Active Directory (AD)
A directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.

A complete reference for IT admins, architects, and teams evaluating Okta — from Active Directory and SAML to SCIM, MFA, and the full identity lifecycle.
Okta has its own vocabulary. Whether you're planning your first deployment or troubleshooting an existing integration, knowing these terms will save you hours of confusion. This glossary covers every major acronym and concept you'll encounter — organized alphabetically for quick reference.
A–Z Glossary
A lightweight program that runs as a service outside of Okta. Typically installed behind a firewall, it allows Okta to tunnel communication between an on-premises service and Okta's cloud service.
Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. Multiple AD agents can be installed to ensure robustness and high availability across geographic locations.
If the app you want to add does not exist in the Okta Integration Network (OIN), you can create one with the AIW. It allows you to create custom:
All with immediate functionality.
An enhancement to the profile-mastering concept. ALM changes the profile-mastering model by allowing admins to override the source that masters the entire Okta user profile, delivering finer-grained control by specifying different profile masters for individual attributes.
Profile mastering only applies to Okta user profiles, not app user profiles.
The process that allows users to enter your environment by verifying their identity. Examples include logging into a Windows workstation with a username and password, or presenting a driver's license to prove who you are.
Determines what a user can do once inside the system — for example, whether they can install applications or change system settings. Authentication confirms identity; authorization grants permissions.
When a SAML-enabled app has a single go-live moment where all users migrate simultaneously — password authentication turns off at the same time SAML turns on. There is no phased rollout.
Big Bang adoption is faster than parallel, phased, or pilot conversion approaches but requires all users to be imported into Okta before launch. G Suite is a classic example. Iron Cove Solutions is an expert in G Suite Okta deployments.
A primary control mechanism that allows all entities through except those explicitly listed. The opposite of whitelisting.
A policy permitting employees to use personally owned devices (laptops, tablets, and smartphones) to access company information and applications from the workplace.
The buttons that appear on an end user's Okta homepage representing each assigned app. Clicking a chiclet instantly signs in and authenticates the user to that application.
Technology for managing all your company's relationships and interactions with customers and potential customers. Within Okta contexts, CRM apps are commonly integrated via SAML or OIDC.
An acronym for the four basic database operations: Create, Read, Update, and Delete. Relevant to Okta provisioning workflows.
The use of a hyperlink that links to a specific, indexed piece of web content rather than a website's home page. In Okta, deep links allow users to land directly on a target resource after SSO authentication.
In the context of Okta provisioning, a downstream app is one that is receiving data from Okta — such as an HR system or SaaS app being provisioned from an Okta-mastered profile.
People who have their own Okta homepage (My Applications) with chiclets to authenticate into assigned apps, but who do not have any administrative control over the Okta org.
The linking of attributes across multiple systems. A person can have many digital identities across different platforms; federated identity management reduces that complexity by allowing one identity to authenticate across multiple systems.
Example: using a Google account to log into a third-party SaaS tool rather than creating a new account.
Okta Lifecycle Management connects your HR system (such as Workday) and IT resources to automate onboarding and offboarding in a seamless, secure way.
Cloud-based authentication operated by a third-party provider. Okta is a leading IDaaS platform, providing SSO, MFA, and lifecycle management without on-premises infrastructure.
Defines who you are, what you can do, and who you can interact with. Identity management covers authentication (who you are), authorization (what you can do), and privileges (what resources you can access).
The full lifecycle of an identity in an organization:
Even after deprovisioning, a user can be re-provisioned back into the system if needed.
A service that manages end-user accounts — analogous to user directories like LDAP and AD. An IdP can send SAML responses to Service Providers (SPs) to authenticate end-users. In most Okta deployments, Okta is the IdP.
Okta partners with various ISVs — typically producers of enterprise applications — to provide integrations on-premises, in the cloud, or in native mobile environments.
A Microsoft product that enables SSO via a web browser for Windows-domain environments. Used with Okta for desktop SSO scenarios where users are already authenticated to a Windows domain.
A network authentication protocol. A user enters credentials, and a ticket is issued — similar to a movie ticket. You must present that ticket to gain access to a system or resource.
Okta supports Kerberos as one of several SSO implementation methods.
A lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. Runs over TCP/IP. Okta's LDAP agent allows it to integrate with on-premises LDAP directories.
The authoritative source where a user profile is created and maintained. The app or directory that is "mastering" a user owns that profile — changes flow from the master to downstream apps.
An additional verification step beyond a username and password when signing in to an application. MFA significantly raises the bar for attackers by requiring something you know, something you have, or something you are.
A catalog of thousands of pre-integrated business and consumer apps. OIN integrations are continuously validated and always up to date, spanning categories from HR and productivity to security and finance.
An authentication layer built on top of OAuth 2.0, an authorization framework. OIDC standardizes how apps verify end-user identity and obtain basic profile information. It is widely used for modern web and mobile app integrations with Okta.
A designation in the Okta Applications catalog indicating that the app was tested and verified by Okta — either built by the OIN community or by Okta directly. Other designations include Community Created and Company Verified.
A uniquely generated password that can only be used once. OTPs are a common second factor in MFA configurations and are often delivered via authenticator apps (soft-token) or hardware devices.
In Okta, an "org" refers to the Okta tenant associated with a company. As an admin, you decide how Okta is displayed and integrated for your org — including branding, policies, and app assignments.
AD containers into which you can place users, groups, computers, and other OUs. An OU is the smallest scope to which you can assign Group Policy settings or delegate administrative authority — and a key structural element when syncing AD with Okta.
An app (usually a directory like AD or an HCM like Workday) that acts as the single source of truth for user profile attributes. A user can only be mastered by a single app at any one time. See also: Attribute Level Mastery (ALM) for finer control.
The ability to automatically create, update, and deactivate a user in an application based on changes in Okta — or from an upstream HR system. Provisioning reduces manual IT work and enforces consistent access policies.
A RADIUS-enabled device at the network perimeter that enforces access control for users attempting to access network resources. Common examples include:
Okta's RADIUS agent bridges RADIUS-based apps with Okta authentication.
A method of software delivery where software is accessed online via a subscription rather than installed locally. Most apps in the Okta OIN are SaaS applications.
A database file in Windows that stores users' passwords. The SAM database is relevant to AD integrations, where Okta's AD Password Sync agent ensures passwords are synchronized.
An XML-based standard for exchanging authentication and authorization data between an IdP and a SP. SAML defines three roles: the end-user, the IdP, and the SP.
There are two common flows:
Iron Cove Solutions is an expert in SAML deployments including Dropbox.
An open standard that allows for the automation of user provisioning. SCIM enables Okta to push user create/update/deactivate events to supported apps automatically, reducing manual work and access-control drift.
A document that defines the work to be done in an Okta engagement — deliverables, timelines, and responsibilities. Iron Cove provides detailed SOWs for all deployment and managed service engagements.
The practice of structuring data so that every element is stored exactly once. In Okta, your profile master (AD, Workday, or Okta itself) is the SSOT for user attributes.
Physical cards that store a user's credentials. When inserted, the card authenticates the user without requiring them to enter a username and password manually. Supported as an SSO factor in Okta.
A software-based security token that generates a single-use PIN. Authenticator apps like Okta Verify or Google Authenticator are soft-tokens. Less expensive than hardware tokens but slightly less secure.
Within Okta, a Service Provider is any website or app that accepts SAML responses as a way of signing in users, and can redirect users to an IdP (Okta) to begin the authentication process.
A security protocol for establishing encrypted links between a web server and a browser. All Okta communications are encrypted via TLS (the modern successor to SSL).
As an end user: the ability to log in once and access multiple apps without re-entering credentials. As an admin, SSO can be implemented via:
An SSO system developed by Okta for apps that don't support SAML or federated sign-on. Okta securely stores and injects the user's credentials when they click the app chiclet — the user never has to manually enter credentials again after the first sign-in.
An app that can be used to create custom integrations not found in the OIN. Used alongside the AIW when a specific app needs to be built from scratch.
Extends a private network across a public network, allowing users to send and receive data as if their devices were directly connected to the private network. Okta integrates with VPN appliances via the RADIUS agent for policy-based access control.
The practice of defining a list of trusted entities that are granted access, approval, or recognition. Only entities on the list are permitted — the inverse of blocklisting.
A standard that defines a declarative, fine-grained, attribute-based access control policy language, architecture, and processing model. Used in advanced authorization scenarios where role-based access control alone is insufficient.
Ideal for organizations with complex IT configurations. We provide Migration and Deployment packages leveraging deep expertise in identity management, access control, and integrations across various platforms.
Growing organizations face unique challenges in managing digital identities, security, and cloud infrastructure. A specialized Okta MSP like Iron Cove can be a game-changer for your identity strategy.
Our Small Business Package is affordable and structured to quickly set up identity and access management in the Okta cloud — great for startups and local enterprises seeking scalable solutions.
We help non-profit organizations implement Okta with deployment plans tailored to your budget and specific needs, ensuring access to secure, affordable identity and access management.
Iron Cove Solutions has been deploying Okta since 2017 — enterprises, mid-market, and small business. Whether you're starting fresh or optimizing an existing org, we'll tell you exactly where your gaps are.
© 2026 Iron Cove Solutions