
Naga KishoreI.14293 (Customer) asked a question.
Greetings,
I am working on a use case where there are employees and contractors. Employees are sourced from the HR application and contractors are directly created in Active Directory and pulled to Okta. So, in the profile sources, we have placed the HR application as top priority. This helps us to read attribute data from the respective sources (employee user attributes from HR and contractor user attributes from AD). In this scenario, can I still enable delegated authentication for AD and let both employees and contractors get authenticated against AD credentials? (I am skeptical as users are not sourced from AD.)

@Naga KishoreI.14293 (Customer)
Since your employees are coming from HR to Okta, if they are not consuming any of the AD services (File/Print etc.) you can avoid having to even create them in AD unless absolutely required.
Assuming that they need AD services, you can push them to AD (put them in a group which creates their account in AD via directory synchronization, after which they will show up as AD sourced). You will be able to use delegated auth against that account.
HTH
-Bala

Hi @BalaP.90849 (Okta),
Thanks for the prompt response.
I have put the HR application as top priority because we want the profile attributes to be sourced from HR and also to trigger lifecycle changes as per changes in the HR system. So, in this case, where a user has both HR and AD, the users are showing as sourced from HR. Doesn't delegated authentication work in this scenario?

Hi @Naga KishoreI.14293 (Customer)
Yes, it would work.
You can test this in your scenario with the following setup:
Import a user using a CSV feed into Okta. Set his password and activate. He will be a user sourced via CSV feed. Then push him to AD (via Group association & Directory Integration). He will become AD sourced. Change the user's password on AD to something different. You will now be able to DelAuth as that user (if DelAuth is turned on for that directory integration).
Also, one other point I want to highlight is that profile mastering can control flow to the attribute level, so you have the option to cherry-pick which ones you want from AD and which ones you want from HR.
HTH
-Bala

Hi @BalaP.90849 (Okta),
Thanks for the reply. I have implemented the aforementioned solution, and it is working fine. However, I am facing a few caveats with having AD as the top priority source is,
To cover all the above use cases, I need to keep HR as a higher priority profile source above AD so that employees will be sourced from HR (they will still get AD accounts) and contractors will be sourced directly from AD.
Question: Based on your inputs, can we imply that it is mandatory to have the user marked as (Profile sourced from Active Directory) to have DelAuth from AD?

@Naga KishoreI.14293 (Customer)
You need to make sure you don't have attribute contention/collision (between your employee and contractor).
For delegated auth, you would need the profile sourced by AD.
HTH
-Bala