
7aydp (7aydp) asked a question.
We have two AD domains with trust, and all users have an account in domain A and some users also have an account in domain B. We are currently only syncing domain A to Okta and users sign into their desktops with this domain credential. However, there are some users who will need to sign in to workstations with domain B which would "break" our current DSSO configuration since they would be trying to sign in to domainA.okta.com while logged into their PC with domainB. Of course, users can go to /login/default and enter credentials, but that's not their current workflow. Has anyone done something like this? How is it to manage and for end users to utilize?

Courtney - we've done this for 6 separate AD forests and it works great. You just need to have AD & IWA agents in each forest connected to the one Okta org. Each user logs into a W/S in their own domain. For IWA, we set up a new DNS zone and created CNAME records pointing to the true DNS host name. Contact me offline if you want to go over it in detail.
Hi Courtney,
Happy Holidays!
My name is Dragos and I'll be handling your question and also provide you with more insight on how this can be achieved.
If you don't have JIT enabled, this can be easily achieved by integrating domain 2 in Okta as well. Installing and configuring the AD Agent on the second domain will provide you with the option to import the users into Okta. With Delegated Authentication, users will not have their AD credentials passed to Okta.
Reference link:
Install and configure Okta Active Directory agent - https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-install.htm
Thank you,
Dragos Milea
Technical Support Engineer
Okta Customer Global Care
****With Delegated Authentication, users will have their AD credentials passed to Okta.