
JavierN.04894 (Customer) asked a question.
Hello.
We are trying to implement the following workflow:
- Users are created on AD. AD is configured to use delegated authentication.
- When activating users, we want them to set their initial password
However, what happens now is that users are told in the e-mail that they are expected to know their 'Windows password'.
Is there any way to do this without users having to know a password beforehand? The closest thing I have achieved is to activate the users without sending an e-mail, and then reset their passwords. They receive a reset-password e-mail, and by clicking on the link they can complete their profile and set their first password.
I'm OK to use API if needed!

Hi Javier,
You can do this with the help of APIs. I am assuming that Okta is doing the provisioning into AD. Create the users with the status Activated. With the help of the Okta set-temp-password API, set a temporary password for each user. The API will return the temp password and set the status to Password Expired for those users, so they can log in with this initial password and Okta will ask them to change the temp password on first login.
You need to do it in a loop from the Java code. I hope it helps.
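The two approaches discussed in this thread, written as an added Python example (not code from either poster): Sandeep's expire-password-with-temp-password call, and the activate-silently-then-reset workaround. The org URL, API token and user IDs are placeholders, and the `send` hook is only there so the calls can be exercised offline with a fake transport.

```python
import json
import urllib.request

# Placeholders: substitute your own Okta org URL and an admin API token.
OKTA_ORG = "https://example.okta.com"
API_TOKEN = "REPLACE_WITH_API_TOKEN"


def okta_post(path, send=None):
    """POST to an Okta Users lifecycle endpoint and return the parsed JSON body.
    `send` can be swapped for a fake transport in tests; by default it performs a real HTTPS call."""
    req = urllib.request.Request(
        f"{OKTA_ORG}{path}",
        method="POST",
        headers={
            "Authorization": f"SSWS {API_TOKEN}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    if send is None:
        send = lambda r: json.load(urllib.request.urlopen(r))
    return send(req)


def set_temp_password(user_id, send=None):
    """Sandeep's approach: expire the user's password and let Okta generate a one-time
    temporary password. The user lands in PASSWORD_EXPIRED and must change it on first login.
    The temp password is only ever returned here, so the caller now owns a secret that has to
    be delivered to the user out of band and must not be logged."""
    body = okta_post(f"/api/v1/users/{user_id}/lifecycle/expire_password?tempPassword=true", send)
    return body["tempPassword"]


def provision_temp_passwords(user_ids, send=None):
    """The loop Sandeep describes: one temp password per AD-sourced user, keyed by user ID."""
    return {uid: set_temp_password(uid, send) for uid in user_ids}


def activate_then_reset(user_id, send=None):
    """Javier's workaround: activate without e-mail, then trigger the reset-password e-mail.
    The user picks their first password through Okta's link, so no secret passes through this
    code. Returns the lifecycle paths called, in order, for auditing."""
    paths = [
        f"/api/v1/users/{user_id}/lifecycle/activate?sendEmail=false",
        f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=true",
    ]
    for path in paths:
        okta_post(path, send)
    return paths
```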
Thank you, Sandeep.
But that means I have to provide the users with the temp password by other means, like sending a custom e-mail or some other process.
When users are created directly in Okta, that is not the case. The activation mail lets users set their initial password from the start.
Is there a way to replicate this behavior for users coming from AD sync?
I am having a very similar scenario and have drafted the following steps to resolve:
This kinda helps but gets complicated.