
3jjdw (3jjdw) asked a question.
The external LDAP is connected to Okta through the LDAP Agent. I would like to know how I could deny authentication based on an LDAP attribute. Let's say I have an LDAP attribute (denyUser) and, based on a value of the attribute (150), the user should be denied access.
Now I could do this using an Okta attribute mapped to the denyUser LDAP attribute, create a rule and assign a group to that rule, and then have a sign-on policy. But the Okta attribute will have a delay based on the LDAP sync schedule. I would like it to be real time, i.e. a change in the denyUser attribute in LDAP should decide the login to Okta. Is there a way an LDAP attribute could be used/checked by Okta directly to deny login to Okta?

Hi Manoj,
You should be able to accomplish the real-time attribute update by enabling JIT in the LDAP settings within Okta. This will ultimately force a real-time update through the LDAP agent whenever the user logs into Okta, OR whenever an Okta admin accesses the user's profile in the Okta Admin console.
Feel free to reach out to Okta Support if you have any issues enabling this.
Thanks,
Brian Anderson
KCS Specialist
Okta
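The following is an added example, not code from the thread above or from Okta: a small Python model of the two approaches discussed (scheduled LDAP import versus JIT refresh at sign-in), with a group rule on the mapped denyUser attribute and a deny sign-on policy. The directory entries, the group name `denied-users` and the class names are constructed for the illustration; it shows why the mapped attribute goes stale between syncs and why a refresh at sign-in closes that window.

```python
# Added example (not from the Okta thread): a model of an LDAP directory,
# Okta's scheduled import, JIT refresh on sign-in, a group rule on the mapped
# denyUser attribute and a deny sign-on policy, runnable offline.
from dataclasses import dataclass, field

DENY_ATTR = "denyUser"       # LDAP attribute named in the question
DENY_VALUE = "150"           # value that should block sign-in
DENY_GROUP = "denied-users"  # hypothetical Okta group targeted by the sign-on policy


class LdapDirectory:
    """Stand-in for the external LDAP server behind the LDAP Agent."""

    def __init__(self, entries):
        # constructed sample data: login -> attribute map
        self.entries = {login: dict(attrs) for login, attrs in entries.items()}

    def lookup(self, login):
        return dict(self.entries[login])

    def set_attr(self, login, attr, value):
        self.entries[login][attr] = value


@dataclass
class OktaUser:
    login: str
    profile: dict = field(default_factory=dict)  # Okta profile holding the mapped attrs
    groups: set = field(default_factory=set)


class OktaTenant:
    """Model of the tenant-side pieces: import/JIT, group rule, sign-on policy."""

    def __init__(self, ldap, jit_enabled):
        self.ldap = ldap
        self.jit_enabled = jit_enabled
        self.users = {}

    def _refresh_from_ldap(self, login):
        """Copy the current LDAP attributes into the Okta profile and re-run the rule."""
        user = self.users.setdefault(login, OktaUser(login))
        user.profile = self.ldap.lookup(login)
        self._apply_group_rule(user)

    def _apply_group_rule(self, user):
        """Hypothetical group rule: denyUser == "150" -> member of DENY_GROUP."""
        if user.profile.get(DENY_ATTR) == DENY_VALUE:
            user.groups.add(DENY_GROUP)
        else:
            user.groups.discard(DENY_GROUP)

    def scheduled_import(self):
        """The periodic sync whose delay the question complains about."""
        for login in self.ldap.entries:
            self._refresh_from_ldap(login)

    def sign_in(self, login):
        """Sign-on policy: DENY for members of the deny group, ALLOW otherwise."""
        if self.jit_enabled:
            # JIT refreshes the profile at the moment of sign-in, as the answer describes
            self._refresh_from_ldap(login)
        user = self.users[login]  # user must have been imported at least once
        return "DENY" if DENY_GROUP in user.groups else "ALLOW"


def run_scenario(jit_enabled):
    """Sign in, flip denyUser in LDAP, sign in again, then sync and sign in once more."""
    ldap = LdapDirectory({"manoj": {"uid": "manoj", DENY_ATTR: "0"}})  # constructed entry
    okta = OktaTenant(ldap, jit_enabled)
    okta.scheduled_import()                          # initial import populates the profile
    decisions = [okta.sign_in("manoj")]
    ldap.set_attr("manoj", DENY_ATTR, DENY_VALUE)    # LDAP admin flags the user
    decisions.append(okta.sign_in("manoj"))          # stale profile without JIT
    okta.scheduled_import()                          # next scheduled sync
    decisions.append(okta.sign_in("manoj"))
    return decisions


if __name__ == "__main__":
    print("scheduled import only:", run_scenario(jit_enabled=False))
    print("JIT enabled:          ", run_scenario(jit_enabled=True))
```

Without JIT the second sign-in is still allowed because the Okta profile carries the value from the last import; with JIT the profile is refreshed at that sign-in and the group rule puts the user in the deny group before the sign-on policy runs. Note that, like the JIT behaviour the answer describes, the model only re-reads LDAP at a sign-in event, so a session that already exists is not re-evaluated when the LDAP attribute changes.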