
3p0fa (3p0fa) asked a question.
Hi, we have an application set up to go to an external web page and use the Okta plug-in to log in with SWA. Users access this with a link so they don't need to log on to Okta first.
The sign-on method is set to use the Okta password, which is the same as their AD password; we are using delegated authentication.
This works fine until someone changes their AD password; they are then unable to log on using SWA. It will work once they have logged on to their Okta portal, and presumably at that point their AD and Okta passwords are synced. Is there another way to sync the password automatically in the background without the user needing to log on to the portal?
Many Thanks, David

Hi David,
A couple of things are at play here. When Okta Delegated Authentication is in use, user passwords are not synced from AD to the users' Okta Profile. You can either sync passwords or use Delegated Auth, not both. When you configure a SWA app and specify that their password is the same as their Okta password (thus their AD password), this only enables a message to appear when they first launch the app via the chiclet on the Okta User Dashboard that tells the user what password to enter. It does not automatically use their AD password because Okta does not have that stored.
It sounds like you're adding a SWA app to Okta that is using its own authentication method, such as LDAP, to query against AD. So when a user enters their AD password into the credential prompt, it is storing that password. The user then changes the password and goes to this app, and SWA isn't aware that the app password (remember, using LDAP or similar) has changed.
Let me know if I make sense here and that you are using Delegated Auth and not using Password Syncing.