  • Our LDAP agent is quite different from the AD agent today. We use Just-in-Time provisioning. Basically, at the time of a user logging into Okta, we pull their profile and group membership information from the directory. We are coming up with a new Java LDAP agent, which will be available soon, where you can use OU filtering and import users accordingly.

    If the user is matched with two directories and del auth is turned on, Okta authenticates the user using the higher profile master.
  • 66o51 (66o51)

    Thank you Krishnan. I appreciate the quick response. I have a couple more follow-up questions:

    a) I understand that user provisioning for the current agent is Just-in-Time, but how does it work for groups? And how do I pull into Okta only the groups I will need to configure my applications (and not all groups)?

    b) When will the new Java LDAP agent be available, tentatively (I want a tentative timeline)?

    c) In the case of user authentication where the user is present in multiple directories, what happens if the authentication against the higher profile master fails? Is it possible to configure it in such a way that Okta attempts to authenticate to a lower profile directory if the bind with the higher profile master fails?

    Regards,

    Surya
  • Answers inline:

    a) I understand that user provisioning for the current agent is Just-in-Time, but how does it work for groups? And how do I pull into Okta only the groups I will need to configure my applications (and not all groups)?

    Answer: Our agent now performs JIT and imports (EA). Both methods import users and groups. Currently, you can scope a "Group Search Base". This identifies the container from which Okta should import groups. Groups outside the container are not imported into Okta. You can also use a group object filter to further restrict the groups you wish to import.

    b) When will the new Java LDAP agent be available, tentatively (I want a tentative timeline)?

    Answer: It's available in EA (fully supported). We plan to GA the feature within the next quarter.

    c) In the case of user authentication where the user is present in multiple directories, what happens if the authentication against the higher profile master fails? Is it possible to configure it in such a way that Okta attempts to authenticate to a lower profile directory if the bind with the higher profile master fails?

    Answer: Authentication only happens against the primary profile master (if del auth is enabled). We currently don't have plans to fall back to a lower master (for del auth) if the primary fails.

    Selected as Best
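The "Group Search Base" plus group object filter scoping described in answer (a) above, shown as an added illustration that is not Okta's agent code or anything posted in this thread: a small Python simulation of how a base DN and an RFC 4515-style search filter together decide which group entries an import would pull in. The directory entries, DNs and filter strings are constructed sample data, and the parser supports only AND/OR/NOT and wildcard equality (no escaped characters or other match rules).

```python
import re

# Constructed sample directory (hypothetical DNs and attributes, not from the
# thread): DN -> attribute map. Groups and people live under one external base.
SAMPLE_DIRECTORY = {
    "cn=okta-app-sales,ou=OktaGroups,ou=External,dc=example,dc=com":
        {"objectClass": ["top", "groupOfNames"], "cn": ["okta-app-sales"]},
    "cn=okta-app-hr,ou=OktaGroups,ou=External,dc=example,dc=com":
        {"objectClass": ["top", "groupOfNames"], "cn": ["okta-app-hr"]},
    "cn=legacy-all,ou=OktaGroups,ou=External,dc=example,dc=com":
        {"objectClass": ["top", "groupOfNames"], "cn": ["legacy-all"]},
    "cn=everyone,ou=Groups,ou=External,dc=example,dc=com":
        {"objectClass": ["top", "groupOfNames"], "cn": ["everyone"]},
    "uid=jdoe,ou=People,ou=External,dc=example,dc=com":
        {"objectClass": ["top", "inetOrgPerson"], "uid": ["jdoe"]},
}


def parse_filter(text):
    """Parse a subset of RFC 4515 search filters into a tuple tree.

    Supported: (&(...)(...)), (|(...)(...)), (!(...)) and attr=value
    equality with '*' wildcards. Escaped characters are not handled.
    """
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            if text[pos] != ")":
                raise ValueError("unterminated NOT filter")
            pos += 1
            return ("!", [child])
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality filters are supported")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attribute map."""
    op = tree[0]
    if op == "&":
        return all(matches(child, attrs) for child in tree[1])
    if op == "|":
        return any(matches(child, attrs) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    # Attribute names are case-insensitive in LDAP; values are compared
    # case-insensitively here, as directories usually do for cn/objectClass.
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, search_base):
    """True if dn is the search base itself or lies beneath it (subtree scope)."""
    dn, base = normalize_dn(dn), normalize_dn(search_base)
    return dn == base or dn.endswith("," + base)


def groups_to_import(directory, group_search_base, group_object_filter):
    """Return the sorted DNs an import scoped by base + filter would pull in."""
    tree = parse_filter(group_object_filter)
    return sorted(
        dn for dn, attrs in directory.items()
        if in_subtree(dn, group_search_base) and matches(tree, attrs)
    )


if __name__ == "__main__":
    base = "ou=OktaGroups,ou=External,dc=example,dc=com"
    for flt in ["(objectClass=groupOfNames)",
                "(&(objectClass=groupOfNames)(cn=okta-app-*))"]:
        print(flt)
        for dn in groups_to_import(SAMPLE_DIRECTORY, base, flt):
            print("   ", dn)
```

Running the script prints the group DNs that survive each filter under the `ou=OktaGroups` base: the plain `objectClass` filter still admits `legacy-all`, while the `cn=okta-app-*` conjunction narrows the import to the two application groups only. Widening the base to `ou=External` would also pull in `everyone`, which is the kind of unintended growth in the imported population that a tight base plus an explicit object filter prevents.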
  • 66o51 (66o51)

    Thanks for the answer Aaron.

    Here is another question: can we specifically say that for users A, B and C, AD is the primary directory for authentication, but for users X, Y and Z, LDAP is the primary? If yes, how do we put a filter around it?
  • j5v7c (j5v7c)

    Hello, can you please answer the above question? We want to understand how to tell Okta to authenticate against a certain profile for a set of users - is this even possible?
This question is closed.