Okta Classic Engine | Directories | Answered | 2026-03-08T09:01:14.000Z | 2025-01-21T21:27:42.000Z | 2025-02-05T00:20:48.000Z

User16370330549592969269 (Customer Support Online Experience) asked a question.

Join the discussion for Ask Me Anything on February 4, 2025: Advancements in Okta’s On-Prem Directory Integrations

Okta’s Active Directory (AD) and LDAP integrations offer a reliable solution for customers managing on-prem identities while leveraging the cloud. These integrations support agent deployment and security, authentication against on-prem directories (Delegated Authentication), sourcing identities (imports), and provisioning from Okta to AD/LDAP.


No matter where you are in your journey with AD and LDAP integrations, we’re here to help! Okta product experts will answer your questions - from the latest updates and best practices, to troubleshooting specific use cases, to understanding the roadmap and why certain product decisions were made.


Ask questions from today through Monday, February 3, 2025. Please use the ‘Answer’ button below to post your written questions.


Come back on Tuesday, February 4, 2025, from 9 a.m. to 11 a.m., to join the online session as Okta experts from product and engineering provide comprehensive, written answers to all your questions.


Want to learn more about this AMA session? Check out this blog post -> https://support.okta.com/help/s/blog/a674z00000014B4AAI/february-4-ask-me-anything-oktas-onprem-directory-integration?language=en_US


  • NeethuT.49166 (Customer)

    Okta groups & AD sync take time to sync profile changes; in some cases it fails too.

    Filtering/expressions with AD have some limitations. Are there any changes to use these functionalities more efficiently?


    Thanks in Advance

    • h0qow (h0qow)

      Hi @NeethuT.49166 (Customer)​, filtering/expressions exist at many levels within import processing, so I am unclear on exactly which stage you are referring to. But my best guess is that you are referring to the LDAP filter that admins can define on the AD -> Provisioning -> Integrations page, where admins are given the ability to build their own LDAP filter to find users/groups for an import. This feature is still under early access, so there are many improvements that are needed before we can make this generally available to all customers. What sort of filters and expressions can be used here is limited by what is supported by AD, and the limitations there lie with those filters and expressions. A prime example would be using a filter with "memberOf=CN=SomeGroup,OU=MyOU,DC=MyCompany" as part of the User filter; "memberOf" is a calculated attribute and not readily available to read on a user object at the time of import, so we cannot easily detect any changes to the user by this filter.

      While this is still under early access, this doesn't mean we can't make enhancements to it when we make it generally available, so please let us know of any shortcomings or bugs!

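The memberOf point in the reply above is a general Active Directory property, not an Okta-specific one: group membership is stored as the forward link `member` on the group object, and a user's `memberOf` is a back-link computed from it, so adding a user to a group writes the group, not the user, and the user's `uSNChanged` does not move. The following is an added example (editor's code, not from the thread or from Okta) that models that behaviour with a toy directory and shows why an incremental, change-stamp-based import combined with a `memberOf=...` user filter misses the newly added member, while either watching the group object or a write to the user itself does pick it up. It assumes an incremental import that polls for objects with `uSNChanged` above the last high-water mark, the usual AD change-tracking approach; the thread does not state that Okta's agent works exactly this way, so treat that as an assumption. All names and DNs are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DirObject:
    dn: str
    object_class: str
    attrs: dict = field(default_factory=dict)
    usn_changed: int = 0


class ToyDirectory:
    """Minimal stand-in for one domain controller's object store (constructed)."""

    def __init__(self):
        self.objects = {}
        self.usn = 1000  # highest uSNChanged handed out so far

    def _touch(self, obj):
        # Every write to an object allocates a new, higher USN for that object.
        self.usn += 1
        obj.usn_changed = self.usn

    def add(self, dn, object_class, **attrs):
        obj = DirObject(dn, object_class, dict(attrs))
        self.objects[dn] = obj
        self._touch(obj)
        return obj

    def set_attr(self, dn, name, value):
        obj = self.objects[dn]
        obj.attrs[name] = value
        self._touch(obj)  # a write to the user bumps the user's own uSNChanged

    def add_member(self, group_dn, user_dn):
        group = self.objects[group_dn]
        group.attrs.setdefault("member", set()).add(user_dn)
        self._touch(group)  # only the group object is written, not the user

    def member_of(self, user_dn):
        """Back-link: derived from group 'member' values, never stored on the user."""
        return {dn for dn, o in self.objects.items()
                if o.object_class == "group" and user_dn in o.attrs.get("member", ())}

    def search(self, pred):
        return sorted(dn for dn, o in self.objects.items() if pred(self, o))


def user_in_group(group_dn):
    # LDAP equivalent: (&(objectClass=user)(memberOf=<group_dn>))
    return lambda d, o: o.object_class == "user" and group_dn in d.member_of(o.dn)


def changed_since(mark, pred):
    # LDAP equivalent: (&(uSNChanged>=<mark+1>)<pred>)  -- the incremental part
    return lambda d, o: o.usn_changed > mark and pred(d, o)


def members_of_changed_groups(d, mark, group_dn):
    """Alternative: notice that the group object changed and re-read its members."""
    hits = set()
    for dn in d.search(lambda dd, o: o.object_class == "group"
                       and o.dn == group_dn and o.usn_changed > mark):
        hits |= d.objects[dn].attrs.get("member", set())
    return sorted(hits)


def demo():
    d = ToyDirectory()
    group = "CN=SomeGroup,OU=MyOU,DC=MyCompany"   # constructed DNs
    alice = "CN=alice,OU=MyOU,DC=MyCompany"
    bob = "CN=bob,OU=MyOU,DC=MyCompany"
    d.add(group, "group")
    d.add(alice, "user", sAMAccountName="alice")
    d.add(bob, "user", sAMAccountName="bob")
    d.add_member(group, alice)

    full = d.search(user_in_group(group))    # full import with the memberOf filter
    mark = d.usn                             # high-water mark recorded afterwards

    d.add_member(group, bob)                 # bob joins the group after the import
    missed = d.search(changed_since(mark, user_in_group(group)))   # bob's USN unchanged
    via_group = members_of_changed_groups(d, mark, group)          # group object did change

    d.set_attr(bob, "title", "Analyst")      # a write to bob himself
    after_user_write = d.search(changed_since(mark, user_in_group(group)))
    return {
        "full": full,
        "incremental_memberof": missed,
        "incremental_group_watch": via_group,
        "after_user_write": after_user_write,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same experiment can be run against a real domain by reading a user's `uSNChanged` before and after adding it to a group: the value on the user does not change, which is exactly why a change-stamp-based incremental import cannot discover the new member through a `memberOf` filter on the user and must either re-evaluate group objects or fall back to a full import.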
  • BillK.11929 (Customer)

    Are there plans for a working incremental sync for LDAP directories?

    • Hi Bill, thanks for the question. I want to understand this correctly. Are you asking if LDAP integration will support an incremental import feature? We have that available today.

      Are you facing some challenges with LDAP incremental imports and hoping we could enhance it? Please let us know on this thread.

  • KurtB.06063 (Customer)

    With the current AD/LDAP agents you can only disable an account in the on-premises directory. Are there plans to provide the ability to actually delete an account from the downstream directory? This would be helpful for deprovisioning going forward.

    • Hi @KurtB.06063 (Customer)​ , thanks for your question. You are correct. In Okta, we generally deactivate user accounts as the default action. The deletion of a user is possible as an additional next step. Today, by the time the user deletion action in Okta is triggered, we have already deactivated the user in AD, hence breaking the link for subsequent updates.

      We do not have plans at the moment to delete users in AD upon specific triggers from Okta. Automated deletion of users at scale poses significant risk and low upside. This is something we have considered in the past but decided not to invest in. 

      Hope this helps add some clarity.

  • q4ifx (q4ifx)

    I've been trying to get working with Live Ops now for 3 weeks and it's been nothing but problems. I have no understanding of what I'm doing. I've had a hybrid position before, but everything was verbally explained to me and I had a clear understanding. I'm reading and am not clear. Now, the Okta Browser Plugin is not working. I'm ultimately trying to get to the point of selecting a client opportunity, but can't seem to get to that point.

  • JoostK.85274 (Customer)

    Apex partner FuseLogic here! We've been working on Okta implementations since 2018. In many of our projects that involve an AD, the following features would greatly increase Okta's ability to implement customer requirements:


    1. Ability to do AD account attribute updates upon Okta user deactivation
    2. Ability to remove AD account group memberships upon Okta user deactivation
    3. Ability to suspend AD account when suspending Okta user
    4. Ability to delete AD account upon Okta user delete
    5. Maybe an Okta Workflows connector that allows additional actions (like the ones mentioned above) on AD accounts through the AD Agent?
    6. Push groups by rule
    7. Option to have a group push being either fully sourced by Okta (and removing any other AD group members), or partially, meaning that Okta only makes sure the Okta group members are members of the AD group, but doesn't remove any other AD group members.
    8. Periodic automatic group pushes, to remove any rogue group members that may have been added directly in AD. Or do this when performing a full AD import.


    We understand there may be 'more than meets the eye' in order to implement this, but these topics always come up, and depending on the situation, in the worst case we need to mitigate with on-prem PowerShell scripts. Happy to provide you with further details if appreciated!

10 of 23
This question is closed.