
MichaelC.84328 (Customer) asked a question.
For a service account in an Active Directory OU that is excluded from import to Okta, how can I import or add that account to Okta and assign an app, so that the account can access the app via Okta SSO (SAML)?

For a user to be imported from AD to Okta, whether a service account or any other, it must be in an OU connected to Okta. Any OU not connected to Okta will not be scanned for users. You will need to either connect the existing OU to Okta, or move the user object for the service account in AD to an OU that is connected to Okta.
Once the user is in an OU connected to Okta, you will be able to import them into Okta and create a corresponding user account there. Once the account is in Okta, you can proceed to assign apps.
Meanwhile, on my scheduled support call with Sergiu Costea at Okta this afternoon, he indicated that, because this account in AD was restricted to log in to only given workstations, the Okta login would fail unless it came from that computer; I did that, but my testing has disproved that theory (the account can log in to the workstation but not to Okta), so I am looking for more help…
Michael Cazier
Sr. Systems Administrator
T: 925.227.7272
M: 415.361.8849
Michael.Cazier@elliemae.com
www.elliemae.com
I was all set to tell you that this couldn't possibly work, because you're telling AD to only allow the account to log on from a specific named workstation, but when you log into Okta from your browser, you're not logging into AD from your local machine, so the attempt is doomed to fail. And then I had a light bulb moment...
Add the name of your Okta AD Agent server to that account's logon restrictions. Assuming you're using delegated authentication, when you log into Okta, it is the AD agent server that talks to Active Directory to perform the authentication. Adding that name to the list won't allow the account to actually log into that server interactively, but it tells AD that it's OK to authenticate the user through that server.
I just tested this theory in our preview environment and it seems to pan out. First I restricted a test account from logging in from anywhere except my local machine, and as you also observed, the Okta login attempt failed with a "NOT_SPECIFIED" error in the system log. Next, I added the name of our AD agent server to the account's restrictions, and then I was able to log in successfully.
Going back to your original question, as Adam stated, I don't believe an account can be imported into Okta unless its parent OU is included in the import configuration settings.
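The fix described in the answer above, as an added PowerShell example that is not from the original thread: it audits an OU for accounts whose AD "Log On To" list omits the Okta AD agent host (the accounts that will fail delegated authentication) and appends the agent host to one account's list. The agent host name OKTA-AGENT01, the OU path and the account name are placeholders; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not the thread's own code): audit and repair AD "Log On To" restrictions
# so delegated authentication through the Okta AD agent succeeds.
# Assumes the Okta AD agent host's NetBIOS name is OKTA-AGENT01 (placeholder).
# userWorkstations holds comma-separated NetBIOS names, not FQDNs.
Import-Module ActiveDirectory

$AgentHost = 'OKTA-AGENT01'   # placeholder: your Okta AD agent server's NetBIOS name

# Accounts in the OU that carry a logon restriction which does not include the agent host.
# These are the accounts that can log on to a workstation but fail at Okta.
function Find-AccountsBlockingOktaAgent {
    param([Parameter(Mandatory)][string]$SearchBase, [string]$AgentName = $AgentHost)
    Get-ADUser -SearchBase $SearchBase -Filter 'userWorkstations -like "*"' `
        -Properties LogonWorkstations |
    Where-Object {
        $list = @($_.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
        $list -notcontains $AgentName
    } |
    Select-Object SamAccountName, DistinguishedName, LogonWorkstations
}

# Append the agent host to one account's list, keeping the existing restriction intact.
# Supports -WhatIf so the change can be previewed before it is written.
function Add-OktaAgentToLogonWorkstations {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$AgentName = $AgentHost)
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $list = @()
    if ($user.LogonWorkstations) {
        $list = @($user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
    }
    if ($list -contains $AgentName) { return "$SamAccountName already permits $AgentName" }
    # An empty list means "all computers"; adding the agent would only restrict the account.
    if ($list.Count -eq 0) { return "$SamAccountName has no logon restriction; nothing to do" }
    $new = ($list + $AgentName) -join ','
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set LogonWorkstations to '$new'")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $new
    }
    return "$SamAccountName now permits: $new"
}

# Usage (constructed placeholders): audit the service-account OU, then preview one fix.
Find-AccountsBlockingOktaAgent -SearchBase 'OU=Service Accounts,DC=example,DC=com' | Format-Table
Add-OktaAgentToLogonWorkstations -SamAccountName 'svc-example' -WhatIf
```

After the change, the account still cannot log on interactively to the agent server; the entry only permits AD to authenticate it through that host, as the answer describes.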