CarlM.28001 (Customer) asked a question.
How can I assign an application to all members of a specific active directory domain easily?
How can I assign an application to all members of a specific active directory domain easily?
- James Garvin - Okta (Okta)You could create a group rule based off an attribute in that domain or add an attribute in that domain to dynamically assign users to a group. Then have the app assigned to the group.
- gabriel.sroka1.4374539321839353E12 (Okta, Inc.)Hi CarlAnother option would be to import the "Domain Users" (or other) group for a specific AD domain into Okta and use that.
- CarlM.28001 (Customer)Gabrial, I actually did that, since I have a specific OU for my OKTA groups (so it won't parse through the 1000's of groups we have), I created an AD for the app and then nested domain users in that group. Thanks guys!
- j5v7c (j5v7c)You could look at the first part of the Windows CN. This should contain the Domain name for the AD
- CarlM.28001 (Customer)Right, I get that, but how do you take that, and automate group membership by domain using it?
- gabriel.sroka1.4374539321839353E12 (Okta, Inc.)Hi CarlAre you familiar with Group Rules?https://support.okta.com/help/articles/Knowledge_Article/Using-Group-Membership-Rules AD is an "app". It has an attribute called app.namingContext which is the AD domain, eg, "domain1.local". You could:Create an Okta user attribute called "domain" (https://help.okta.com/en/prev/Content/Topics/Directory/Directory_Profile_Editor.htm?cshid=Directory_Profile_Editor#Directory_Profile_Editor1)Map app.namingContext to Okta user "domain" attributeCreate an Okta group for each AD domain, eg "domain1", "domain2", etc.Create a Group Rule for each AD domain, eg:
- IF user.domain equals "domain1.local" THEN Assign to "domain1" group
- IF user.domain equals "domain2.local" THEN Assign to "domain2" group
Expand Post - CarlM.28001 (Customer)I'm not familiar, but it looks like I"m about to be. Thanks a ton for this, I'll let you know if I have any other questions.
- CarlM.28001 (Customer)I see the problem, I do not appear to have group rules available in my org. Do you know if this is a function of Universal Directory?
- CarlM.28001 (Customer)disregard, I was able to get support to enable group rules, thanks again for your help, this appears like it shoudl work pretty easily.
This question is closed.
- IF user.domain equals "domain2.local" THEN Assign to "domain2" group