
MarcD.26863 (Customer) asked a question.
Hello community!
My organization doesn't currently run any Microsoft based infrastructure. We've heavily invested in Universal Directory and it is our source of truth for users and access. Now, we're thinking about adding a desktop as a service (DaaS) system (currently looking at Amazon Workspaces) to the mix of services, and implementing Active Directory seems like a necessary step to enable users to use their Okta creds. I have been doing some preliminary research on creating an identity based solution and most of Okta's documentation talks about having AD as the source of truth, kind of assuming that I have that. I don't. I use Universal Directory as my source of truth.
Now, my question:
So that I may allow my users to log in to a hosted Windows instance using Okta credentials, can I set up an integration from Okta to Active Directory where Universal Directory is the parent?
The outcome is that I want the IT admins and Okta rules to make changes in Universal Directory. Changes made in UD would cascade down to Active Directory that I need to host for the DaaS set up.
Thanks in advance!

That is indeed possible. If you have a JML process automated in the UD, it can cascade to AD as well. Setting AD as the downstream process is a straightforward process that can allow you to sync the Okta profile and password, if you are interested in having the DaaS login be handled via AD but still keeping a single password across all systems. This is what Okta offers as to AD setup: https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-configure-provisioning.htm
Hi Marc Dantona,
You can set up an integration from Okta to Active Directory where Universal Directory is the parent, being the source of truth.
To integrate and sync users from Okta to Active Directory, ensure the following steps have been taken care of, along with the below-mentioned pre-requisites:
Pre-requisites:
1. AD service account to run the Okta AD Agent installer
2. Okta service account to run Okta AD Agent service with the listed privileges.
a) Read users, OUs, and groups
b) Authenticate users
c) Change user passwords (by supplying the current password)
d) Set user passwords (administratively, without the current password)
e) Create and update users, attributes, and memberships in AD with values pushed from Okta
Steps:
1. Integrate AD with Okta by installing the Okta AD Agent on the AD server by using the Okta Service account
2. Confirm if all the OUs created in AD have been listed in Okta
3. Manage the users and group them accordingly in Okta
4. Navigate to the Groups tab > Manage Directories > select the OU you need to sync the users to
With all these steps in the process, to allow users to log in to a hosted Windows instance using Okta credentials, kindly confirm that delegated authentication will be disabled and the "Sync Password" feature will be enabled from Okta to AD.
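A least-privilege delegation for the agent service account listed under pre-requisite 2 above, as an added example that is not from this thread or from Okta's documentation: it grants only the rights the answer lists, scoped to a single OU, using dsacls, and then verifies what the account actually holds. The domain, account name (CORP\svc-okta-agent) and OU (OU=OktaManaged,DC=corp,DC=example) are assumed placeholders; "Authenticate users" is assumed to need no ACE beyond read, since it is an LDAP bind with the user's own credentials.

```powershell
# Added example (not from the thread or Okta's docs). Assumed placeholders:
#   CORP\svc-okta-agent                  - account the Okta AD Agent service runs as
#   OU=OktaManaged,DC=corp,DC=example    - the only OU Okta may provision into
# Run as a Domain Admin on a domain-joined host with the ActiveDirectory RSAT module.
$Account  = 'CORP\svc-okta-agent'
$TargetOu = 'OU=OktaManaged,DC=corp,DC=example'

# (a) Read users, OUs and groups: generic read, inherited down the OU subtree
dsacls $TargetOu /I:T /G "${Account}:GR"

# (e) Create (and clean up) user objects anywhere under the OU
dsacls $TargetOu /I:T /G "${Account}:CCDC;user"

# (e) Update attributes on user objects and group memberships ('member' on groups) only
dsacls $TargetOu /I:S /G "${Account}:WP;;user"
dsacls $TargetOu /I:S /G "${Account}:WP;member;group"

# (d) Administrative password set: the "Reset Password" extended right on user objects
dsacls $TargetOu /I:S /G "${Account}:CA;Reset Password;user"
# (c) Change password by supplying the current one: the "Change Password" extended right
dsacls $TargetOu /I:S /G "${Account}:CA;Change Password;user"

# Verification 1: list every ACE the service account now holds on the OU
Import-Module ActiveDirectory
$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Verification 2: the agent account must never sit in a privileged group;
# the OU delegation above is all it needs to push profiles and passwords
$privileged  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$sam         = $Account.Split('\')[1]
$memberships = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$bad         = $memberships | Where-Object { $privileged -contains $_ }
if ($bad) {
    Write-Warning "Agent service account is a member of privileged group(s): $($bad -join ', ')"
} else {
    Write-Host "Agent service account holds no privileged group membership."
}
```

Keeping the delegation on one OU (rather than the domain head) means a compromise of the agent host or its service account can only affect the users Okta already manages, and the second check is worth re-running periodically so later "quick fixes" that add the account to Domain Admins are caught.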