Syncing Okta and Active Directory

Last updated: October 8, 2024

Background

If you use Active Directory (AD) as your source of truth for identities and groups, but you sync AD users and group memberships to Okta so employees can access apps from their Okta dashboard, you may be wondering how the AppStore will keep Okta in sync with AD. See 📄 What is the AppStore?

You can configure syncs between Okta and AD so that group memberships stay identical on both sides, and this article walks you through the steps to enable them.

Syncing Okta with AD

Let’s say we want to configure Okta so that, when users are assigned to an app group for Pitch in Okta, they're also assigned to a corresponding AD group for Pitch.

1. Create a Group assignment

Go to the Okta page for the app you want to configure.

If you don’t already have a group assignment created, create one by choosing Assign > Assign to Groups. Select the group you would like to provision access for. If you don’t already have a group, create one called “pitch-basic-access”.


2. Push this Group to Active Directory

To keep this group in sync with AD, go to Directory > Directory Integrations > Active Directory > Push Groups in Okta.

Add your new group “pitch-basic-access” as a push group and select the Organizational Unit (OU) in AD that the group should be created in.

Here's an example of how this flow would work with Pitch:

[Screenshot: Push Groups configuration for Pitch]
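Once a group is pushed, it is worth checking that the AD group's membership really does match the Okta group, especially for anyone who appears in AD without an Okta assignment (access granted directly in AD, outside the approval path). The script below is an added example, not Lumos or Okta code. It assumes the Okta login of AD-sourced users is their AD userPrincipalName (the Okta AD agent's default username format), that the AD side was exported with the PowerShell command shown in the docstring, and that OKTA_ORG and an SSWS API token in OKTA_TOKEN are set for the live Okta call; the parsing and comparison functions also run offline on the constructed sample data embedded in the script.

```python
"""Membership drift check between an Okta group and the AD group it is pushed to.

Added example, not Lumos or Okta code. Assumptions:
  * AD-sourced Okta users have their AD userPrincipalName as their Okta login
    (the Okta AD agent's default username format), so both sides are compared
    as lower-cased UPNs;
  * the AD side is exported on a domain-joined host with (PowerShell, assumed):
      Get-ADGroupMember -Identity pitch-basic-access -Recursive |
        Get-ADUser -Properties UserPrincipalName |
        Select-Object -ExpandProperty UserPrincipalName |
        Out-File -Encoding utf8 ad-members.txt
  * OKTA_ORG and OKTA_TOKEN (an SSWS API token) are set for the live Okta call.
The parsing and comparison run offline on the constructed sample below.
"""
import json
import os
import re
import sys
import urllib.request

OKTA_ORG = os.environ.get("OKTA_ORG", "https://example.okta.com")  # placeholder org URL
OKTA_TOKEN = os.environ.get("OKTA_TOKEN", "")

# Okta paginates list endpoints with a Link header; the last page has no rel="next".
_NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_link(link_header):
    """Return the rel="next" URL from an Okta Link header value, or None on the last page."""
    match = _NEXT_LINK.search(link_header or "")
    return match.group(1) if match else None


def okta_group_members(group_id):
    """Return the lower-cased logins of every user in an Okta group
    (GET /api/v1/groups/{id}/users), following pagination so large groups are not truncated."""
    logins = []
    url = f"{OKTA_ORG}/api/v1/groups/{group_id}/users?limit=200"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {OKTA_TOKEN}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            logins.extend(u["profile"]["login"].lower() for u in json.load(resp))
            # Okta sends one Link header per relation (self, next); join them before searching.
            url = next_link(", ".join(resp.headers.get_all("Link") or []))
    return logins


def parse_ad_export(text):
    """Parse the one-UPN-per-line export into a set of lower-cased UPNs, ignoring blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def compare_memberships(okta_logins, ad_upns):
    """Return (missing_in_ad, extra_in_ad).

    missing_in_ad: assigned in Okta but absent from the AD group: the push has not
                   landed yet, or the user was removed in AD by hand.
    extra_in_ad:   present in AD without an Okta assignment: access granted directly
                   in AD, outside the Okta/Lumos approval path, and worth investigating.
    """
    okta = {login.lower() for login in okta_logins}
    ad = {upn.lower() for upn in ad_upns}
    return sorted(okta - ad), sorted(ad - okta)


# Constructed sample data for an offline run; these are not real accounts.
SAMPLE_OKTA_LOGINS = ["alice@corp.example", "Bob@corp.example", "carol@corp.example"]
SAMPLE_AD_EXPORT = "alice@corp.example\n\nbob@corp.example\ndave@corp.example\n"


def main(argv):
    """Usage: drift.py <okta group id> <ad-members.txt>; with no arguments, runs on the sample."""
    if len(argv) == 3:
        okta_logins = okta_group_members(argv[1])
        with open(argv[2], encoding="utf-8-sig") as fh:   # -sig tolerates the PowerShell BOM
            ad_upns = parse_ad_export(fh.read())
    else:
        okta_logins, ad_upns = SAMPLE_OKTA_LOGINS, parse_ad_export(SAMPLE_AD_EXPORT)
    missing, extra = compare_memberships(okta_logins, ad_upns)
    for upn in missing:
        print(f"MISSING in AD: {upn}")
    for upn in extra:
        print(f"EXTRA in AD (not assigned in Okta): {upn}")
    return 1 if missing or extra else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two kinds of drift on the sample data (carol is assigned in Okta but missing from AD; dave is in AD without an Okta assignment), or pass the Okta group ID and the exported file to check a real pushed group. A non-zero exit code makes it easy to schedule as a periodic check.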

Enabling Provisioning

Sometimes you want to do more than automate access to an app.

Maybe you have many types of licenses (e.g. Zoom Basic, Zoom Pro, Zoom Webinar) and you want to automate access requests for them.

1. Enable Auto-Provisioning in Okta

Okta supports automated provisioning for apps that expose a SCIM endpoint, as well as for apps in the Okta Integration Network that ship with an Okta-built provisioning connector. To see whether your app supports auto-provisioning, look for a Provisioning tab on the app's page in Okta.

To set it up, follow the instructions in Okta, which may be different for each app. Here is what it looks like for Slack.

[Screenshot: Provisioning tab for Slack in Okta]

2. Enable Push Groups to the Service Provider

Push groups send group memberships downstream to the service provider (e.g. Slack). Within the service provider, you can configure each group to control any number of things, including access to resources (e.g. Slack workspaces or channels), license types (e.g. Zoom Pro licenses), or permission sets.

You can enable these push groups on the app's “Push Groups” tab in Okta.

3. Add Push Groups to Active Directory

If you add any additional groups (such as admin groups) to the push groups for your service provider, make sure they are also pushed to Active Directory using the steps above under “Push this Group to Active Directory”.

Syncing AD with Okta

You may have AD groups you want to use with Lumos. You can do this through Okta Group Rules.

1. Import AD Groups into Okta

You can follow this guide from Okta to make sure your AD groups are properly synced with Okta.

2. Create Okta native Groups and Group Rules

Since Lumos can only add or remove access to Okta native groups, you’ll need to map your imported AD groups to Okta native groups. You can do this with Okta Group Rules.

Visit the Directory > Groups page in Okta and create a new rule.

  1. Under If, change the dropdown to “Group Membership” and select your AD access group.

  2. Under Then, select your mapped Okta native group. We suggest giving the AD group and its Okta native group the same name.

  3. Save the new rule.

You may need to import groups from Active Directory before they'll show up in Group Rules.
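If you have many AD groups to map, the same rule can be created through the Okta API instead of the Admin Console. The script below is an added example, not Lumos or Okta code. It assumes OKTA_ORG and an SSWS API token in OKTA_TOKEN with rights to manage group rules, and that you already know the Okta group IDs (they start with 00g) of the imported AD group and of the Okta native target group; the IDs shown in the script are placeholders.

```python
"""Create and activate an Okta Group Rule:
IF member of <imported AD group> THEN assign to <Okta native group>.

Added example, not Lumos or Okta code. Assumes OKTA_ORG and an SSWS API token
in OKTA_TOKEN with rights to manage group rules, plus the Okta group IDs of the
imported AD group and the native target group (find them with
GET /api/v1/groups?q=<name> or in the group's Admin Console URL).
"""
import json
import os
import urllib.request

OKTA_ORG = os.environ.get("OKTA_ORG", "https://example.okta.com")  # placeholder org URL
OKTA_TOKEN = os.environ.get("OKTA_TOKEN", "")


def build_group_rule(name, ad_group_id, okta_group_id):
    """Build the POST /api/v1/groups/rules payload.

    The IF condition is an Okta Expression Language expression; isMemberOfAnyGroup()
    takes group IDs, not group names, so the ID is embedded as a quoted string.
    """
    for gid in (ad_group_id, okta_group_id):
        if not (gid.startswith("00g") and gid.isalnum()):
            raise ValueError(f"{gid!r} is not an Okta group ID (expected 00g...)")
    if ad_group_id == okta_group_id:
        raise ValueError("source and target group must differ")
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {
                "value": f'isMemberOfAnyGroup("{ad_group_id}")',
                "type": "urn:okta:expression:1.0",
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": [okta_group_id]}},
    }


def _okta(method, path, body=None):
    """Minimal Okta REST call; returns the parsed JSON body, or None for an empty (204) response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{OKTA_ORG}{path}",
        data=data,
        method=method,
        headers={
            "Authorization": f"SSWS {OKTA_TOKEN}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def create_and_activate_rule(name, ad_group_id, okta_group_id):
    """Create the rule, then activate it.

    A newly created rule is INACTIVE and does nothing until
    POST /api/v1/groups/rules/{id}/lifecycle/activate, after which Okta evaluates it
    for all users and populates the target group.
    """
    rule = _okta("POST", "/api/v1/groups/rules", build_group_rule(name, ad_group_id, okta_group_id))
    _okta("POST", f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate")
    return rule["id"]


if __name__ == "__main__":
    # Placeholder group IDs, not real Okta IDs: replace with your imported AD group
    # and the Okta native group it should map to.
    rule_id = create_and_activate_rule(
        "pitch-basic-access (from AD)",
        ad_group_id="00gAAAAAAAAAAAAAAAAA",
        okta_group_id="00gBBBBBBBBBBBBBBBBB",
    )
    print("activated rule", rule_id)
```

The activation step is the one most often forgotten when scripting this: the rule appears in Directory > Groups > Rules immediately after creation, but the Okta native group stays empty until the rule is activated.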

3. Use your Okta groups in Lumos

You can now use the Okta group in Lumos! More info about how to configure app and permission approval settings is available here: 📄 AppStore Configuration Settings