Tags: active-directory, ldap, okta

Okta - Multiple AD/LDAP Connected to Different Applications


I have a use case where I have different AD/LDAP user stores that support both on-premise and cloud. Certain applications need to use their credentials from their respective user stores. Something like the following:

AD (On Prem) -> Okta -> App 1

LDAP (Cloud) -> Okta -> App 2

Both should go through Okta but App 1 should only be linked to the AD when users are authenticated. I will use Delegated Authentication to make sure they use user store credentials. However, I am unsure how to make App 1 only available to AD and not the LDAP store.


Solution

  • You can assign all your users from AD to an Okta group "AD Users" (if you don't have any other AD group which has all AD users in it), and then inside your application's sign-on policy you can allow only this group to have access; the rest will be rejected.
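As an added example (not code from the question or the answer), the Python script below applies the answer's approach through the Okta Management API: it looks up the "AD Users" group by exact name, assigns App 1 to that group so only its members are granted the app, and then checks whether a given user falls inside the gating group. It uses group assignment to the application rather than the sign-on policy step the answer describes in the admin UI; the org URL, API token, app id and user ids are placeholders you must supply.

```python
"""Restrict an Okta application to users sourced from one directory.

Idea from the answer above: every AD-sourced user sits in one Okta group
("AD Users"); App 1 is made available to that group only, so LDAP-sourced
users are rejected. Org URL, token, app id and user ids are placeholders.
"""
import json
import urllib.parse
import urllib.request


class OktaClient:
    """Minimal Okta Management API client using SSWS API-token auth."""

    def __init__(self, org_url, api_token):
        self.org_url = org_url.rstrip("/")
        self.api_token = api_token

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.org_url + path, data=data, method=method)
        req.add_header("Authorization", "SSWS " + self.api_token)
        req.add_header("Accept", "application/json")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None


def find_group_id(client, name):
    """Return the id of the single Okta group whose name equals `name`."""
    # `q` matches group names by prefix, so filter down to exact matches;
    # refusing ambiguity avoids gating the app on the wrong group.
    groups = client.request("GET", "/api/v1/groups?q=" + urllib.parse.quote(name))
    matches = [g["id"] for g in groups if g["profile"]["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, found {len(matches)}")
    return matches[0]


def restrict_app_to_group(client, app_id, group_name):
    """Assign the app to the directory group; only its members get access."""
    group_id = find_group_id(client, group_name)
    client.request("PUT", f"/api/v1/apps/{app_id}/groups/{group_id}", body={})
    return group_id


def user_has_app_access(client, user_id, group_id):
    """True if the user is a member of the gating group (e.g. an AD user)."""
    groups = client.request("GET", f"/api/v1/users/{user_id}/groups")
    return any(g["id"] == group_id for g in groups)


if __name__ == "__main__":
    client = OktaClient("https://YOUR_ORG.okta.com", "YOUR_API_TOKEN")  # placeholders
    gid = restrict_app_to_group(client, "APP1_ID_PLACEHOLDER", "AD Users")
    print("App 1 gated on group", gid)
```

Assigning the group to the app enforces the restriction for App 1 only; App 2 can be assigned to the LDAP-sourced group in the same way.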