Identity and access management (IAM) is a set of policies and technologies used to ensure an organization’s security, by carefully assigning roles and access to users and devices. This book will get you up and running with Okta, an IAM service that can help you manage both employees and customers.
The book begins by helping you understand how Okta can be used as an IAM platform, before teaching you about Universal Directory and how to integrate with other directories and apps, as well as set up groups and policies for Joiner, Mover, and Leaver flows.
This updated edition helps you to explore agentless desktop single sign-on (SSO) and multifactor authentication (MFA) solutions, and shows how to utilize Okta to meet NIST requirements. The chapters also walk you through Okta Workflows, low-/no-code automation functionalities, and custom API possibilities used to improve lifecycle management. Finally, you’ll delve into API access auditing and management, where you’ll discover how to leverage Advanced Server Access (ASA) for your cloud servers.
By the end of this book, you’ll have learned how to implement Okta to enhance your organization's security and be able to use the book as a reference guide for the Okta certification exam.
You can read the e-book in Legimi apps or in any app that supports the following format:
Page count: 366
Year of publication: 2023
Okta Administration Up and Running
Drive operational excellence with IAM solutions for on-premises and cloud apps
HenkJan de Vries
Lovisa Stenbäcken Stjernlöf
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Khushboo Samkaria
Book Project Manager: Neil D’Mello
Senior Editors: Sujata Tripathi and Runcil Rebello
Technical Editor: Yash Bhanushali
Copy Editor: Safis Editing
Proofreader: Safis Editing
Indexer: Hemangini Bari
Production Designer: Shankar Kalbhor
DevRel Marketing Coordinators: Marylou De Mello and Shruthi Shetty
First published: December, 2020
Second edition: December, 2023
Production reference: 1231123
Published by
Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-83763-745-4
www.packtpub.com
I dedicate this book to my wife and family, whose encouragement kept me going during this endeavor. To my mentors, who have been the compass in my lifelong journey of growth. A heartfelt thanks to Lovisa, whose collaboration and friendship were indispensable in the creation of this work (again). Additionally, I extend my gratitude to the diverse array of individuals I’ve encountered during my time associated with Okta—each interaction has contributed a unique thread to the fabric of my professional life. To all of you, your influence has been instrumental, and for that, I am profoundly thankful.
HenkJan de Vries
HenkJan de Vries is a seasoned Okta specialist with over a remarkable decade of immersion in the Okta universe. As a dedicated Okta partner engineer, he’s cultivated an impressive track record, offering unwavering support to a multitude of Okta clients. HenkJan’s profound expertise extends beyond the immediate, encompassing a keen understanding of long-term strategic requirements and the nitty-gritty of day-to-day organizational management.
His credentials include certification as a consultant, and he proudly holds a coveted spot within Okta’s prestigious SME group. But HenkJan’s passion transcends the professional sphere; he’s a committed contributor to Okta’s user community, where his invaluable assistance earned him the esteemed titles of “Okta Advocate” in 2019 and “Okta Community Leader” in 2020.
Currently, HenkJan is making waves in the identity management landscape as a consultant with Atlas Identity. While being part of the team, the firm has achieved significant recognition, being honored as the “Delivery Partner of the Year EMEA 2023.” This accolade is a testament to HenkJan’s knowledge and his dedication to solid delivery and customer success, further establishing his and Atlas Identity’s reputation for excellence in the field.
Lovisa Stenbäcken Stjernlöf has helped customers identify identity-related pains and has implemented Okta for various organizations for over 5 years. After starting out as a project manager and gaining certifications within Google and Salesforce, it was a natural step for her to start helping customers with their complete cloud setup, including Identity and Okta. She has been leading various teams selling and implementing Okta for the Swedish market for the last few years.
With over 20 years of IT experience, Alex Voermans is an expert in the field of Identity and Access Management (IAM). He focuses on (Workforce) identity, automation and HR as a source, helping his current employer to manage their digital identities and access rights. He also has a keen interest in cybersecurity, where he collects and reports information to raise awareness and train end users. He is proficient in designing and delivering internal training courses for both IT professionals and end users, covering various aspects of IAM and cybersecurity best practices.
I appreciate HenkJan and Lovisa for giving me the opportunity to review their new book on Okta and provide them with feedback. I recommend this book to anyone who is interested in IAM and who is using or planning to use Okta. Each chapter explains with examples how to get the most out of your Okta environment. I also learned new things by reading this book. I hope you enjoy reading this book as much as I did. #learningisfun
Welcome to the first revision of Okta Administration Up and Running. If you’ve ever wondered how to manage user identities and secure access to your organization’s resources effortlessly, you’re in the right place. In this book, we’ll guide you through the exciting world of Okta administration, breaking down complex concepts into plain, everyday language. You’ll learn the ins and outs of Okta’s features, from user provisioning and single sign-on to multifactor authentication and group management. So, whether you’re a tech enthusiast or a seasoned IT pro, get ready to empower your organization’s identity and access management with this clear, engaging, and informative journey through Okta’s capabilities. Let’s get started!
Okta Administration Up and Running – Second Edition is tailored for individuals and professionals who are eager to enhance their identity and access management skills using Okta. This book is your indispensable companion if you are the following:
IT administrators and managers: If you’re responsible for maintaining user accounts, ensuring secure access, and managing applications within your organization, this book will equip you with the knowledge and tools to streamline these tasks efficiently.
Security enthusiasts: For those passionate about securing digital identities and safeguarding data, this book provides a comprehensive understanding of Okta’s security features, including multifactor authentication and adaptive policies.
System integrators and consultants: Whether you’re helping organizations implement Okta solutions or seeking to deepen your expertise in identity management, this book offers valuable insights and practical guidance.
Small business owners and entrepreneurs: Even if you don’t have a dedicated IT team, this book simplifies Okta administration, making it accessible for small business owners looking to bolster their organization’s security and efficiency.
IT students and aspiring professionals: If you’re just starting your journey in the world of IT, you should know that Okta is a widely used tool in the industry. This book will serve as an excellent resource to build your foundational knowledge.
Anyone interested in modern identity management: Whether you’re curious about how identity and access management works or simply interested in staying informed about the latest technology trends, this book offers an accessible entry point into the world of Okta.
Throughout these pages, you’ll find practical examples, step-by-step instructions, and real-world scenarios that will empower you to harness the full potential of Okta’s capabilities. So, dive in, and let’s demystify the world of Okta administration together. Your journey to becoming an Okta expert starts here!
Chapter 1, IAM and Okta, dives into the foundational principles of IAM, where you’ll uncover why it’s the bedrock of modern IT and security, ensuring the safeguarding of digital assets and seamless user access. But that’s just the beginning. We’ll unravel Okta’s intriguing origin story, tracing its evolution into a powerhouse of IAM solutions. What truly sets this chapter apart is the compelling exploration of Okta’s array of base and advanced products. Discover how these tools can revolutionize your organization’s identity management, authentication, and access control.
Chapter 2, Working with Universal Directory, delves into the core of Okta’s directory functionality. This chapter is your gateway to connecting your infrastructure seamlessly through directory integrations, efficiently managing user identities, and ensuring secure access. You’ll master the art of importing and creating users, optimize productivity with groups, bolster security by managing devices, and even extend user profiles to tailor them to your unique needs. Get ready to unlock the secrets of Okta’s Universal Directory and elevate your identity management game.
Chapter 3, Using Single Sign-On for a Great End User Experience, is your gateway to unleashing the full potential of Okta’s Single Sign-On (SSO) functionality. Get ready to discover how to use SSO seamlessly with Okta, utilize the convenience of FastPass for easy sign-on, and navigate the Okta dashboard with finesse. We’ll also delve into the agentless Desktop SSO setup, explore the Okta Integration Network, harness the power of Secure Web Authentication and Security Assertion Markup Language (SAML)/OpenID Connect applications, and master the art of managing inbound SSO and identity provider (IdP) discovery. Your journey to a superior end user experience begins here!
Chapter 4, Increasing Security with Adaptive Multifactor Authentication, prepares you to uncover the depths of Okta’s Multifactor Authentication (MFA) capabilities. In this chapter, we’ll explore diverse factor types, authenticators, and enrollment methods. Discover the power of contextual access management and the art of enrolling end users seamlessly in MFA. Dive into the world of heightened security and user authentication as we delve deep into the heart of Okta’s MFA functionality. Your journey to fortified security begins here – get ready to unlock the secrets of adaptive MFA!
Chapter 5, Automating Using Lifecycle Management, dives deep into the world of user provisioning automation, enabling you to streamline and enhance your identity management processes. Discover how to effortlessly automate user provisioning, create rich user profiles, and establish group rules for efficient management. We’ll also explore the setup of self-service options, putting control in the hands of your users. Join us on this journey to harness the power of automation and make identity management a breeze.
Chapter 6, Customizing Your Okta GUI, delves into the realm of personalized user experiences. This chapter explores the fundamental aspects of end-user functionality and customization. Gain insights into configuring the user dashboard and fine-tuning Okta plugin settings. We’ll also navigate the intricacies of custom domain setup and the creation of bespoke pages, enabling you to mold Okta to suit your unique requirements. This chapter offers a gateway to a world of tailored solutions and heightened user engagement through Okta’s customizable features. Let’s dive in and uncover the limitless possibilities of customization.
Chapter 7, Okta Workflows, steps into the world of Okta Workflows within Okta administration, where innovation meets efficiency. This chapter uncovers the power of Okta Workflows – a transformative tool designed to simplify complex processes. Explore its versatility in integrating applications and functions seamlessly. Learn how to safeguard your workflows with export backups, and delve into the realm of delegated admin workflows. In this chapter, we’ll unveil the capabilities of Okta Workflows, opening doors to enhanced automation and process optimization. Get ready to unlock the potential of this dynamic feature, revolutionizing the way you manage identity and access.
Chapter 8, API Access Management, demystifies API terminology and explores the ins and outs of managing Okta with APIs. Get ready to dive into the fundamentals of API access management, empowering you to safeguard your digital assets. Plus, we’ll delve into the nitty-gritty of API administration, ensuring you have the tools and knowledge to master this vital aspect of identity and access management. Let’s unravel the secrets of effective API access control together!
Chapter 9, Managing Access with Advanced Server Access, provides you with a comprehensive understanding of Advanced Server Access (ASA). We’ll explore the setup of ASA, empowering you to configure it effectively. Dive into the world of managing your ASA environment, and discover how automation can elevate your access management game. This chapter is your key to mastering advanced access control with Okta, opening doors to heightened security and streamlined operations.
To maximize the benefits of this book on Okta administration, it’s advantageous to have a foundational understanding of identity and access management (IAM) principles, as well as basic familiarity with Okta’s core features and functionality. We assume readers are eager to deepen their expertise in IAM and Okta, aiming to leverage its advanced capabilities effectively. To get the most out of this resource, actively engage with the chapters, practice hands-on exercises, and explore the practical use cases provided.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Input your host and port in host:port format.”
A block of code is set as follows:
{
  "kty": "RSA",
  "alg": "RSA",
  "kid": "e86a0cf3-0df6-4c5e-aeeb-7fab2b1dfe15",
  "use": null,
  "e": "AQAB",
  "n": "w21EOpj1Mnm6jqLaM2FtfjR9cZU0u3agvATs1EDuucEUW0-I52U3sN8n4MYGZC0DRiwtOhtVEt_u7aXqKo2roUR3N11uced5sCQW9AaUT35lvKVVUKgvccS_VO7k9Zkn8qGYVBv72vTnH1QWnsSAP3sHykNpK1hyziYBe2DbldO4ZmJE7nPIStWz160C-dccPbei4azYWyVOgHcYSZtg-by0L4QLezkOShloSnZ_ZzDrjSkAI3FZefr-GFBYufNSSzclJRrMxe7zy-D0cpTdOHQ-7NBo0Ar2cbBYIbQsH18EjKGR28NjT2OkC829w3JVJlMbGr1LLHMS9ZFtDLMVQQ"
}
Any command-line input or output is written as follows:
# Run this command in your project root folder.
npm install @okta/okta-signin-widget --save
Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “An organization in this stage typically has an Active Directory (AD) or some other on-premises structures as a user directory.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Vector Search for Practitioners with Elastic, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781837637454
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly
In the first six chapters of Okta Administration, we embark on a comprehensive journey through the realm of identity and access management (IAM), using Okta’s powerful tools. Starting with IAM and Okta, we explore the core principles of IAM and Okta’s origins. We then dive into the Working with Universal Directory, Using Single Sign-On for a Great End User Experience, Increasing Security with Adaptive Multifactor Authentication, Automating Using Lifecycle Management, and Customizing Your Okta GUI chapters. These chapters cover key aspects of identity management, security, automation, and customization, laying the foundation for a robust Okta administration skillset.
This part has the following chapters:
Chapter 1, IAM and Okta
Chapter 2, Working with Universal Directory
Chapter 3, Using Single Sign-On for a Great End User Experience
Chapter 4, Increasing Security with Adaptive Multifactor Authentication
Chapter 5, Automating Using Lifecycle Management
Chapter 6, Customizing Your Okta GUI
Okta is a premium, platform-agnostic set of services that helps organizations with efficient and modern identity and access management (IAM). One of Okta’s biggest strengths is its ability to work with a variety of platforms and integrate its features and services into these platforms’ own solutions to provide seamless IAM. This strength has made Okta the leader in the IAM field, as it’s valuable in helping us manage our organization’s systems to ensure easy and efficient user account management.
In this chapter, we’ll learn about Okta and its features. This information will serve as the foundation with which to approach this book and pick up the skills we require to integrate Okta with our systems and learn how to use it in the best way possible. In this chapter, we’ll explore the following topics:
The origins of Okta
Exploring Okta
Okta’s basic features
Okta’s advanced features
Okta and NIST
Okta was founded by Todd McKinnon (CEO) and Frederic Kerrest (COO), two former Salesforce employees. They saw that the cloud wasn’t just a product for the big leagues and predicted it would be necessary for anyone who wanted to grow their business. They started the business in the middle of the 2008 recession, with Andreessen Horowitz investing as one of the first capital injections for Okta in 2010. In 2017, Okta went public with its IPO and valuation of $1.2 billion.
The name Okta is derived from the unit of measurement for clouds covering the sky at any given moment. On the scale, 0 okta is a clear blue sky and 8 oktas means complete overcast. The wordplay in Okta (in Greek, octa is 8) and the fact that Okta wanted to cover all cloud access by becoming the identity standard, thus creating a complete overcast (8 oktas), is well thought out. As of 2022, Okta has grown its clouds by specifically creating two offerings: the Workforce Identity Cloud (WIC) and the Customer Identity Cloud (CIC). This book will only cover WIC.
Since Okta arrived in the IAM space, it has steadily grown to become the leading vendor, placed in the leading segments by market research firms (Gartner, Forrester, etc.) and bypassing giants such as Oracle, IBM, and Microsoft. Their take on being completely vendor-neutral has allowed them to gain customers, big and small, across all verticals. This particular focus makes sure that Okta can serve all applications, without being tied to or biased toward any relationship or partnership. It gives the customer complete freedom in choice, setup, and tools.
In recent years, Okta has been socially active, taking the 1% pledge; committing to giving back time, product, and equity to the community and supporting non-profit efforts in different ways. As Okta understands what it is like to start up and grow, during its annual conference in 2019, it announced an investment fund of 50 million dollars under the name Okta Ventures to help other start-ups in the identity and security sector ramp up and grow. Currently, over two dozen start-ups have benefitted from this venture seeding.
IAM is usually utilized to do the following:
Manage the roles of users within an organization
Manage the privileges that users have to access company resources while using user context
Configure scenarios to determine whether access is granted or denied
Beyond these actions, IAM can do much more, such as the following:
Orchestrate the user’s lifecycle during their time within the company
Constantly determine whether access is allowed according to company policies and rules to gain access to needed resources, content, and data using the best available security features
The time of perimeters is behind us. Organizations can no longer just trust their networks and secure access mainly through their infrastructure. Nowadays, access is needed by every device and every application, at any given moment, with any reason or intent. This shows that security needs are dynamic and their requirements are continuously evolving.
Outdated directories are being replaced by different tools, and they all have to be maintained, secured, and fortified outside of the comfort of the company’s network. This is bringing a lot of extra consolidation and rethinking of the concept of using the cloud and also how to manage it all for the workforce.
This brings us to the start of a new era where new IAM solutions were born in the cloud and existing solutions started a shift toward the cloud. This didn’t mean every organization all of sudden dropped its network and pushed everything and everyone to the cloud. Vendors had to become hybrid, delivering tools to connect the ground to the cloud with integrations. By consolidating the two, the shift slowly started to pick up pace and organizations began to understand the possibilities of using tools such as Okta as their IAM solution of choice.
A complete user and system management setup isn’t just in one product, nor is it dependent upon a single vendor. A complete view of all sections within and outside of the organization is best done by utilizing different tools.
This combination and their deep integrations make it possible to create a fine-knit layer of security and insights on top of everything, flexible enough to allow exceptions, but strong enough to fight off anything considered harmful to the user, content, data, systems, or organization.
An IAM system can be seen as a collection of different elements and tools to deliver this. It can be considered that the following functionalities are part of, but not limited to, an organization’s toolkit:
A password vault to store and maintain access to applications and systems. This can be advanced by using protocols that allow single sign-on (SSO).
Provisioning integrations to create and manage user identities within directories, applications, databases, and infrastructures.
Security enforcement applications to secure access to applications, as well as securing the data of these systems and others.
Unified reporting systems allow fine-grained insight into the array of tools to create oversight and provide better knowledge of what is happening within and outside of the corporate network.
Okta is capable of delivering all of these functionalities, to some degree, for organizations large and small across any business vertical and within cost-effective boundaries.
By staying true to their form, they are capable of excelling in being an agnostic system. By allowing any application vendor to create integrations with Okta and delivering applications broadly on request from customers, Okta has been able to grow its reach to over 7,000 pre-built and maintained integrations in the public catalog Okta Integration Network (OIN). While creating these integrations, Okta also invested heavily in delivering more and more functionality to ground-to-cloud visibility and launched their Okta Access Gateway product. On top of these out-of-the-box integrations, Okta has added their no/low-code Workflows engine, allowing any identity-driven event to use Okta’s abilities internally and even on applications not in their integrations library.
Looking further than users, the world consists of more and more IoT applications, and the need for machine-to-machine management is becoming a much larger element within organizations’ business models. By offering API access management and Advanced Server Access (ASA), Okta creates more functionality to fill the needs of every aspect of the IAM situation within any organization.
Let’s now take a look at the things that set Okta apart in the IAM space.
As organizations shift away from on-premises applications by making sure the workforce can decide how and when they access the data they need, Okta makes it possible to incorporate forward-thinking concepts, such as zero trust. Zero trust is the framework where no physical or non-physical entities within or outside of the corporate perimeter are trusted at any given moment in time. This allows for insight and control to manage users, identities, infrastructure, and devices accessing business resources and data. Threat detection and remediation are a part of the cycle that makes sure that this concept is enforced.
The zero trust principle of least-privileged access can be incorporated into the organization’s security policies. It allows users and machines to only get enough access for that given moment and that task. This can be hard to manage on a case-by-case scenario (for example, allowing and denying access to individual corporate content and files), but by understanding the concept, it can be used as a rule of thumb to only give out need-to-access privileges. A couple of examples are as follows:
A support agent needs administrator rights in a system but might not need full super admin rights. Role-based access can be applied here.
A machine reading data from a database needs read-only access, not write access. This would reduce the risk of an attacker being able to change or delete data.
Acquiring an IAM tool is not enough by default to make sure your organization lives up to a zero trust approach, but it is a starting point for many organizations. When it comes to IAM and zero trust, Okta divides the journey into four stages of maturity.
An organization in this stage typically has an Active Directory (AD) or some other on-premises structures as a user directory. Cloud applications might be used, but there is no integration into the directory. Passwords are not consolidated, but rather separate logins are everywhere. Security is done on a case-by-case basis, or rather, app by app. In stage zero, most services and devices will reside within the corporate infrastructure, as seen in Figure 1.1:
Figure 1.1 – All applications and access are managed with networks and directories
Once users break free from or break through the corporate firewall, the need for more control over who can access what and when, where, and how allows the organization to move to the next stage.
Usually, more traditional organizations fall into this category. Their history is based more upon older infrastructure, and the move toward the cloud is slowly happening. Companies with on-premises servers, fierce reliance on firewalls, and VPN access are often found in this stage.
Once you open the gates, there is no coming back to a perimeter-based security practice. It’s important to make sure certain access is managed for employees, partners, and contractors. Delivering unified SSO relieves the user of the responsibility to create, maintain, and manage strong passwords per application, portal, and infrastructure. By adding multifactor authentication (MFA), the organization is capable of creating more policies that incorporate different activities to confirm the user’s identity while accessing corporate content.
Examples of this are as follows:
Using an application such as Google Authenticator or Okta’s own application, Okta Verify, to receive a one-time code
Using SMS to receive a one-time code
Biometrics such as a fingerprint reader or a YubiKey
In stage one, you will see a shift. Users will access corporate data outside of the network. Slowly, SaaS will make its way into the organization. Even so, old structures will still stay in place to maintain legacy and non-cloud access as follows:
Figure 1.2 – An outline of what stage one might look like
You will find organizations of every trade in this stage. Moving to the cloud is part of their strategy. They will most likely start to embrace Software-as-a-Service (SaaS) options over their own capabilities. This is where perimeters start to fade and the call for more flexible security and management is needed.
Context-based access plays a large part when you want to expand your zero trust initiative. Understanding your users, their devices, location, systems, and even time and date can be of importance to accelerate your dynamic zero trust parameters. By incorporating all these components, you now allow your security team to widen their view of a user’s posture and activities and set fine-grained policies and rules that are applicable to that user.
Having such deep control and the capability to interact on such a low level with users fits perfectly with the concept of zero trust. Of course, automation is the magic sauce. Using all these different elements in your security risk assessment is the first step, setting policies on top of that is step two, but automating it all and having the systems grow stronger is what adds even more value. This is step three.
Within this stage, usually, you will observe that corporate APIs and systems have, or leverage, APIs that need to be protected as well. Allowing API management ensures that even your systems are only allowed access based on the least-privilege framework.
Figure 1.3 – An outline of what stage two might look like
Organizations might have a complete roadmap for themselves set out with regard to their zero trust initiative. Cloud-driven, cloud-native, and cloud-born organizations will quickly adopt it, and there are many of them in this stage. Traditional organizations that have made it to this stage have come a long way; they truly were able to reinvent themselves.
When system automation increases, risk-based analysis can be added. This is when we are capable of creating a fully flexible and adaptive workforce. The incorporation of more security systems becomes a large addition to the whole security practice. Usually, external values from third-party applications such as mobile device management (MDM), cloud access security broker (CASB), security information and event management (SIEM), and other connected systems will deliver even more user and machine context that can be used within policies.
Unknown vectors are detected, and policies start to act upon these discoveries. Adding alternative access controls when needed increases security, and at the same time users’ access can be controlled more precisely through seamless access methods. Passwordless and dynamic authentication policies become common: users are prompted to prove who they are based on the risk they present to the systems controlling access:
Figure 1.4 – An outline of what stage three might look like
Organizations that fall into this category will be front-runners in this initiative. They not only understand it, but they have also implemented it and made it their mantra. High-tech organizations with global workforces and dynamic management will fit this picture perfectly.
So, how would you start your own organization’s journey towards zero trust?
- Start by researching the concept
- Assess your own organization
- See what solutions you can keep and what needs to change, and mitigate the gaps in your solutions
- Get your users on board

Now that we’ve learned about the steps to take with your organization to move toward a zero trust approach, let’s look at the basic features in Okta that we can use to start our journey.
Okta has a lot of different products, and organizations can pick and choose as they see fit. The most commonly used are the following:
- Universal Directory (UD)
- SSO
- Adaptive Multifactor Authentication (AMFA)
- Lifecycle Management (LCM)

It’s not always obvious in the administrator portal where one product starts and another one ends. This will be clarified in this book. The products will all be explained with practical examples in the coming chapters, but here is an initial overview.
UD can be considered the foundation of any Okta setup. UD is the directory of your users, groups, and devices. Users can be sourced from Okta itself, other directories, an HR system, or any other source that contains user data. For organizations with multiple directories, such as AD, LDAP, G Suite, and an HR system, Okta can offer a complete 360-degree view of the users and their attributes, consolidated into one system. Users can be sorted into groups created in Okta or imported from a directory or an application. With Okta’s attribute sourcing feature, each attribute of a user can be sourced from a different system.
SSO lets us connect applications and lets our users access them through Okta. End users only have to log in to Okta once and can thereafter access any application assigned to them. This is done with integrations based on SAML, WS-Federation, or OpenID Connect, or with simple Secure Web Authentication (SWA), where Okta stores credentials and passes them along to the application in a secure way. In the Okta Integration Network (OIN), more than 7,000 integrations are available, and more are added every day. If the required application isn’t available in the OIN, customers can create their own integrations. This will be described in depth in Chapter 3, Using Single Sign-On for a Great End User Experience.
Included in Okta’s SSO product are basic MFA features. You can easily set up policies to let your users utilize different kinds of authenticators after entering their password. Using the basic IP settings, you can set up network zones that protect your users and block bad actors from the outside.
Many third-party MFA solutions can be integrated with Okta, allowing you to leverage solutions you have already deployed in your Okta MFA policies.
If the basic features of MFA aren’t enough for you, Okta’s Adaptive MFA (AMFA) product brings even more advanced options. With AMFA, you can set and use the context in your MFA policies. The context can be location awareness, device fingerprinting and posture, or impossible velocity. Okta’s device trust options allow you to integrate with your third-party MDM systems to generate even more context around your users and devices.
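As an added example (not code from the book or from Okta), the following Python sketch shows what two of the context signals named above, network zone and impossible velocity, look like when turned into a policy decision: each sign-in is compared with the user’s previous one and denied if the implied travel speed is physically implausible, allowed from the corporate zone, and otherwise stepped up to MFA. The events, zone name, and speed threshold are constructed sample values.

```python
import math
from datetime import datetime, timezone

# Constructed sign-in events (not real Okta System Log records): timestamp,
# geolocation of the client IP, and the network zone it resolved to (if any).
EVENTS = [
    {"user": "alice", "time": "2023-05-01T08:00:00Z", "lat": 52.37, "lon": 4.90, "zone": "corp-hq"},
    {"user": "alice", "time": "2023-05-01T09:30:00Z", "lat": 40.71, "lon": -74.01, "zone": None},
    {"user": "bob", "time": "2023-05-01T08:00:00Z", "lat": 52.37, "lon": 4.90, "zone": "corp-hq"},
    {"user": "bob", "time": "2023-05-01T20:00:00Z", "lat": 48.86, "lon": 2.35, "zone": None},
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than airline travel is "impossible"
TRUSTED_ZONE = "corp-hq"    # assumed name of the corporate network zone


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(prev, curr, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when getting from prev to curr would require more than max_kmh."""
    hours = (parse_time(curr["time"]) - parse_time(prev["time"])).total_seconds() / 3600
    km = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    # Non-positive elapsed time with any distance at all is impossible travel.
    return km > max_kmh * max(hours, 0.0)


def decide(event, prev=None):
    """Context-based decision for one sign-in: 'allow', 'mfa' or 'deny'."""
    if prev is not None and impossible_travel(prev, event):
        return "deny"
    if event["zone"] == TRUSTED_ZONE:
        return "allow"
    return "mfa"


def evaluate(events):
    """Walk the events in order, keeping each user's last sign-in as context."""
    last, decisions = {}, []
    for e in events:
        decisions.append((e["user"], decide(e, last.get(e["user"]))))
        last[e["user"]] = e
    return decisions
```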
So far, the Okta products we’ve looked at have focused a lot on end user experience and security. LCM is all about automation, easing the friction between HR and IT. With LCM, organizations are better set up for audits. For instance, with your Okta instance set up—with groups, rules, integrations, and system logs—and access given, it’s easy to show when a user had access to what. With the group rules feature, automation takes over granting access, removing the risk of manual errors. This streamlines work for the HR and IT departments, since a user only needs to be created once in the organization’s systems. The creation, management, and deletion of users and accounts has never been this easy. Automatic account creation also minimizes mistakes caused by human error. A predetermined setup allows the organization to invest time upfront to create and set up the provisioning; after that, it runs automatically based on the user’s identity and profile.
With Okta’s LCM functionality, you can also automate access control in certain applications. This allows you, with minimal interaction, to manage users with the correct role, license, entitlement, and group access.
If your organization needs to go deeper than general IAM, you might need to look at Okta’s more advanced features. Let’s look at them now.
Okta ASA lets us extend our zero trust practices toward server accounts. Okta can manage access for both user and service accounts to Linux or Windows servers across different cloud vendors, such as GCP, AWS, and Azure, as well as on-premises servers. In Okta, your admins get a great overview of who has access to what and can see individual logins in log reports. ASA works with a lightweight agent that is installed in your infrastructure landscape.
With Workflows, you can automate many business processes using a simple if this, then that methodology with no-code configurations. Okta provides a library of connections to many popular cloud applications, and Workflows can also integrate with custom APIs. Some examples of where Workflows can be used include the following:
- On- and off-boarding enhancements
- Resolving conflicts when new users are created
- Sharing reports on a monthly basis

Okta Access Gateway (OAG) makes it possible to implement modern cloud-based access management for on-premises legacy applications. With this product, you can gather all your identity needs in one place, making them easier to manage. It’s easy to integrate, with templates and native on-premises integrations. By replacing your current web access management (WAM) system, you can bring your applications to your users in a modern and non-restrictive way. Additionally, you can secure those apps even further with extra MFA functionality.
Leveraging Okta’s API Access Gateway allows the developers of your tools, systems, and platforms to have security managed by Okta while they focus on their primary tasks. The processes of adding security and of granting scopes that control access to your own systems are managed by Okta. Responsibility shifts from the developer to the security and operations team. Focusing on management with out-of-the-box integrations and authorization servers is core to Okta’s API Access Management.
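The scope-based access just described only holds if the system receiving the token enforces it. As an added example (not code from the book or Okta), here is the claim-checking step a resource server performs after verifying the signature of an access token minted by an Okta authorization server: issuer, audience, validity window, and the `scp` claim against a per-route scope table. The issuer URL, audience, client ID, routes and scope names are placeholders, and signature verification is assumed to have happened already.

```python
import time

# Placeholder values for illustration; a real org's issuer takes the form
# https://<org>.okta.com/oauth2/<authorization-server-id>.
ISSUER = "https://example-org.okta.com/oauth2/default"
AUDIENCE = "api://default"

# Least privilege: each route lists the scopes a caller must hold (default deny).
ROUTE_SCOPES = {
    ("GET", "/reports"): {"reports:read"},
    ("POST", "/reports"): {"reports:read", "reports:write"},
}


def validate_claims(claims, required_scopes, now=None, skew=60):
    """Check issuer, audience, validity window and granted scopes ('scp').

    Assumes the token signature was already verified against the
    authorization server's published keys; only the claims are judged here."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        return False, "wrong audience"
    if claims.get("exp", 0) + skew < now:
        return False, "expired"
    if claims.get("nbf", 0) - skew > now:
        return False, "not yet valid"
    missing = set(required_scopes) - set(claims.get("scp", []))
    if missing:
        return False, "missing scope: " + ",".join(sorted(missing))
    return True, "ok"


def authorize(claims, method, path, now=None):
    """Resource-server decision for one request: (allowed, reason)."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "unknown route"
    return validate_claims(claims, required, now=now)


# Constructed claims, as decoded from an already signature-verified token.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE, "cid": "placeholder-client-id",
    "exp": 1700000600, "nbf": 1700000000, "scp": ["reports:read"],
}
```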
To be continuously compliant with today’s regulations and tomorrow’s rules and recommendations, Okta will help organizations follow new frameworks and guidelines that are accepted as the (new) norm.
While you might be working on your zero trust initiative, many organizations will also refer to the cybersecurity framework from the National Institute of Standards and Technology (NIST). As with all guidelines and frameworks, there is no miracle product to implement for compliance. Okta doesn’t cover all aspects that are included in the framework but can indeed help organizations manage the elements relating to IAM and access control.
The five core functions of the NIST framework are as follows:
- Identify
- Protect
- Detect
- Respond
- Recover

What the framework is basically saying is that organizations need full visibility and control to be secure. As we have seen from the introduction to Okta’s features, by implementing the core features, you get a full 360-degree view of all users, their roles, and their accesses. By implementing AMFA, you can fulfill the requirement of context-based MFA with factors that suit each type of user in each situation.
To find a complete list of the NIST controls that Okta can help with, visit https://www.okta.com/sites/default/files/pdf/Meeting-the-Latest-NIST-Guidelines-Okta-Final.pdf.
In this chapter, we learned basic details about IAM and how Okta works as a great solution to any IAM needs. We’ve learned about the scenarios in which Okta emerges as an IAM solution. Finally, we learned about the features of Okta and how they work with various platforms to give us dynamic control over user accounts within our organizations. All of this information forms the basis of our understanding for the rest of the book, where we will take a deeper look at Okta and how to make use of all its features.
In the next chapter, we will learn how to work with UD by setting it up and configuring it. We will learn how to add or import users and explore the most important features and policies to help us use UD efficiently.
Universal Directory (UD) is the base of Okta, the foundation on which other pieces are built. Your users and applications will be an integral part of UD. Groups will be vital for keeping organized and making your Okta org as low maintenance as possible. In this chapter, you’ll learn everything you need to know to integrate other directories and configurations for users, understand device registrations, and set up groups.
Let’s jump right in and look at what companies might have been using before, and how that can work with Okta.
We will explore the following topics:
- Connecting your infrastructure with directory integrations
- Importing and creating users
- Using groups to be productive
- Managing devices for more security context
- User profiles and how to extend them

If your
