Simple, Comprehensive, Robust

Extend Active Directory & LDAP to the Cloud


In the majority of enterprises, Microsoft’s Active Directory (AD) is the authoritative user directory that governs access to key business applications. SaaS applications were developed with their own native user directories and, because they run outside the firewall, are typically beyond the reach of Active Directory. As a result, users have to remember multiple usernames and logins, and IT has to create, manage and map user accounts in AD and across their SaaS applications. Clearly these applications must be integrated with Active Directory in order to accelerate their adoption.

Okta offers the industry’s most complete, robust and easy-to-use Active Directory single sign-on integration.

Active directory SSO set up and configuration

Simple Set Up and Configuration

Enabling Active Directory single sign-on integration is a simple, wizard-driven process. With the click of a button from the Okta administrative console, you can download the Okta Active Directory agent and install it on any Windows Server that has access to your Domain Controller. Once it is installed, you simply enter your Okta URL and credentials and the agent securely establishes a connection with your Okta instance — no network or firewall configuration required.

The rest of the configuration takes place centrally from the Okta administration console and covers setting up the AD integration account, specifying the target OUs and determining the schedule for ongoing user imports.

Learn more - Okta's Active Directory Integration Architectural Overview Whitepaper

Active directory SSO synchronization

Intelligent User Synchronization

Once the agent is installed and the initial user import takes place, Okta intelligently processes the results. Matching algorithms are applied to analyze the incoming AD users and determine whether there is a match to existing Okta users or to accounts that you have imported from other SaaS systems. Future user imports can be scheduled or performed on demand.

Active directory SSO authentication

Robust Delegated Authentication

Okta’s Active Directory single sign-on integration also allows you to delegate authentication into Okta to your on-premises AD domain. Users can easily log into Okta using their Okta username and Active Directory password.

As this feature governs user access into Okta, the architecture also supports multiple Okta AD agents running in your environment to provide higher throughput, redundancy and thus greater availability. If one of the agents stops running or loses network connectivity, the authentication requests are simply routed to the other agents.

Integrated Desktop Single Sign-On

Okta leverages Microsoft’s Integrated Windows Authentication to seamlessly authenticate to Okta those users who are already authenticated with their Windows domain. You simply download and install Okta’s IWA web application, configure the relevant IP ranges, and the setup is complete.

Both Mac and PC users can simply log into their corporate network once and access any cloud application with a single click. No additional usernames or passwords required, just like on-premises apps.

Security Group Driven Provisioning

Through the use of Active Directory security groups, Okta can automatically provision applications to users. Just add a user to AD and place them in a security group; when AD is synchronized with Okta, that user will be added, and an account in the application mapped to that security group will be automatically provisioned on their behalf.

One Click Deprovisioning

User deactivation is typically triggered from a corporate identity store such as Active Directory. With Okta’s Centralized Deprovisioning, deactivating a user in AD initiates a deprovisioning workflow immediately to ensure maximum effectiveness in preventing rogue access to Okta and other cloud applications.

Self Service Password Reset

Your users can also change their Active Directory password via Okta. When a user's AD password expires or is reset, they will automatically be prompted to change it the next time they log in to Okta. Users can also proactively change their AD password directly from the account tab on their Okta homepage, and Okta keeps all of these credentials synchronized with AD.