For as long as we can remember, government IT and security teams have had to choose between agile, modern cloud automation and rigid, legacy cryptographic security frameworks. Now, you don't have to.
While US Government agencies have made massive strides in securing human authentication using tools like smart cards and Okta FastPass, securing machine-to-machine (M2M) communication behind the scenes remains a paramount challenge. As agencies build automated pipelines to manage user lifecycles, provision resources, and orchestrate security operations, those automated workflows must interface with external infrastructure.
Historically, protecting these outbound API connections meant dealing with the headaches of shared secrets, API keys, or basic authentication—methods that introduce severe exposure risks if a single token is leaked. Staying ahead of modern attackers requires extending a dynamic, Zero Trust security model past the login box and directly into automated operations.
That is why we are excited to announce that Okta Workflows now supports outbound mutual TLS (mTLS). Exclusively tailored for organizations operating within our compliance cells, this capability provides public sector teams with a highly secure, certificate-based authentication mechanism designed for the rigorous demands of highly regulated environments.
Why mTLS for Okta Workflows?
By securing the outbound integration layer via cryptographic handshakes—where both sides of a network connection verify their digital identities—mTLS mitigates the vulnerabilities tied to shared tokens.
With Okta Workflows outbound mTLS, federal agencies and their partners can:
- Eliminate secret fatigue: Move away from static API tokens, long-lived keys, and basic authentication, replacing them with rotation-friendly, cryptographically backed identity verification.
- Bridge modern automation with legacy infrastructure: Securely trigger automated workflows that connect seamlessly to older, highly isolated external systems that may not support modern protocols like OAuth but rigidly require certificate-based mutual authentication.
- Enforce non-human Zero Trust: Extend Zero Trust Architecture (ZTA) principles to automated workflows, verifying the workflow engine's explicit cryptographic identity before executing external actions.
How it works: The Workflows trust store
At the core of this capability is the Workflows API Connector and trust store, a secure management layer built natively into your Okta Workflows environment within a compliance cell. The API connector and trust store act as your centralized library for the API connections and certificates required to initiate secure outbound connections.
The setup for an outbound mTLS pipeline is designed so that trust is scoped tightly to specific connections:
- Upload a Certificate Authority (CA) certificate: Administrators upload the necessary CA certificate(s) directly to the Workflows trust store, allowing Okta Workflows to definitively verify the identity of the external target service.
- Configure the API Connector: When building or updating an automation flow, admins simply navigate to the API Connector, select mTLS as the authentication type, and tie it to the uploaded certificate.
Once deployed, every outbound action executed by the workflow triggers a mutual cryptographic handshake, validating both sides of the bridge before a single byte of agency data is exchanged.
Customer responsibilities and Federal mandates
Implementing a defense-in-depth security model is a shared journey. While Okta provides a secure environment for building these automations within our federal boundaries, customers retain several responsibilities to ensure compliance with federal mandates like OMB M-22-09 and NIST SP 800-53 Rev. 5:
- Endpoint configuration: Customers must ensure their receiving external infrastructure is explicitly configured to require and properly validate mTLS certificates and their issuers.
- FIPS cryptography: In alignment with federal mandates, agencies must verify that the cryptographic modules and Certificate Authorities they generate and use meet FIPS 140 standards.
- Certificate lifecycle management: Agencies are responsible for managing, auditing, and rotating certificates maintained in the Workflows trust store in accordance with their internal mission and security requirements.
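The endpoint-configuration responsibility above, and the mutual handshake described under "How it works", as an added Go example that is not Okta's code or the Workflows implementation: a stand-in receiving service is configured to require a client certificate chaining to the trust-store CA, then probed once with a certificate from that CA and once with no certificate. The CA and the hostnames ca.agency.example, target.agency.example and workflows.okta.example are hypothetical and generated in-process.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue mints a P-256 cert for cn signed by parent (nil parent: self-signed, i.e. our CA), returned parsed and as a tls.Certificate.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// CheckEndpoint plays the agency-side receiving service; it reports (accepted with a cert from the trusted CA, accepted with no cert).
func CheckEndpoint() (bool, bool) {
	ca, caTLS := issue("ca.agency.example", true, nil, nil) // hypothetical CA an admin would load into the Workflows trust store
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, srvTLS := issue("target.agency.example", false, ca, caTLS.PrivateKey) // hypothetical receiving service
	_, cliTLS := issue("workflows.okta.example", false, ca, caTLS.PrivateKey) // hypothetical identity the workflow presents
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	// RequireAndVerifyClientCert is the endpoint setting the post asks customers to enforce: a missing client cert, or one not chaining to ClientCAs, fails the handshake.
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, Certificates: []tls.Certificate{srvTLS}}
	srv.StartTLS()
	defer srv.Close()
	call := func(certs []tls.Certificate) bool {
		cfg := &tls.Config{RootCAs: pool, ServerName: "target.agency.example", Certificates: certs}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err == nil && resp.StatusCode == http.StatusOK // err is non-nil when the server rejects the client cert
	}
	return call([]tls.Certificate{cliTLS}), call(nil)
}
```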
Ready to secure your agency's automated pipelines?
Securing non-human identities and automated infrastructure can be complex. Our Okta Workflows mTLS documentation can help your agency get started on configuring automated mTLS pipelines.
Hear firsthand how Okta is continuing the fight against identity attacks across both human and non-human vectors. Reach out to your Okta representative or watch our Gov Identity Summit sessions on demand to learn how Okta is extending Zero Trust across the federal enterprise.