Using OKTA with AD

I have searched this group and saw some people discussing this topic, and I am running into a related issue.

Let me describe my configurations and issues.

AWX 19.3.0 + ldap bug fix and local changes
AWX Operator 0.13.0
GKE cluster

I have my cluster working with OKTA SAML and with AD. Login via OKTA will create an account (foo@foo.com) with the tag (SOCIAL)… Login via AD/LDAP will create an account (foo) with the tag (LDAP).

I want the sequence to be login via OKTA, which then makes use of LDAP for the rest of authorization, such as organization, groups, teams and so on.

OKTA does not send much information to me other than first, last name and email.
AD/LDAP sends much more, but the accounts are separate.

I’ve tried making ldap accept either (foo) or (foo@foo.com) for username login. This works via User Search: “(|(sAMAccountName=%(user)s)(mail=%(user)s))”.

With the above query string, if my users log in via ldap first, then their account is created with the (LDAP) tag. From then on, they can log in using ldap or OKTA.

If they log in via OKTA, the tag (SOCIAL) is now added to their username, so they have both (SOCIAL) and (LDAP) tags.

However, if they log in using OKTA first, then OKTA creates an account that is not tied to ldap.

Now the user can never log in as foo@foo.com using LDAP, but they must always log in via OKTA MFA. This is missing all the useful information that I can get from ldap.

Any idea how to make OKTA integrate better with ldap? E.g. associate OKTA SOCIAL account with ldap account?

The flow I want to use is:

OKTA MFA ===> authentication and use ldap for everything else (authorization).

Any idea?

The workaround will get me going for now, but I know some of my users will mess up and log in via OKTA first.

Thanks.

Tin
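The user-search filter quoted in the post, worked through as an added example (not part of the original post, nor AWX or django-auth-ldap code): it shows how the OR filter resolves either login form, "foo" or "foo@foo.com", to the same directory entry, and why the `%(user)s` value must be RFC 4515 escaped before substitution. The directory entries, DNs and `example.com` domain are constructed sample data; the evaluator is a toy that handles only this two-branch equality filter.

```python
import re

# The filter from the post; django-auth-ldap substitutes %(user)s at login.
USER_SEARCH_FILTER = "(|(sAMAccountName=%(user)s)(mail=%(user)s))"

# Constructed AD-style entries standing in for a directory; not real data.
SAMPLE_DIRECTORY = [
    {"dn": "CN=foo,OU=Users,DC=example,DC=com",
     "sAMAccountName": "foo", "mail": "foo@foo.com"},
    {"dn": "CN=bar,OU=Users,DC=example,DC=com",
     "sAMAccountName": "bar", "mail": "bar@foo.com"},
]

# RFC 4515 escapes: these characters would otherwise change the filter's
# structure or turn a login string into a wildcard match.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login string so it is matched literally inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(login: str) -> str:
    """Substitute the escaped login for every %(user)s placeholder."""
    return USER_SEARCH_FILTER % {"user": escape_filter_value(login)}


def _unescape(value: str) -> str:
    # Reverse the \XX hex escapes so the comparison is against the literal text.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(login: str, directory=SAMPLE_DIRECTORY):
    """Toy evaluator for the OR filter above: equality only, case-insensitive as AD is.

    Returns the DNs whose sAMAccountName or mail equals the escaped login.
    """
    rendered = render_filter(login)
    pairs = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", rendered)
    return [entry["dn"] for entry in directory
            if any(entry.get(attr, "").lower() == _unescape(val).lower()
                   for attr, val in pairs)]
```

Both `search("foo")` and `search("foo@foo.com")` return the same DN, which is the property the post relies on; `search("*")` returns nothing because the escaped asterisk is compared literally rather than as a wildcard.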