What are the key terms and acronyms Okta uses?
- A lightweight program that runs as a service outside of Okta.
- It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta’s cloud service.
- Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, you can install multiple Active Directory agents so that the integration is robust and highly available across geographic locations. You can change these settings at any time as you refine your Okta configuration.
- If the app that you want to add does not already exist in the OIN, create it with the AIW.
The AIW allows you to create custom apps with immediate functionality:
- SWA apps
- SAML 2.0 apps
- OIDC apps
- An enhancement to the profile-mastering concept.
- ALM changes the profile-mastering model by allowing admins to override the source that masters the entire Okta user profile.
- When users are mastered by attribute, this is called attribute-level mastery.
- ALM delivers finer-grained control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes.
- Profile mastering only applies to Okta user profiles, not app user profiles.
- Allows users to enter our environment.
- Example: logging into a Windows workstation with a username and password.
- Analogy: your driver’s license identifies who you are based on several pieces of information.
- For a user to have access to our system, they must first authenticate.
- Determines what you can do in the system.
- Example: when you log into your workstation, can you install apps or change your desktop wallpaper?
- Analogy: you show your driver’s license to the police officer to show that you are authorized to drive the vehicle.
- But just because you have a driver’s license doesn’t mean you can drive a tank or a bus.
- When an app is SAML-enabled, turning on SAML turns off password authentication.
- This is an implementation scenario that cannot be phased; it is a moment in time at which the application goes live.
- Big Bang adoption is a software migration method that involves retiring the existing system and transferring all users to the new system simultaneously.
Implementation is faster with big bang adoption than with the other methods:
- Parallel adoption
- Phased adoption
- Pilot conversion
- A blocklist is a primary control mechanism that allows through all elements except those explicitly listed.
- The “buttons” that appear on an end user’s Homepage and represent each app for access through Okta.
- Clicking the chiclet instantly signs in and authenticates the user to the app.
- The use of a hyperlink that links to a specific, generally searchable or indexed, piece of web content on a website, rather than to the website’s home page.
- In the context of Okta provisioning, a downstream app is one that is receiving data from Okta.
- The people who have their own Okta home page (My Applications), with chiclets to authenticate into all apps, but who do not have any administrative control.
- In the IT world a person can have many identities across different systems, which can be tough to manage; that’s where the concept of “federated identities” comes into play.
- Federated Identity is the linking of attributes across multiple systems.
- Example: using Facebook to log into Digg or Skype.
- This reduces the number of electronic identities we hold and the need for multiple accounts across multiple platforms.
- Cloud-based authentication operated by a third-party provider.
- Defines who you are, what you can do, and who you can interact with.
- This means your identity refers to your authentication, authorization, and privileges.
IdM (Identity Management) Lifecycle
- The IdM lifecycle starts with manual or automated provisioning.
- The user is then configured for our environment.
- The user can enter our environment, which is called authentication.
- We can then determine what the user has access to, which is called authorization.
- We then need to maintain that user with continued support through the provisioning and deprovisioning of apps and systems.
- We can provide access to apps through self-service.
- When the relationship with the user ends, the user is deprovisioned.
- Their rights are removed from the systems and apps they had rights to.
- Even though a user has been deprovisioned, it is possible to provision them back into the system.
- A service that manages end-user accounts, analogous to user directories such as LDAP and AD.
- It can send SAML responses to SPs to authenticate end users (within this scenario, the IdP is Okta).
Okta partners with various ISVs (usually producing enterprise applications) to integrate with Okta:
- On premises
- In the cloud
- Native to mobile devices
- A Microsoft product that allows SSO via a web browser.
- A user enters credentials, and a ticket is issued.
- The ticket is similar to a ticket you receive at the movies: you must present that ticket to gain access to the theater.
- With Kerberos, you must present that ticket to gain access to the system.
- Where the profile is created and maintained.
- The authoritative source.
- The OIN is comprised of thousands of public, pre-integrated business and consumer apps.
- As an on-demand-service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability.
- An authentication layer on top of OAuth 2.0, an authorization framework.
- The standard is controlled by the OpenID Foundation.
- Each app found in the Okta Applications page has either an Okta Verified, Community Created or Company Verified designation. Okta Verified indicates that the app was created either from the OAN or by Okta community users, then tested and verified by Okta.
One Time Pass Token (OTP Token)
- A uniquely generated password that can only be used once.
- An abbreviation of organization, which can also be thought of as a company.
- A company that uses Okta as their SSO portal is generally referred to as an org.
- As an admin, you decide how Okta should be displayed and/or integrated with your org.
- Organizational units are AD containers into which you can place users, groups, computers, and other organizational units.
- It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.
- A profile master is an app (usually a directory service such as AD, or human capital management system such as Workday) that acts as a SOT for user profile attributes.
- A user can only be mastered by a single app or directory at any one time.
- There can only be one profile master that masters a user’s entire profile.
- The ability to automatically create, update, and deactivate a user in an application.
- A RADIUS-enabled device at the network perimeter that enforces access control for users attempting to access network resources, for example:
- VPN Server
- Wireless access point
- Network access server supporting dial-in modems
- Dial-in modem
- The Security Accounts Manager is a database file in Windows that stores users' passwords.
- SAML is an XML-based standard for exchanging authentication and authorization data between an IdP and an SP.
The SAML standard addresses issues unique to the SSO solution and defines three roles, including:
- The end user
- It is a way to securely communicate credentials.
There are two parties in a SAML agreement:
- The IdP
- The SP
Here’s how SAML works through Okta:
- The end user requests (principally through a browser) a service from an SP.
- The SP requests and obtains an identity assertion from the IdP (in this case, Okta).
- On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user.
- With Okta as the IdP, an end user signs in to Okta in the browser and clicks on a chiclet, which sends a SAML Response to the configured SP.
- A session is established with the SP, and the end user is authenticated.
- An open standard that allows for the automation of user provisioning.
- A card that carries the user’s credentials.
- When the card is inserted, the user does not have to enter a username and password, because the card holds the user’s credentials.
- A software-based security token that generates a single-use PIN.
- Hardware-based tokens are more secure but more expensive than soft-tokens.
- A Service Provider is a company, usually providing organizations with communications, storage, processing, and a host of other services.
- Within Okta, it is any website that accepts SAML responses as a way of signing in users.
- It has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.
- As an end user, the ability to log in once and have access to other apps without having to enter credentials again.
From an admin standpoint, there are multiple ways to implement SSO:
- One-time pass token (OTP)
- An SSO system developed by Okta to provide single sign-on for apps that don’t support proprietary federated sign-on methods or SAML.
- Users can enter their credentials for these apps on their homepage.
- These credentials are stored so that users can access their apps without entering their credentials each time.
- When users first sign in to an SWA app from their homepage, they see a pop-up message asking if they were able to sign in successfully.
- An app that can be used to create custom apps that are not in the OIN.
- The practice of identifying entities that are provided a particular privilege, service, mobility, access, or recognition. Entities on the list will be accepted, approved, and/or recognized.
- The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.