
TysonP.87905 (Customer) asked a question.
Good Evening!
My company is currently in an M&A situation with multiple companies. We are working toward consolidating into a single AD domain, but for the time being there are multiple.
Prior to us purchasing Universal Directory, we began by syncing users from the other domains into the "primary" domain and then assigning application access there. So essentially there are 2 identical user objects, but they are functionally independent. This works, but ultimately SSO is not working as intended.
Now, we are implementing M365 and I am running into users being prompted for login when accessing Outlook on-prem. I want to have SSO work correctly if at all possible.
My question is, how would you approach this issue?
The user is logging in on their original domain, with their original domain user, but the Okta account is profiling from the new source domain.
Thanks!

Hi @TysonP.87905 (Customer), thank you for reaching out to the Okta Community!
DSSO would not work with a different account as it's based on the device login and Kerberos authentication.
The best I can think of is leveraging IDP routing rules for your various needs.
https://help.okta.com/en-us/Content/Topics/Directory/ad-dsso-update-default-idp.htm
https://help.okta.com/en-us/Content/Topics/Security/configure-routing-rules.htm
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!