Okta Classic Engine | Administration | Answered
Posted 2017-02-28T16:18:00Z, last reply 2017-02-28T23:37:28Z, last modified 2024-04-15T10:42:01Z
How does Okta work when an Active Directory account is disabled?

I need to understand the mechanism for how OKTA handles an AD account once it has been disabled.

If a user had an active OKTA session, would they be logged out? Would they still be able to access accounts they had provisioned in their OKTA page?

How quickly does OKTA recognize that an AD account has been locked/disabled?


  • Hi Brian,

    If the user still has an active session, the session will remain active even when the user is deactivated in Okta. You would need to go to the user in Okta and 'Clear User Sessions'. Deactivating a user will also remove any app assignments in Okta, so all apps will be removed from their Okta page.

    When you deactivate a user in AD, that change needs to be brought into Okta through an import. Imports can either be scheduled (hourly/daily) on a regular basis or run manually. If you run the import manually, it can be run right after you disable the user in AD.
  • BrianW.56036 (Customer)

    Hi Marc

    Thanks for the reply. I heard differently and now I'm confused. Here's an excerpt from an email I've had going back and forth with a professional services consultant from OKTA; who's correct?

    Hi Brian,

    In both scenarios, the AD agent communicates to Okta using a long polling method. The AD agent establishes a connection with Okta for 30 seconds. During the 30s, AD will push any updates or receive any requests from Okta for delegated authentication.

    Scenario 1 from below: AD account is disabled by IT, user tries to log in but an Okta sync hasn't happened since the account was disabled. What is the conversation between OKTA and AD when authentication is attempted?

    Let us assume that IT has disabled the user on the AD side, but the sync has not happened with Okta. The user tries to connect to Okta with AD credentials; when the long polling from the AD agent establishes the connection with Okta, Okta will delegate the authentication to AD for that user. AD checks the user against the AD status and sends a negative status to Okta, and Okta will send a sign-in failed to the user.

    Scenario 2 from below: Same situation, IT disables the AD account. What is the conversation between OKTA and AD?

    Similar to the above scenario, the user is logged in and IT disables the AD account. The moment the account is disabled, the next connection that is established during the long polling will expire the Okta session and log the user out of Okta immediately.

    Hope this helps, please do let me know if you need more details.

    Thanks and Regards,

    Madhu Ramanujam,

    Technical Consultant, Professional Services | Okta, Inc.
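The first answer in this thread says an Okta session outlives the AD disable until an import lands and someone runs 'Clear User Sessions'. The script below is an added example, not code from the thread or from Okta: it closes that gap from the Okta side by deactivating the matching Okta user (which also drops app assignments, as the answer notes) and then clearing the user's sessions through the Okta Users API. The org URL and API token are placeholders, and the `send` transport is injectable so the logic can be exercised offline.

```python
"""Mirror an AD account disable in Okta right away instead of waiting for
the next scheduled import. Added example; ORG_URL/API_TOKEN are placeholders."""
import json
import urllib.parse
import urllib.request

ORG_URL = "https://example.okta.com"      # placeholder org URL
API_TOKEN = "00-REPLACE-WITH-API-TOKEN"   # placeholder SSWS API token


def http_send(method, url, token):
    """Real transport: one Okta API call, returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def find_user_by_login(login, send=http_send, org=ORG_URL, token=API_TOKEN):
    """Look up the Okta user an AD account maps to via its profile.login."""
    if '"' in login:
        raise ValueError("login must not contain a double quote")  # keep the filter well-formed
    flt = urllib.parse.quote(f'profile.login eq "{login}"')
    status, users = send("GET", f"{org}/api/v1/users?filter={flt}", token)
    if status != 200 or not users:
        return None
    return users[0]


def lock_out_user(login, send=http_send, org=ORG_URL, token=API_TOKEN):
    """Deactivate the user (removes app assignments) and clear their sessions,
    so an already signed-in user is logged out now, not at the next import."""
    user = find_user_by_login(login, send, org, token)
    if user is None:
        return {"found": False}
    uid = user["id"]
    result = {"found": True, "id": uid}
    if user.get("status") != "DEPROVISIONED":
        st, _ = send("POST", f"{org}/api/v1/users/{uid}/lifecycle/deactivate", token)
        result["deactivated"] = (st == 200)
    # Clearing sessions returns 204; oauthTokens=true also revokes issued OAuth tokens.
    st, _ = send("DELETE", f"{org}/api/v1/users/{uid}/sessions?oauthTokens=true", token)
    result["sessions_cleared"] = (st == 204)
    return result
```

Run it after the AD disable (or from whatever automation performs the disable) and still let the regular import run; the import keeps the directory and Okta states consistent, this only removes the window in which the session stays alive.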
This question is closed.