How To Setup Okta And Active Directory Integration & Provisioning: Next Steps
We hope our walkthrough of Okta and Active Directory Integration & Provisioning has given you the 10,000-foot overview of what is possible with Okta-to-AD integration, and that you're able to see the unique value and potential business case within your company.
There is a broad range of integration options, processes and nitty-gritty application settings, and while the barrier to initial entry is quite low, a detailed setup can get complex quickly. As always, please feel free to reach out to me or the team if you enjoyed this article or have any questions!
Copy The Certificate Chain And Key File Into Okta
You can open the files using whatever method you prefer, but in this example I'll be using cat to view the file contents:
sudo cat /etc/letsencrypt/live/sso.hogwartsadmin.com/fullchain.pem
Partial screenshot of first certificate.
In the fullchain.pem file there will be at least two certificates, each enclosed by a Begin Certificate and End Certificate line: the server (leaf) certificate first, followed by the intermediate certificate or certificates that chain it to a trusted root. Starting with the first Begin Certificate line, copy that whole block, including the Begin and End lines, into the Certificate field on the Okta Upload Your TLS Certificate screen.
Copy the remaining certificate block or blocks, in order, and paste them into the Certificate Chain field in Okta. This is the third and final field on this screen.
Open the key file (privkey.pem in the same Let's Encrypt directory) and follow the same process, copying from Begin Private Key to End Private Key and pasting the value into the Private Key field in your Okta tenant. Treat this value as a secret: anyone who obtains it can impersonate your login domain, so clear it from your clipboard afterwards and do not leave copies in tickets or chat.
Upon completion, all fields on the screen should be populated. Press Next.
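Copying three multi-line blobs by hand is where this step usually goes wrong: a dropped line, or the wrong block pasted into the Certificate Chain field. The following Python script is an added example, not part of the original walkthrough and not Okta tooling. It splits a Let's Encrypt fullchain.pem and privkey.pem into exactly the three values the Okta screen asks for, accepts chains with more than one intermediate, and rejects any block whose DER length does not match its contents, which is what a truncated paste looks like. The PEM blocks embedded at the bottom are constructed stand-ins (minimal DER sequences, not real certificates or keys); point the functions at the real files under /etc/letsencrypt/live/ to use it.

```python
from __future__ import annotations

import base64
import re

# One PEM block: label, base64 body, matching END line. Surrounding text is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose declared length matches its size.

    X.509 certificates and PKCS#8 keys are both outer SEQUENCEs, so a block that lost
    lines in copy-paste (declared length > actual) or gained stray text fails here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def split_pem(text: str) -> list[tuple[str, str]]:
    """Return (label, block) pairs in file order; each block is re-emitted verbatim."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        if not der_length_ok(der):
            raise ValueError(f"{label} block is truncated or corrupt")
        blocks.append((label, m.group(0)))
    return blocks


def okta_fields(fullchain_pem: str, privkey_pem: str) -> dict[str, str]:
    """Map Let's Encrypt fullchain.pem + privkey.pem onto Okta's three upload fields."""
    certs = [blk for lbl, blk in split_pem(fullchain_pem) if lbl == "CERTIFICATE"]
    if len(certs) < 2:
        raise ValueError(f"expected leaf plus at least one intermediate, found {len(certs)}")
    keys = [blk for lbl, blk in split_pem(privkey_pem) if lbl.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    return {
        "Certificate": certs[0],                    # leaf: first block in fullchain.pem
        "Certificate Chain": "\n".join(certs[1:]),  # every remaining block, in order
        "Private Key": keys[0],                     # secret: never log or paste elsewhere
    }


def _pem(label: str, der: bytes) -> str:
    """Wrap raw DER as a PEM block (64-character lines, as openssl writes them)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins: minimal DER SEQUENCEs so the parser has something to chew on.
# They are NOT certificates or keys; real input comes from /etc/letsencrypt/live/<domain>/.
SAMPLE_FULLCHAIN = (_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")      # leaf
                    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")    # intermediate
                    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x03"))   # second intermediate
SAMPLE_PRIVKEY = _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x09")

if __name__ == "__main__":
    # Real use: okta_fields(open(".../fullchain.pem").read(), open(".../privkey.pem").read())
    for field, value in okta_fields(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY).items():
        print(f"== {field} ==\n{value}")
```

The DER length check is deliberately shallow: it proves the block is whole, not that it is a valid certificate or that the key matches the leaf. For that second check, compare the public key openssl prints for the certificate with the one it derives from the private key before you click Next.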
How Can I Change My Forgotten Password Question
To change your forgotten password question, log in on a computer or mobile device. Click on your username in the top menu and select the Settings menu item. Go to the Forgotten Password question section and select Edit. Choose a new question, enter your answer and click Save.
Setting Up Okta Using Bigtincan Pre
3. Fill out the form as shown below:
a. Application label: This can be anything you like, e.g. Bigtincan
Audience Restriction: https://.push.bigtincan.com/saml/metadata
4. Assign Users:
5. Hit NEXT, then click Done.
6. Next, still in Okta, click on Sign On:
7. Scroll down to where you see Identity Provider metadata:
8. Click Identity Provider Metadata and it will download a file called metadata.
9. Open the file in a text editor on your desktop and save the file as: Okta_BTC_Metadata.xml.
10. Login to app.bigtincan.com
11. Click on the gear at the bottom right of the first page, labelled Tenant Configuration
12. Click on Security:
13. Choose DNS and make sure your DNS Alias is set to: .push.bigtincan.com
14. Then click on Authentication > SAML and scroll to Metadata file and click Select File:
15. Choose the file you saved earlier: Okta_BTC_Metadata.xml.
16. Then click SAVE at the top right corner:
17. To Test, open a web browser and enter the URL: .app.bigtincan.com
18. This should take you to our enterprise login page, click Sign-In and you should be taken to your SSO login page.
19. Log in on the SSO login page and you should be taken to your BTC home tenant page.
20. Single Sign-On through SAML to Bigtincan is now set up.
Configuring Okta For A Custom Url Domain
Log in to your Okta account and, if you are in Classic UI mode, switch to the "Developer Console" by clicking the top-left dropdown list.
Go to the Customization menu, then "Domain Name", and click "Edit."
Enter the sub-domain that is used for your Okta custom domain. In the example, it is "login.mydomain.com."
Okta will generate a TXT record to be inserted into your domain's DNS for verification. After inserting the TXT record, click "Verify." It will show as "Verified."
Copy/Paste the certificate and key generated in the previous step. In this example,
- Certificate: mydomain.crt
- Certificate Chain: mydomain.ca
Make the custom domain an alias for your Okta sign-in host by creating a "CNAME" record in your domain's DNS management, pointing at the target value Okta displays.
With the custom URL domain setup complete, I can log in to the Okta account by visiting the custom domain.
Note that the "Not Secure" certificate warning is supposed to clear within 48 hours, once Okta has propagated the certificate to the custom domain, but in practice it can take longer.
Now I can customize the sign-in page to tailor it to my own brand, look and feel, etc. From the Okta menu, go to Customization and then "Signin Page."
I am also able to use the custom domain as the issuer for the Okta default or a custom authorization server, so that any clients assigned to that authorization server go through the custom domain instead of the Okta domain. Bear in mind that this changes the iss claim in the tokens that server mints, so every API or resource server that validates those tokens must be updated to expect the new issuer, or it will start rejecting them.
This ends the complete process of setting up an Okta custom domain.
Configure Secure Custom Domains On Okta
Okta is one of the major players in the identity and access management field; its access management and identity provisioning and automation features are widely used in all types of organizations. Knowing how to administer Okta is a valuable skill for system admins and security engineers alike.
This post explains how to configure a custom domain for your Okta tenant and outlines the options for obtaining the TLS certificate you need before you can configure it.
How To Register A Domain Name
Start by opening a domain name generator. Use this tool to check if your desired domain name is still available.
To find the right domain, consider branding and cost. Make sure that it is memorable and catchy and its price fits your budget.
Keep note that popular domains are often more expensive and might already be taken. Some generators provide options if your desired domain is unavailable. With Hostinger, users can choose a different TLD with the same name or an alternative.
Once you have found an available domain name, use a trustworthy registrar to buy the domain. To find the list of accredited domain name registrars, check the database of the Internet Corporation for Assigned Names and Numbers (ICANN).
If you chose Hostinger as the registrar, select your desired domain and continue. On the checkout page, there are several elements to consider. First, choose the registration period for your domain. Then, select whether you want to add domain privacy protection.
We recommend adding domain privacy protection. It keeps your personal information out of the public WHOIS records, which reduces your exposure to spam, phishing and impersonation attempts aimed at the domain owner.
After paying for your new domain, you will have access to your account. There, continue the registration process by clicking on the Setup button next to Domain registration. You will need to enter specific information to finish the process, including your name, postal address, and phone number.
Option 4 Sms Authentication
Choosing the SMS Authentication method will allow you to access myUCC without a smartphone.
After you enter your myUCC username and password, a text message with a code will be sent to your cellphone; you then enter that code into your web browser. Bear in mind that SMS is the weakest of the second-factor options, since codes can be intercepted through SIM swapping or phishing, so if you do have a smartphone, an authenticator app is the better choice.
SMS Authentication Setup Steps
- Log in to myUCC with your myUCC username and password
- Select “SMS Authentication” as your authentication method
- Enter your cellphone number and click “send code”
- Confirm your cellphone number by entering the received code in the web browser
- Celebrate! You've successfully set up SMS Authentication
Gtlds: Generic Top Level Domains
A generic top-level domain is an extension that is not tied to a country code. In general there are no specific criteria for registering under a gTLD, although some extensions are sponsored by designated agencies or organizations.
Some generic TLDs are restricted to specific types of registrants. For example, an academic institution can use .edu, and a governmental agency can use .gov. If your domain does not fall under particular categories or institutions, you will not be able to use the extension.
Determining Your Okta Subdomain And Okta Domain
You can retrieve your Okta Subdomain and Okta Domain by looking at the URL in your web browser when you're logged in to your Okta dashboard or Okta Admin dashboard.
From the Okta App Dashboard, your Subdomain is the value before the first period. Your Domain is the value after the first period and before ".com."
From the Okta Admin dashboard, your Subdomain is the value before "-admin." Your Domain is the value after "-admin." and before ".com."
Both examples above would result in the following values:
- Okta SubDomain: dev-7172737
The Okta Domain could be any of the following values, depending on the cell your org lives in: okta, oktapreview or okta-emea.
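Pulling the two values out of a URL by eye is easy to get wrong with the -admin suffix and the three base domains, and a look-alike host such as dev-7172737.okta.com.example.net must not be mistaken for an Okta org at all. The function below is an added example, not the page's or Okta's code: it parses an Okta-hosted URL into subdomain, domain and an admin flag, and returns None for anything that is not a host directly under one of the Okta base domains (a custom domain, or a phishing look-alike). The list of base domains is the one given above; extend it if your tenant lives elsewhere.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Base domains Okta operates orgs under (the "Okta Domain" values above, with .com).
OKTA_BASE_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")
ADMIN_SUFFIX = "-admin"


def parse_okta_url(url: str) -> dict | None:
    """Return {'subdomain', 'domain', 'admin'} for an Okta-hosted org URL.

    Returns None when the host is not exactly one label under an Okta base domain,
    which covers custom domains (login.mydomain.com) and look-alikes such as
    dev-1.okta.com.example.net, where a naive 'contains okta.com' check would pass."""
    if "://" not in url:
        url = "https://" + url          # accept a bare host as copied from the address bar
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    for base in OKTA_BASE_DOMAINS:
        if not host.endswith("." + base):
            continue
        label = host[: -len(base) - 1]
        if "." in label:                # e.g. "foo.dev-1.okta.com" is not an org host
            return None
        admin = label.endswith(ADMIN_SUFFIX)
        if admin:
            label = label[: -len(ADMIN_SUFFIX)]
        return {"subdomain": label, "domain": base[: -len(".com")], "admin": admin}
    return None


if __name__ == "__main__":
    for sample in ("https://dev-7172737.okta.com/app/UserHome",
                   "https://dev-7172737-admin.oktapreview.com/admin/dashboard",
                   "https://dev-7172737.okta.com.example.net/",
                   "https://login.mydomain.com/"):
        print(sample, "->", parse_okta_url(sample))
```

The suffix test is the security-relevant part: the host must end with a period followed by the full base domain, and the remaining label must contain no further period, otherwise okta.com.example.net or dev-1.okta.com.evil.test would be accepted.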
How Can I Get A Free Website Domain
Web hosting providers like Hostinger offer free domain registration with some of their hosting plans. By using this method, you will be able to create a website faster than by purchasing the domain name separately.
Another way to get a free website domain is by using a website builder or CMS to create a subdomain for your website. WordPress.com and Blogger are two examples of platforms that offer this service. With this method, users get a domain like test.wordpress.com instead of test.com.
However, free subdomains often come with minimal features and tools. A free domain bundled with a hosting service, on the other hand, gives you the same freedom as purchasing one.
Allow End Users To Change Or Reset Their Ldap Passwords
You can allow your end users to change their LDAP passwords in Okta. When a user's password expires, they are prompted to change it the next time they attempt to sign in to Okta.
End users can change their passwords from their Home page by clicking the drop down menu by their name, then Settings > Account > Change Password.
This feature requires Okta LDAP Agent version 5.3.0 or later, and it works with any LDAP distribution that correctly sets the pwdReset operational attribute to TRUE when a password has expired. Make sure to uninstall any pre-5.3.0 versions of the agent before you install version 5.3.0 or later. For agent installation instructions, see LDAP integration.
When you create or import and activate new users, they are prompted for a secondary email address on their Welcome page. After end users enter an address, they receive a confirmation email asking them to verify the change.
How Can I Change My Secondary Email Address Information
To change your secondary email address information, log in to https://login.saintleo.edu on a computer or mobile device. Click on your username in the top menu and select the Settings menu item. Go to the Personal Information section and select Edit. Enter the new secondary email address and click Save.
More often than not, companies begin a modern identity journey by expanding the capability of an existing identity store. This could be federation using ADFS, identity governance using SailPoint, or integration with a third-party directory.
Active Directory is a highly extensible and capable solution for the majority of legacy business cases and is easily the most common identity store in the industry. With the advent of cloud, however, the on-premises directory is starting to show its age, and that's why my favourite initial capability addition is to integrate Okta.
In this technical blog, I'll take you through the basics and demonstrate some Universal Directory capability.
Active Directory Attribute Mappings To Okta Properties
The following table shows how Okta properties are mapped to corresponding Active Directory attributes. Its columns are:
- Native Active Directory attribute: the name of the attribute in AD.
- Attribute assigned to the AD app by Okta: the name Okta uses for the native AD attribute when AD is set up as an app within Okta. This value appears in the app user profile.
- Native Okta attribute: the native Okta attribute name.
- Required by Okta: Okta requires certain base attributes in an Okta user profile. Yes indicates the attribute is required by Okta. See About profile types.
- Mapping Direction AD to Okta: indicates whether there is a corresponding Okta property for the AD attribute.
- Mapping Direction Okta to AD: indicates whether there is a corresponding AD attribute for the Okta property.
The system treats previously imported users as deleted if either of the following conditions is met:
- The userAccountControl attribute indicates that the user has been disabled.
- The user no longer exists in the directory.
If this occurs, the corresponding Okta user is deactivated. Users are also deactivated if they have moved outside the selected OUs; that case is applied during the next full import.
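The three deactivation rules above are easy to state and easy to get subtly wrong when you try to predict what an import will do to a given account, especially the OU scoping: an OU named Staff that sits under a different parent is not the selected OU=Staff. The code below is an added example, not the page's and not Okta's import logic, which is not public; it models the rules exactly as stated above so you can dry-run them against entries exported from AD. It decodes the ACCOUNTDISABLE bit (0x0002) of userAccountControl, matches the object's container against the selected OUs component by component (so nested OUs are in scope and same-named OUs elsewhere are not), and handles RDNs with escaped commas. The sample users and selected OUs are constructed, using the hogwartsadmin.com domain from the certificate example above.

```python
from __future__ import annotations

import re

ACCOUNTDISABLE = 0x0002   # userAccountControl bit: the AD account is disabled
NORMAL_ACCOUNT = 0x0200   # 512: the usual base value for a user object


def dn_components(dn: str) -> list[str]:
    """Split a DN on unescaped commas and normalise each RDN for comparison.

    'CN=Black\\, Sirius,OU=Staff,DC=x' keeps the escaped comma inside the CN."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]


def inside_selected_ous(dn: str, selected_ous: list[str]) -> bool:
    """True when the object's container is one of the selected OUs or nested below one.

    Matching is a component-wise suffix check, so OU=Teachers,OU=Staff,DC=... is in
    scope for OU=Staff,DC=..., while OU=Staff,OU=Leavers,DC=... is not."""
    parent = dn_components(dn)[1:]          # drop the leaf RDN (CN=...)
    for ou in selected_ous:
        suffix = dn_components(ou)
        if len(parent) >= len(suffix) and parent[-len(suffix):] == suffix:
            return True
    return False


def okta_action(ad_entry: dict | None, selected_ous: list[str]) -> tuple[str, str]:
    """Decide what a directory import does with a previously imported user.

    ad_entry is {'dn': str, 'userAccountControl': int}, or None if the object is gone.
    Returns (action, reason) where action is 'keep' or 'deactivate'."""
    if ad_entry is None:
        return "deactivate", "user no longer exists in the directory"
    if ad_entry["userAccountControl"] & ACCOUNTDISABLE:
        return "deactivate", "userAccountControl has ACCOUNTDISABLE set"
    if not inside_selected_ous(ad_entry["dn"], selected_ous):
        return "deactivate", "user is outside the selected OUs (applied on the next full import)"
    return "keep", "active and in scope"


# Constructed sample: one selected OU and a handful of AD objects in various states.
SELECTED_OUS = ["OU=Staff,DC=hogwartsadmin,DC=com"]
SAMPLE_USERS = {
    "active":   {"dn": "CN=Minerva McGonagall,OU=Teachers,OU=Staff,DC=hogwartsadmin,DC=com",
                 "userAccountControl": NORMAL_ACCOUNT},
    "escaped":  {"dn": "CN=Black\\, Sirius,OU=Staff,DC=hogwartsadmin,DC=com",
                 "userAccountControl": NORMAL_ACCOUNT},
    "disabled": {"dn": "CN=Gilderoy Lockhart,OU=Staff,DC=hogwartsadmin,DC=com",
                 "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},   # 514
    "moved":    {"dn": "CN=Dolores Umbridge,OU=Leavers,DC=hogwartsadmin,DC=com",
                 "userAccountControl": NORMAL_ACCOUNT},
    "deleted":  None,
}

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        action, reason = okta_action(entry, SELECTED_OUS)
        print(f"{name:9s} -> {action:10s} ({reason})")
```

Run it over a real export by building the dictionaries from the distinguishedName and userAccountControl attributes of each previously imported user; any entry it marks deactivate is one your next import will deactivate in Okta, so the list doubles as a pre-import review.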
Do I Need A Domain For A Website
Technically, visitors can visit your website using its IP address. However, since it consists of a string of numbers, it is hard to remember. A domain helps make a website more accessible to internet users.
A domain is also essential for branding and search engine optimization (SEO). Even though users can still reach your website without a domain name, it is a crucial part of a site.
Differences Between A Domain Name And A Url
While a domain name and a URL share some similarities, they refer to different things. A URL acts as a complete website address that can direct visitors to a specific page on a site. A domain name is just a part of it.
A URL consists of a protocol, a domain, and a path. The protocol indicates whether the connection is encrypted with TLS (https) or not (http). Keep in mind that URLs have a path only when they direct visitors to a specific page on a site.
Verify Domain Name Ownership
You will need to copy the verification value provided by Okta and add it as a TXT record for your domain.
In GoDaddy, you can do this by navigating to your domain and selecting Manage DNS. GoDaddy appends your domain automatically, so enter only the relative name, _oktaverification.subdomain (for example _oktaverification.login for login.mydomain.com).
To verify this has been configured correctly, you can use Google's Dig tool to confirm the DNS update has propagated.
Once the record can be found with Google's Dig, return to Okta and select Verify. If successful, you'll be able to continue with the setup.
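Between the TXT record here and the CNAME from the custom domain steps earlier, most failed verifications come down to three mistakes: the wrong relative name typed into the registrar panel, a mismatched or quoted TXT value, and a leftover A record on the same name as the new CNAME (a CNAME owner may hold no other records, RFC 1034 section 3.6.2, and registrars often pre-create a parking A record). The code below is an added example covering both sections, not the page's own and not Okta or GoDaddy tooling. It checks a zone, modelled as the records you would see in the DNS panel, against what Okta expects, and computes the relative record name a panel like GoDaddy's wants. The zone contents, the verification value and the CNAME target are constructed placeholders; the real target is whatever the Okta admin console shows you.

```python
from __future__ import annotations

from typing import Dict, List, Tuple

# Zone view: {(owner name, record type): [record data]}, i.e. what is configured at the
# DNS provider rather than what a resolver returns after following the CNAME.
Zone = Dict[Tuple[str, str], List[str]]


def relative_name(fqdn: str, zone_apex: str) -> str:
    """Name as a registrar panel wants it: the FQDN minus the zone apex.

    '_oktaverification.login.mydomain.com' in zone 'mydomain.com' -> '_oktaverification.login'
    and the apex itself -> '@'."""
    fqdn, apex = fqdn.rstrip(".").lower(), zone_apex.rstrip(".").lower()
    if fqdn == apex:
        return "@"
    if not fqdn.endswith("." + apex):
        raise ValueError(f"{fqdn} is not inside zone {apex}")
    return fqdn[: -len(apex) - 1]


def verify_okta_dns(custom_domain: str, expected_txt: str, cname_target: str,
                    zone: Zone) -> List[str]:
    """Return a list of problems; an empty list means the records match what Okta expects."""
    domain = custom_domain.rstrip(".").lower()
    norm = {(n.rstrip(".").lower(), t.upper()): v for (n, t), v in zone.items()}
    problems = []

    # 1. Verification TXT record lives at _oktaverification.<custom domain>.
    txt_name = f"_oktaverification.{domain}"
    txts = [v.strip('"') for v in norm.get((txt_name, "TXT"), [])]
    if expected_txt not in txts:
        problems.append(f"TXT {txt_name} missing or has the wrong value: {txts}")

    # 2. The custom domain must be a single CNAME to the target Okta displayed.
    cnames = [v.rstrip(".").lower() for v in norm.get((domain, "CNAME"), [])]
    if cnames != [cname_target.rstrip(".").lower()]:
        problems.append(f"CNAME {domain} must be exactly {cname_target}, found {cnames}")

    # 3. Nothing else may share the CNAME's owner name (RFC 1034 s3.6.2).
    for rtype in ("A", "AAAA", "MX", "TXT"):
        if norm.get((domain, rtype)):
            problems.append(f"{rtype} record on {domain} conflicts with the CNAME (RFC 1034 s3.6.2)")
    return problems


# Constructed zones. The TXT value and CNAME target are placeholders, not real values.
GOOD_ZONE: Zone = {
    ("_oktaverification.login.mydomain.com", "TXT"): ['"constructed-verification-value"'],
    ("login.mydomain.com", "CNAME"): ["example-org.customdomains.okta.com."],
}
BAD_ZONE: Zone = dict(GOOD_ZONE)
BAD_ZONE[("login.mydomain.com", "A")] = ["192.0.2.10"]   # leftover parking-page record

if __name__ == "__main__":
    print(relative_name("_oktaverification.login.mydomain.com", "mydomain.com"))
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, verify_okta_dns("login.mydomain.com", "constructed-verification-value",
                                     "example-org.customdomains.okta.com", zone) or "OK")
```

To run it against live DNS rather than the panel view, build the zone dictionary from the provider's API, or at least populate the TXT entry from a dig query; the CNAME conflict check only makes sense on the configured records, because a resolver answering an A query for a CNAME'd name will happily return the target's addresses.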
Integrating Okta With Ad: An Introduction
Before we get started, it's valuable to address the three most common questions people ask when I begin the conversation about using Okta with Active Directory:
1. Why choose a cloud directory?
The cloud directory conversation boils down to one point: less infrastructure. I'll probably need a bit of infrastructure to run the initial phase of any identity uplift, but let's be honest, infrastructure is hard work. We don't want it, and we certainly don't want to plan our transformation around working harder.
2. Why a third party directory?
The second question isn't a dig at any one provider, but providers generally operate with their own services in mind. Sure, you can plug external solutions into a proprietary solution, but the integration with the vendor's own ecosystem products is always a little bit better. A third-party directory removes this problem, as it is focused on offering businesses well-managed, easy identity and access management (IAM).
3. Why Okta?
Okta is the world's leading Identity as a Service (IDaaS) solution for both enterprise and small and midsize businesses, with considerable versatility owing to its cloud-based delivery model. For a deeper comparison of some of the Gartner market leaders in the modern identity space, head over to our comparison of Ping & Okta.