
SteveB.25212 (Fidelity Life) asked a question.
Currently my organization has Active Directory set up as the primary source of truth for all user data, including passwords.
We want to set up OKTA to manage our password resets. I understand this is a supported feature; however, I am concerned about some possible problems with this implementation.
Based on what I read here https://help.okta.com/en/prod/Content/Topics/Directory/Security_Using_Sync_Password.htm the process of enabling OKTA to AD sync is incredibly easy; however, it does not answer 1 critical question.
If almost ALL of my OKTA users were originally sourced from AD and the ONLY password they have is via AD, will their password remain the same after I enable OKTA to AD sync?
For example in this scenario:
- John Smith is created in AD
- AD syncs account to OKTA
- AD syncs account to Office365 for email account creation
- John Smith logs into OKTA using his AD account password of "SuperSecretPassword1234"
- I disable delegated authentication.
- When presented with the "Disable Active Directory Authentication" pop up I select 'DON'T create Okta password.'
- I enable Password sync from OKTA to AD.
Can John Smith still log in to:
- Can John Smith still log in to OKTA in this scenario using the password "SuperSecretPassword1234"?
- Can John Smith still log in to his email using that same password?
- Can John Smith still log in to his computer with that same password?
- Can I, as the admin, still log in to OKTA using my previous AD password, or do I have to click the "Create OKTA password" option in order to stay logged in and keep access to OKTA?
Thanks in advance for any help anyone can provide.

Hi Steve,
Reading your question ("...We want to setup OKTA to manage our password resets") could lead one to think that you want AD users to reset their AD password using Okta. This can be done, and here is the document on how to accomplish that:
https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-manage-password-reset.htm
Assuming that what you want is for users to change their password in Okta and have that password pushed to AD, here are the answers:
If almost ALL of my OKTA users were originally sourced from AD and the ONLY password they have is via AD, will their password remain the same after I enabled OKTA to AD sync?
As the document mentions, you need to disable delegated authentication (DelAuth) in order for Okta to AD password sync to work. When you have DelAuth enabled, there is no Okta password, because the password used to log in to Okta is the AD password. This being said, after you enable OKTA to AD sync, the AD password will no longer allow access to Okta, and you will need to reset the Okta password for the users. The new Okta password will be pushed to AD.
To reply to some questions in your scenario:
If you have further questions please open a support case.
Thank You,
Jonathan - Okta Global Customer Care