Question

Badge

Just curious, does anyone here run multiple ADs connected to Okta?
I'm looking for best practices to sync passwords from Okta to AD, and back, using the PSA with DelAuth.
The bigger issue is that this requires multiple ADs just for password sync. As this also uses a hub/spoke setup because of proprietary AD content, a proxy needs to be in between (don't ask, there is no other choice).

Does anyone know a better solution than what I've drawn up here?
[attached diagram: psa___delauth__1_.png]




9 replies

Badge

The reasoning is: users use the hub for regular stuff, but use the AD for secured governmental environments that are managed externally. So end users need to be able to control their passwords both in their Okta environment and within the AD setup, to allow for password sync across the board.

Badge

Might this help? https://support.okta.com/help/s/article/Password-Synchronization-Overview

Badge

https://help.okta.com/en/prod/Content/Topics/Directory/password-sync-main2.htm

Userlevel 2
Badge +5

So in this diagram it looks like there are two Oktas and two ADs. My suggestion was going to be to have one of the ADs be the master, since it doesn't sound like anyone's account ever originates in the second.

Userlevel 2
Badge +5

I've never tried to password sync with delegated auth, because we use JumpCloud/LDAP as our master and it just doesn't work that way, haha.

Badge

Well, the top Okta is the hub, and the bottom Okta is the spoke that is used as a proxy into the 3rd-party AD environment, where the owner of the hub has no direct access. The problem is, you can't do both DelAuth/PSA and Okta password push, as these simply can't be turned on together. By having two ADs, you could technically do this, because installing two AD agents on 2 DCs will not allow for setting up 2 configurations, as the 2 DCs would be part of the same domain and/or AD.

Badge

AD won't be the master, as it's a 3rd-party setup, but it wants/needs to be fully integrated.

Badge

This will work if one of the 2 methods is used, but that comes with limitations: 1. DelAuth/PSA allows for full AD password management, but we can't sync the password from the spoke into the AD. 2. We can have the spoke sync the password, but if passwords require changes within the AD (apps etc.), that won't be synced back up to the spoke and hub.

Userlevel 2
Badge +5

Yeah, I think it's because logically, if you're doing DelAuth then you don't need password sync (in Okta logic anyway). You might consider removing the DelAuth if you really want to write the passwords. We ultimately chose not to write the passwords, with the knowledge that if they're ever disconnected then we'll need to reset a whole bunch of passwords.
