JesseJ.06409 (Customer) asked a question.
For a given Active Directory, we can set the import schedule, and the quickest is 1 hour. Apparently some of our customers are upset that it can't be instantaneous. There isn't any way to make it shorter, or some sort of API to allow a customer to do a Import Now, is there?
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
We use cookies to provide the best website experience and to help understand marketing efforts. We may also share data with ad partners to reach potential customers across the web. To learn more, visit our Privacy Policy. Click here for Your Privacy Choices. You may also opt out of this sharing by signaling your preference via GPC, applicable only to the browser signaling the opt-out.
More information
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Select All
May Okta Community Buzz
Stay ahead of the curve with Okta for AI Agents, new Okta Learning live sessions and labs, shout-outs, and top trending topics—all aimed at enriching your Okta journey.
I'd be interested in knowing more about the use-cases your customers have for this; sometimes we can get hung up on an assumed solution rather than working backwards from the desired outcome, and setting imports to happen continuously would probably have performance impacts. For example: is it that they want to be sure users will have Okta accounts when they first sign in? If so, Just-in-Time provisioning might achieve what you want.
We provide JIT provisioning; they don't want it.
But even with JIT provisioning, they would still be unable to login until an import happens.
Something else must be configured incorrectly, then, because that's explicitly what JIT is for: creating and updating users that have not yet been imported.
Then what could I be missing? I have "JIT provisioning" turned on as well as "Enable delegated authentication to Active Directory". But there still needs to be an import so the user shows up under "Import Results".
If you look at the first link in the two I bulleted in my previous reply you'll see that:
"If delegated authentication is enabled, you do not need to import users from AD first for JIT provisioning to create Okta accounts.
"If you do not have delegated authentication enabled, you must import the AD accounts first, and they must appear on the imported users list for JIT provisioning to create Okta accounts."
So if your delegated authentication is correct, you don't need to import users first: Okta will create those accounts whenever a user signs in for the first time. It's only if you're not using delegated authentication that you must import them first to have JIT activate the users.
But I can't. Guess I'll open a case.
For several years, I had similar issues with the one-hour import schedule, and because we were using a custom login page that didn't support it, just-in-time provisioning was not an option. Last year, I finally managed to talk management into retiring the custom login page in favor of the standard tenant login page, and enabled just-in-time provisioning. It has eliminated almost every complaint I had that related to scheduled imports. Newly-created AD user accounts get imported immediately if that user attempts to sign in before the scheduled import. AD account changes, including group membership changes, are imported and applied at the user's next sign in. The only thing missing is that new AD groups don't get imported until the next scheduled import (or an on-demand import).
I don't understand. I have JIT provisioning turned on, but a user still can't login until an import happens.
The only other thing I can think of is checking the boxes to auto-confirm and auto-activate new users. We've always had those checked so I'm not exactly sure about the sequence of events, but I could see that JIT might pull in a new user from AD at login, but they might get stuck if you're not auto-confirming and auto-activating their Okta accounts.
Check your System Log for events related to just-in-time provisioning (just to see if it's actually working) - enter this query:
eventType eq "system.agent.ad.realtimesync"
At least one event of this type should occur every time an AD-mastered user signs in, which indicates that the Okta AD Agent is attempting to pull the latest account info for that user from AD.