14- How Okta Integrates Applications Flashcards
What are the behind-the-scenes steps that enable SSO for an AD-authenticated internal web application?
- Okta is configured to delegate authentication to AD.
- Customer has on-premises apps authenticating to AD.
- User logs into Okta with AD credentials.
- User accesses App 1 and App 2 with SWA using AD credentials.
- App 1 and App 2 authenticate user against AD.
How does SWA work?
- Okta can leverage its Secure Web Authentication protocol to automatically log users into these internal web applications.
- When an internal web application is configured to delegate authentication to AD (the same source to which Okta delegates authentication), Okta captures the user’s AD password at login and automatically sets that password for that user in any applications that also delegate to AD.
- This allows users to simply click a link to access these applications and be logged in automatically. Note that Okta synchronizes the AD password securely.
- If the password subsequently changes in AD, this event is captured on login to Okta and immediately updated in the secure password store for that application, ensuring that the next login attempt will be successful.
What are the 3 tenets of user management?
- User management is defined as the provisioning of new accounts for new users, deprovisioning of accounts for deactivated users, and keeping user attributes synchronized across multiple directories as necessary.
- Okta’s user management features enable the service to automatically manage user accounts within applications, saving you time and money and ensuring correct access privileges are always up to date.
- User management is bidirectional, so accounts can be created inside the application and imported into Okta, or account information can be added to Okta and then pushed to the corresponding applications.
What are the 3 core areas of User Management?
There are three core areas of user management functionality that Okta provides:
- Bulk user import (from a variety of sources)
- Ability to natively create, read, update, and delete (CRUD) users within Okta
- Password synchronization / password push (across multiple directories)
What standards does Okta use for User Management?
- For user management integrations, Okta supports OAuth 2.0-based authentication.
- If an application supports lesser-known standards such as SCIM or SPML, Okta can leverage those for user management as well.
- Similar to SSO access, Okta does the work of connecting to these APIs for you; there is no “connector” work for you to do yourself.
- To enable user management you simply configure Okta with credentials for your API user and select the features that you would like. Everything else is handled by the Okta service, including continuous automated testing and (if necessary) updates as the capabilities of the application inevitably evolve.
How does Okta handle user management with on-premises applications?
On-premises applications can also be integrated into Okta to enable user management. This can be done in one of two ways:
- Leveraging Active Directory, or
- Using web services to manage user accounts in applications.
How does Okta manage users from an HRMS?
For enterprises that on-board users via an HRMS like Workday, Okta can support user management into on-premises applications by using Active Directory as a meeting point.
You can configure Okta to manage accounts in your Active Directory instance, and Okta will create and update users in AD based on user accounts in Workday. This information can then be used by any on-premises web application that uses Active Directory as its user store.
How does Okta provide user management for on-prem apps that have a web service?
- Alternatively, Okta can support user management for any on-premises web application that has a web services API that can be made available to the Okta service via a publicly addressable connection.
Okta will make calls to that application’s web service to create new user accounts, update attributes, and deactivate users as needed based on the user assignment rules configured in the Okta service. Okta can provide detailed examples of web services APIs as well.
What is Okta's advantage in SSO?
Single-sign on and user management are key requirements of any enterprise adopting cloud and mobile applications alongside their existing web-based on-prem applications.
- SSO, as the name implies, only truly works when all applications are covered, and therefore any credible SSO solution must support a variety of methods to integrate all the web and mobile applications you need to run your company.
- Okta uniquely enables SSO into any web or mobile application using open standards, proprietary APIs, or Secure Web Authentication (SWA), and by SAML-enabling on-prem web applications. Additionally, user management comes pre-integrated for all of the cloud applications that support this functionality, and on-premises apps can be easily incorporated via AD integration or by provisioning and de-provisioning directly to supported APIs.