Which must be true for password synchronization to work correctly in Desktop SSO?

For password synchronization to function correctly in a Desktop Single Sign-On (SSO) environment, it is essential that the Active Directory Password Sync Agent is installed on all domain controllers. This is because the Password Sync Agent is responsible for ensuring that password changes in Active Directory are communicated and synchronized with Okta. When this agent is installed on every domain controller, it enables a reliable and consistent synchronization process, ensuring that any password changes made by users are immediately reflected in the Okta system.

Having the Agent on all controllers guarantees that the updates are captured regardless of which domain controller the user interacts with during their authentication process. This widespread installation is crucial for maintaining the integrity of user authentication and enabling seamless access across applications that rely on Okta for Single Sign-On.

While the other options touch on relevant aspects of security and functionality, they do not accurately reflect the critical requirement for password synchronization within the context of Desktop SSO. For instance, although encryption is a standard practice to protect passwords, the requirement specifically hinges on the deployment of the synchronization agent across all domain controllers to facilitate the correct and timely synchronization of user credentials.