Okta
Brief description
An overview of Okta's AD sync feature.
About the AD synchronization function
A feature that synchronizes users from on-premises AD to Okta. Synchronization can be scoped to selected OUs, and AD security groups are automatically synced to Okta groups.
Sync User Groups from AD to Okta
There are two ways to synchronize Active Directory users and groups to Okta.
- Manual user import
- User import by JIT provisioning
With manual user import, you bulk-import AD users and groups into Okta from the Okta admin console.
With JIT provisioning, a user is created in Okta and their attribute information is updated automatically when they log in to the Okta portal with an AD account.
This page also describes the scheduled import setting, for example once a day.
Manual user import
- Go to Directory > Directory Integrations and click the target AD.
- Click Import Now on the Import tab.
- Choose the import method: select Incremental Import or Full Import and click Import.
- Click OK when the number of scanned users and groups is displayed.
- Check the users to import and click Confirm Assignments.
- Check Auto-activate users after confirmation and click Confirm.
* With Auto-activate users after confirmation checked, the imported users are activated in Okta.
- Confirm that the imported users are displayed in the Assignments tab.
- Confirm that the imported users can log in.
User import by JIT provisioning
- Navigate to Directory > Directory Integrations and click the target AD.
- Select To Okta in the Provisioning tab and click Edit.
- Check Create and Update users on login to enable JIT provisioning.
- Click Save.
* To prevent users from being created by manual import, check Skip users during import under Do not import users.
- Log in to the Okta portal as an AD user.
- Confirm that the login succeeds and that the user information matches AD.
- Confirm that the new user also appears in the admin console.
Regular user import
- Go to the target AD settings screen and click Edit under To Okta on the Provisioning tab.
* Scheduled import periodically links AD user information, but only for users that were newly created from AD to Okta, whether manually or via JIT. Users can also be updated manually or at JIT login.
- In the Schedule import item, change the timing from "Never" to the desired interval and click Save.
* In the above example, "Every 6 hours" is selected.
[Supplement] Whether an activation email is sent when an AD user is activated
When you manually import a user from AD to Okta, by default an activation email is sent to that user stating that the account has been created. Whether emails are sent is set in the To Okta > Activation emails item on the Provisioning tab of the AD settings screen.
[Supplement] Matching conditions for AD users and Okta users
When manually importing users from AD to Okta, by default an AD user and an Okta user are treated as the same person if their first and last names match, even when their Username or Email differ, so an AD user may be unintentionally linked to the wrong Okta user.
It is therefore recommended to uncheck Allow partial matches under To Okta on the Provisioning tab of the AD settings screen.
With Allow partial matches unchecked, a new Okta user is created from the AD user instead of linking it to an existing Okta user.
* Example: AD side <name>@ad**.com, Okta side <name>@ad**2.com. Even though the Usernames differ, the AD and Okta users are linked because the first and last names match.
* The other user matching conditions are described here:
https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-configure-import.htm
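As an added illustration (not the page's or Okta's own code), the following Python simulates the matching described above on constructed sample users, so the effect of Allow partial matches can be checked before a manual import. The exact-match step on Username and Email before the name match, the field names, and all sample users are assumptions.

```python
# Added example, not Okta's code: simulates AD-to-Okta import matching so the
# effect of "Allow partial matches" can be seen on constructed sample data.
# Assumptions: exact matches on Username then Email are tried first; all field
# names and users below are constructed.

OKTA_USERS = [  # constructed existing Okta users
    {"login": "taro.sato@ad2.example", "email": "taro.sato@ad2.example",
     "firstName": "Taro", "lastName": "Sato"},
    {"login": "h.suzuki@ad2.example", "email": "h.suzuki@ad2.example",
     "firstName": "Hanako", "lastName": "Suzuki"},
]

AD_USERS = [  # constructed AD users being imported
    {"userPrincipalName": "taro.sato@ad.example", "mail": "taro.sato@ad.example",
     "givenName": "Taro", "sn": "Sato"},          # same name, different domain
    {"userPrincipalName": "h.suzuki@ad2.example", "mail": "h.suzuki@ad2.example",
     "givenName": "Hanako", "sn": "Suzuki"},      # exact username match
    {"userPrincipalName": "ken.ito@ad.example", "mail": "ken.ito@ad.example",
     "givenName": "Ken", "sn": "Ito"},            # no counterpart in Okta
]

def match_ad_user(ad_user, okta_users, allow_partial_matches):
    """Return ("linked", okta_user) or ("created", None) for one AD user."""
    upn = ad_user["userPrincipalName"].lower()
    mail = ad_user["mail"].lower()
    name = (ad_user["givenName"].lower(), ad_user["sn"].lower())
    for u in okta_users:  # exact match on Username or Email (assumed order)
        if u["login"].lower() == upn or u["email"].lower() == mail:
            return "linked", u
    if allow_partial_matches:  # name-only match the page warns about
        for u in okta_users:
            if (u["firstName"].lower(), u["lastName"].lower()) == name:
                return "linked", u
    return "created", None

def partial_only_links(ad_users, okta_users):
    """AD users that would be linked to an Okta user *only* because of a
    first/last-name match: the links to review before a manual import."""
    risky = []
    for ad_user in ad_users:
        with_partial, okta_user = match_ad_user(ad_user, okta_users, True)
        without_partial, _ = match_ad_user(ad_user, okta_users, False)
        if with_partial == "linked" and without_partial == "created":
            risky.append((ad_user["userPrincipalName"], okta_user["login"]))
    return risky

if __name__ == "__main__":
    for pair in partial_only_links(AD_USERS, OKTA_USERS):
        print("name-only link:", pair)
```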
Mapping AD attributes to Okta
This section describes how to map Active Directory attributes to Okta user attributes.
It first explains how to add a custom attribute in Okta, then how to map an AD attribute to the added custom attribute.
Finally, it verifies that the mapping has actually been applied.
Add Custom Attributes to Okta User Profile
- Move to the Directory > Profile Editor screen.
- Click Okta Profile to add attributes for the Okta user's profile.
- Click +Add Attribute in the Attribute item.
- Enter the following items and click Save (with string selected as the Data type).
  - Display name
  - Variable name
* Description is free text. Set the other items according to the requirements of the attribute.
- Return to the Okta Profile screen and click Custom in the Attributes item to check the added attribute.
- Confirm the contents of the added attribute; the attribute addition is complete.
* Added attributes can be edited by clicking the 🖊 icon.
Mapping AD attributes to Okta
- Go to the Directory > Profile Editor screen and click Mappings for the target AD.
- The mapping between AD and Okta is configured here. On the AD to Okta User tab, scroll down to the added attribute.
- Set the AD attribute expression for the corresponding Okta attribute and click Save Mappings.
* In the above example, "lastName + firstName" on the AD side is mapped to the added attribute "test" on the Okta side (AD side lastName: sato, firstName: taro → Okta side test: sato taro).
- A message indicating that the mapping has been saved is displayed, asking whether to update existing users. Click Apply updates now.
Mapping Validation
- Go to the Directory > People screen and click an AD-mastered user.
- Confirm that the corresponding attribute value is reflected in the Profile tab of the target user; the setting is complete.
[Supplement] How to change the profile of AD-mastered users from Okta
By default, the profile of an AD-mastered user cannot be changed from the Okta admin console. To make it editable, open Directory > Profile Editor, go to the Attributes tab of the Okta Profile, click the edit button of the target attribute, and change Master priority from "Inherit from profile master" to "Inherit from Okta".
After changing "Inherit from profile master" to "Inherit from Okta", the profile information of AD-mastered users can be changed from Okta (only the attributes changed this way become editable via the Edit button).
Delegated Authentication
By default, Active Directory-mastered users cannot reset or change their passwords, or unlock their accounts, from the Okta admin console or the Okta portal.
By adding a rule to the Active Directory password policy, these operations can also be performed from Okta, reducing administrative work on the AD side.
Add rule to AD password policy
- Go to Security > Authentication.
- Select Active Directory Policy on the Password tab and click Add Rule at the bottom.
- Enter the Rule Name, check the operations you want to allow from Okta, and click Create Rule.
  - change password
  - perform self-service password reset
  - perform self-service account unlock
- When the new rule appears in the list, the setting is complete.
- Confirm that the password of an AD-mastered user can be reset and the account unlocked from the Okta admin console, and that the user can change their password from the settings screen of the Okta portal.
Inquiries / document requests
Macnica Co., Ltd., Okta team
- TEL: 045-476-2010
- E-mail: okta@macnica.co.jp
Mon-Fri 8:45-17:30