
VisD.22812 (Customer) asked a question.
An Okta user with an Active Directory profile source, whose identity is mapped to two AD domains using delegated authentication within Okta, encounters an issue where Okta SSPR only syncs the password to one of the domains, not both.
Is there a way for Okta SSPR to allow users to change their password and have it sync to both AD domains? Or is the only solution to switch one of the domains from delegated authentication to password sync? Or to simply have two separate identities for the user.

Hello @VisD.22812 (Customer), thank you for contacting Okta Community.
I've brought your question to the attention of our engineers. The configuration you describe should work by switching only one domain to password sync. For example, if you have domain A with delegated authentication and domain B with password sync, then when the user signs in via delegated authentication from domain A, the password is synced to domain B. It could also be useful to have password sync agents on all DCs of domain A; that way, when the user signs in via delegated authentication through domain A or changes their password using Ctrl+Alt+Del in that same domain, the password will also be synced to domain B.
Okta SSPR should also sync the password in this case.
You can read more here:
Active Directory Password Sync and Delegated Authentication
Delegated authentication with Active Directory
Enable delegated authentication for Active Directory
Regards.