
ykhvj (ykhvj) asked a question.
We have customers doing an SSO authentication into our target Okta dashboard using inbound SAML 2.0 identity providers. The Identity Provider definition performs JIT to create the user's Okta profile in our hub. That profile is matched with their user account in our Active Directory using Universal Directory. It works great.
However, we now have customers who use Okta on their side which means they must use the Org2Org application on their spoke/source organization to authenticate to our hub/target organization.
Their spoke users can authenticate into our hub Okta dashboard, but their list of applications is empty because instead of creating an AD-mastered Okta profile, our Identity Provider JIT is creating an Okta-mastered user profile for them with no association to their Active Directory user account.
This seemed to work before we purchased Universal Directory.
Any ideas on how to get an inbound SAML Identity Provider in an Okta/Okta Org2Org hub to associate with Active Directory instead of creating a clueless Okta-managed profile?

I think instead of Org2Org you can choose inbound SAML? (Create a SAML template in the spoke that connects to the hub and matches against attributes.)
This same behavior is happening even with normal inbound SAML identity providers: Identity Provider JIT does not do callbacks to our Active Directory.
It appears that Universal Directory only wants to go one way or the other, not both.
I also think JIT through an Identity Provider is bound to ONLY working with Okta-mastered user accounts EVEN IF Universal Directory, Active Directory Agents, and AD Delegation is configured in our Okta organization.
The reason we are using Org2Org is because Okta Support stated that in order to federate between 2 different Okta orgs, a regular inbound SAML Identity Provider will not even accept a connection between two Okta orgs, let alone implement JIT. #sadpanda
Correct, JIT creates Okta-mastered accounts, not AD-mastered. But I also noticed you said that before Universal Directory you were able to create AD-mastered users via JIT? Can you shed some light here?
I see how you are creating the AD users.
This is an interesting corner of Directory configuration that I don't understand.
Before I proceed, I want to make sure and understand:
All these questions are basically so I don't break something simply by adding an AD-mastered group to the Directory. This looks like a promising idea. I just want to make sure I understand it better.