The Okta Active Directory (AD) agent enables you to integrate Okta with your on-premise Active Directory (AD). AD integration provides delegated authentication support, user provisioning and de-provisioning. To enable AD integration, you must install the Okta AD agent, and import AD users and groups into Okta.
Many enterprises today are looking to implement a single-sign on (SSO) solution that enables their users to easily access all of their cloud and web applications. A key requirement of these solutions is Active Directory integration, which makes it possible to connect cloud applications back to a single source of truth, Active Directory.
Microsoft recommends Active Directory Federation Services (AD FS) to integrate Active Directory for cloud applications. While AD FS is “free,” there are a number of hidden costs associated with it, including hardware purchase, setup, and ongoing maintenance.
“The cloud provisioning model that Okta is built on is very attractive because our business is becoming ecosystem-based, not just enterprise-based.”
– Mike Towers, CISO, Allergan
It’s time to rethink AD FS
If one were to think about what comprises a complete identity and mobility management solution, it would include automated provisioning, lifecycle management, mobile app management, and reporting from a single management interface. It would also be vendor-neutral, easy to set up, and support any cloud application.
AD FS doesn't fit the bill. It meets none of the above requirements. In its most basic configuration, AD FS requires manual integration with Active Directory, using three types of servers: the Federation Service, the Federation Service Proxy, and the Web Server Agent. That becomes six servers when configured for high availability. Add more domains and the scalability problem becomes evident. AD FS has seen its day.
Okta believes in reducing on-premises server management as much as possible. Its 100% cloud-based platform can eliminate dependence AD FS servers. Okta can also help customers avoid using Azure AD Connect (DirSync) to synchronize Active Directory to Azure AD. And they don’t have to use Microsoft Identity Manager (MIM) for provisioning. Using Okta for AD integration can save a business $50K – $100K or more, and shave 14–20 months off of deployment time.
Okta simplifies and accelerates Microsoft deployments
Simplify and accelerate Microsoft deployments
Organizations can achieve simple and fast Microsoft deployments using Okta’s turnkey, vendor-neutral identity solution. Here are some of the ways Okta can solve business challenges around AD integration.
Easy and powerful identity federation from Active Directory
Okta integrates with Active Directory using lightweight agents that run on any Windows machine with read access to the domain controller, and require no changes to firewall settings. Okta supports delegated authentication, provisioning and deprovisioning, directory sync, and AD password management. Whenever a change occurs in either direction between Active Directory or Okta, those changes are synchronized incrementally. An administrator can deactivate a user in Okta Universal Directory, and the user’s record in Active Directory will also be deactivated instantly.
Efficient domain consolidation
When mergers and acquisitions bring different companies and their resources together, consolidating domains, tools, and approaches to security can be a challenge. A modern, cloud-based approach can speed up and simplify this process. Existing users and groups from AD and LDAP can be imported into Okta, where the attributes can be transformed, manipulated, and logic applied to ensure data is clean and reconciled during the process.
Organizations can use Okta to connect an unlimited number of directories, consolidate users and groups from untrusted forests, and synchronize them all to a central Active Directory. Okta will manage these directories from a central admin console. Then once the user is authenticated to the AD domain, Okta will authenticate them into the cloud and to the applications they need.
No credentials stored in the cloud, no out-of-sync passwords
When Okta is configured for delegated authentication to Active Directory, no AD credentials are stored in the cloud, and passwords never get out of sync. Unlike Windows Azure Active Directory and on-premises Azure AD Connect (DirSync), Okta maintains continuous connectivity with AD with its on-premises agents. When an AD user logs in, Okta agents check the password stored in AD in real-time.
Easy password reset
It doesn’t matter whether the user’s account is mastered in Active Directory or in the Okta Universal Directory. If a user changes their password via their Windows PC or an on-premises password management tool, Okta instantly uses that new password. Users can also change or reset their password through the Okta portal.
Start with Active Directory, go everywhere
Okta enables Active Directory identities to reach more than 6,000 pre-integrated applications, infrastructure and devices through the Okta Integration Network.
Okta's cloud-based identity and access management service acts as a single integration point that provides a highly available solution for all cloud and web-based applications.
- OIDC OpenID Connect is an extension to the OAuth standard that provides for exchanging Authentication data between an identity provider (IdP) and a service provider (SP) and does not require credentials to be passed from the Identity Provider to the application.
- SAML Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) that does not require credentials to be passed to the service provider.
- SWA Secure Web Authentication is a Single Sign On (SSO) system developed by Okta to provide SSO for apps that don't support proprietary federated sign-on methods, SAML or OIDC.
- Create Creates or links a user in the application when assigning the app to a user in Okta.
- Update Okta updates a user's attributes in the app when the app is assigned. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in the app.
- Deactivate Deactivates a user's account in the app when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.
- Sync Password Push either the users Okta password or a randomly generated password to the app. This feature is not required for all federated applications as user authentication takes place in Okta, however some apps still require a password.
- Group Push Push existing Okta groups and their memberships to the application. Groups can then be managed in Okta and changes are reflected in the application.
- Group Linking Link Okta groups to existing groups in the application. Simplifies onboarding an app for Okta provisioning where the app already has groups configured.
- Schema Discovery Import the user attribute schema from the application and reflect it in the Okta app user profile. Allows Okta to use custom attributes you have configured in the application that were not included in the basic app schema.
- Attribute Mastering The application can be defined as the source of truth for a full user profile or as the source of truth for specific attributes on a user profile.
- Attribute Writeback When the application is used as a profile master it is possible to define specific attributes to be sourced from another location and written back to the app. For example the user profile may come from Active Directory with phone number sourced from another app and written back to Active Directory.