For Secure Web Applications (SWA) which leverage AD Passwords and in turn SWA Apps in Okta store the username and password, we can leverage Password Sync Agent to make sure that AD passwords changed outside of Okta are pushed to the SWA Apps within Okta, so that no manual updates are needed.
Requirements for Password Sync Agent (PSA)
- The org must be AD-mastered.
- The Active Directory Agent must be installed and configured on at least one domain controller in each domain in your forest.
- The Active Directory Password Sync Agent must be installed and configured on all domain controllers in each domain in your forest.
- Delegated Authentication must be enabled.
- Okta username format must be UPN
- If Inbound SAML is set up, PSA will not work
More requirements here
This will push AD Passwords to the provisioning-enabled SWA App during initial setup or whenever password changes. The Okta AD Password Sync Agent automatically pushes users' AD passwords from your Domain Controllers to the Okta service.
Passwords are synced from your Domain Controller to Okta whenever a user's password is changed. The agent must be installed on all Domain Controllers and Delegated Authentication must be enabled on your Okta organization.
Other useful Links