poj84 (poj84) asked a question.
Active Directory's ObjectGuid is hard matched to Okta's ExternalID. When a user is moved to a new forest they receive a new ObjectGuid and those 2 attributes no longer match. Both are immutable. How can that match be established again in large enterprise environments where uptime is crucial?
Hi Kevin - thanks for your question! This has been escalated to support who should be reaching out shortly. Thanks!
Molly,
Thank you, however I have an active ticket and we are making progress but I did want to ask if others had the same issue for which they needed a solution. Perhaps more than one way to do things...sort of thing. 🙂
Thank you for posting on our Community page.
Firstly, you can still match the users even though they don't have the same attribute ( AD-ObjectGuid and Okta's ExternalID ). The users can be matched with a rule that appears under AD settings, at the Match Settings section. The accounts can be matched by email, username or any attribute that is exactly the same on both of the accounts (Okta and AD).
Furthermore, if this is not working, you could open a new case that will be assigned to an engineer for further troubleshooting.
Thank you,
Flaviu Vrinceanu
Technical Support Engineer | Okta
Flaviu,
Thank you for your reply.
As I mentioned, I do have an open case. I am looking to share my experience for others and gather other ideas.
The matching *is* in fact done by email.
However, when the ObjectGuid of the user changes everything works fine until you change any attribute on the AD side. For example, if I change a user's description, this triggers an "exact match" issue. Of course, Okta refuses to import the change.
Thank you,
Kevin
so support had no answer for me last week(case still open)
was ok answer but with the info made a better answer
what I did was created Okta attributes for both domain
Domain-a-immutableID
domain-b-immutableid
then wrote expression that is legacy ID exist use it if not use new domain.
user.domain-a-immutableID != null ? domain-a-immutableID : user.domain-b-imutableid
(this field is at create only)
so now user get legacy domain unless it does not exist then they get new domain.
there is also a powershell to update users Immutable id in O365 so I will get to a migration point where most are in new domain... I will export ID from Okta and run a script to mass update O365 to new domain ID then remove the legacy domain mapping.
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
so support had no answer for me last week(case still open)
I found this https://support.okta.com/help/s/article/After-adding-a-second-AD-instance-provisioning-issues-for-Office-365-are-encountered
was ok answer but with the info made a better answer
what I did was created Okta attributes for both domain
Domain-a-immutableID
domain-b-immutableid
then wrote expression that is legacy ID exist use it if not use new domain.
user.domain-a-immutableID != null ? domain-a-immutableID : user.domain-b-imutableid
(this field is at create only)
so now user get legacy domain unless it does not exist then they get new domain.
there is also a powershell to update users Immutable id in O365 so I will get to a migration point where most are in new domain... I will export ID from Okta and run a script to mass update O365 to new domain ID then remove the legacy domain mapping.