# Okta_PasswordSync

> Password synchronization between user accounts via AD integration, Org2Org, or SCIM

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Edge Schema

* Source: [User](/resources/nodes/user), [Okta\_User](/opengraph/extensions/okta/nodes/okta_user)
* Destination: [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [User](/resources/nodes/user)
* Traversable: ✅

## General Information

The traversable Okta\_PasswordSync edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user.

In **Active Directory** hybrid setups, this edge is created between User (AD) and [Okta\_User](/opengraph/extensions/okta/nodes/okta_user) when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between [Okta\_User](/opengraph/extensions/okta/nodes/okta_user) nodes across organizations when password synchronization is configured.

<Warning>
  The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization.
</Warning>

### Active Directory Hybrid

```mermaid
graph LR
    subgraph ad["Active Directory"]
        adu1("User john\@contoso.com")
    end
    subgraph okta["Okta"]
        u1("Okta_User john\@contoso.com")
        adu1 -->|Okta_PasswordSync| u1
        adu1 .->|Okta_UserSync| u1
    end
```

### Org2Org

```mermaid
graph LR
    subgraph source_org["Okta Org Contoso"]
        u1("Okta_User alice\@contoso.com")
        app1("Okta_Application Adatum Org2Org App")
    end
    subgraph target_org["Okta Org Adatum"]
        u2("Okta_User alice\@adatum.com")
        idp2("Okta_IdentityProvider Contoso Org2Org OIDC")
        app2("Okta_Application Contoso Sync API Service")
    end
    u1 -->|Okta_PasswordSync| u2
    u1 -->|Okta_OutboundSSO| u2
    u1 .->|Okta_UserSync| u2
    u1 .->|Okta_UserPush| app1
    u1 .->|Okta_AppAssignment| app1
    app1 -->|Okta_ReadPasswordUpdates| u1
    app1 -->|Okta_OutboundOrgSSO| idp2
    idp2 -->|Okta_IdentityProviderFor| u2
```
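
For a defensive review, the following added example (not BloodHound's own code) follows Okta\_PasswordSync edges transitively over a constructed edge list modelled on the two diagrams above, listing accounts that end up sharing a password through a chain of syncs. It goes beyond the diagrams by adding a hypothetical AD account for alice; the tuple layout and node ids are assumptions of the example.

```python
from collections import defaultdict, deque

# Constructed sample edges (source, kind, target). The tuple layout and the
# "Kind:name" node ids are assumptions of this example, not an export schema.
# An AD account for alice is added so the two setups form one chain.
EDGES = [
    ("User:john@contoso.com", "Okta_PasswordSync", "Okta_User:john@contoso.com"),
    ("User:john@contoso.com", "Okta_UserSync", "Okta_User:john@contoso.com"),
    ("User:alice@contoso.com", "Okta_PasswordSync", "Okta_User:alice@contoso.com"),
    ("Okta_User:alice@contoso.com", "Okta_PasswordSync", "Okta_User:alice@adatum.com"),
    ("Okta_User:alice@contoso.com", "Okta_OutboundSSO", "Okta_User:alice@adatum.com"),
    ("Okta_User:alice@contoso.com", "Okta_UserSync", "Okta_User:alice@adatum.com"),
]


def password_sync_reach(edges, kind="Okta_PasswordSync"):
    """Map each source account to {downstream account: hop count} over `kind` edges only."""
    graph = defaultdict(set)
    for src, edge_kind, dst in edges:
        if edge_kind == kind:
            graph[src].add(dst)
    reach = {}
    for start in list(graph):
        hops, queue = {start: 0}, deque([start])
        while queue:  # breadth-first, so each hop count is the shortest chain
            node = queue.popleft()
            for nxt in graph.get(node, ()):
                if nxt not in hops:  # visited check also terminates sync loops
                    hops[nxt] = hops[node] + 1
                    queue.append(nxt)
        del hops[start]
        reach[start] = hops
    return reach


def indirect_targets(reach):
    """Pairs linked only through a chain (hops > 1), which per-integration reviews miss."""
    return sorted((src, dst, n) for src, targets in reach.items()
                  for dst, n in targets.items() if n > 1)


if __name__ == "__main__":
    for src, dst, n in indirect_targets(password_sync_reach(EDGES)):
        # Org2Org hops are candidates only: the Okta API does not show whether
        # the real password or a random value is pushed.
        print(f"verify: {src} -> {dst} ({n} hops)")
```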
