Okta LDAP Interface

Okta LDAP Interface is a built-in Okta integration that enables you to expose your Okta directory over standard LDAP wire. The Okta LDAP Interface exposes the entire Okta directory.

The LDAP interface is not an isolated application

This means that you cannot manage the assignment of users and groups to the LDAP Interface the same way you would in a web application. Instead, you should be able to leverage LDAP filters to moderate access to applications that call the LDAP Interface (i.e., filtering user attributes and groups.)

1 - Enable LDAP Interface in Your Okta Account

Go to the Admin Console in your Okta account.
Select Directory, and then click Directory Integrations.
Select Add Directory and Add LDAP Interface. You will be presented with the details required to make a successful LDAP connection.

Create a service account

Create a service account to use as your LDAP bind user; any Okta admin with the "view users" permission can serve the role. Choose the Read-Only Admin to grant the least privilege.

2 - Configure Your IAM in Immuta

Navigate to the App Settings page in Immuta.
Click the Add IAM button.
Complete the Display Name field and select LDAP/Active Directory from the Identity Provider Type dropdown.
Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Credentials and Options sections. Note: Either User Attribute OR User Search Filter is required, not both. Completing one of these fields disables the other.
Opt to have Case-insensitive user names by clicking the checkbox.
Opt to Enable Debug Logging or Enable SSL by clicking the checkboxes.
In the Profile Schema section, map attributes in LDAP/Active Directory to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
Opt to enable the following settings by selecting their checkboxes:
- Enable scheduled LDAP Sync support for LDAP/Active Directory
- Require manual approval before a user can use Immuta
- Enable pagination for LDAP Sync: Once enabled, confirm the sync schedule written in ; the default is every hour. Confirm the LDAP page size for pagination; the default is 1,000.
- Sync groups from LDAP/Active Directory to Immuta: Once enabled, map attributes in LDAP/Active Directory to automatically pull information about the groups into Immuta.
- Sync attributes from LDAP/Active Directory to Immuta: Once enabled, add attribute mappings in the attribute schema. The desired attribute prefix should be mapped to the relevant schema URN.
- External Groups and Attributes Endpoint
- Make Default IAM
- Migrate Users from another IAM
Click the Test Connection button.
Once the connection is successful, click the Test User Login button.
Click the Test LDAP Sync button if scheduled sync has been enabled.
Click Save and confirm your changes.

3 - Configure MFA in Okta

To enforce directory-wide MFA, create an authentication policy in Okta (if you do not yet have MFA policies in place).

Navigate to Security in the Okta Admin console.
Select Authentication, and then click Sign On.
Note: If you enforce MFA on the user that’s configured as your LDAP bind user, the integration won’t work. You will therefore need to make that user exempt in your MFA policies.

Last updated 6 months ago

Was this helpful?

1 - Enable LDAP Interface in Your Okta Account

Go to the Admin Console in your Okta account.

Select Directory, and then click Directory Integrations.

Select Add Directory and Add LDAP Interface. You will be presented with the details required to make a successful LDAP connection.

Create a service account

Create a service account to use as your LDAP bind user; any Okta admin with the "view users" permission can serve the role. Choose the Read-Only Admin to grant the least privilege.

2 - Configure Your IAM in Immuta

Navigate to the App Settings page in Immuta.

Click the Add IAM button.

Complete the Display Name field and select LDAP/Active Directory from the Identity Provider Type dropdown.

Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Credentials and Options sections. Note: Either User Attribute OR User Search Filter is required, not both. Completing one of these fields disables the other.

Opt to have Case-insensitive user names by clicking the checkbox.

Opt to Enable Debug Logging or Enable SSL by clicking the checkboxes.

In the Profile Schema section, map attributes in LDAP/Active Directory to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

Opt to enable the following settings by selecting their checkboxes:

Enable scheduled LDAP Sync support for LDAP/Active Directory
Require manual approval before a user can use Immuta
Enable pagination for LDAP Sync: Once enabled, confirm the sync schedule written in ; the default is every hour. Confirm the LDAP page size for pagination; the default is 1,000.
Sync groups from LDAP/Active Directory to Immuta: Once enabled, map attributes in LDAP/Active Directory to automatically pull information about the groups into Immuta.
Sync attributes from LDAP/Active Directory to Immuta: Once enabled, add attribute mappings in the attribute schema. The desired attribute prefix should be mapped to the relevant schema URN.
External Groups and Attributes Endpoint
Make Default IAM
Migrate Users from another IAM

Click the Test Connection button.

Once the connection is successful, click the Test User Login button.

Click the Test LDAP Sync button if scheduled sync has been enabled.

Click Save and confirm your changes.

3 - Configure MFA in Okta

To enforce directory-wide MFA, create an authentication policy in Okta (if you do not yet have MFA policies in place).

Navigate to Security in the Okta Admin console.

Select Authentication, and then click Sign On.

Note: If you enforce MFA on the user that’s configured as your LDAP bind user, the integration won’t work. You will therefore need to make that user exempt in your MFA policies.