Okta Identity Engine
A set of customizable building blocks for any identity experience
The Challenge
To create tailored, unique identity experiences, organizations have traditionally been faced with a choice:
Build a custom solution from scratch, which takes time and may introduce security risks.
Use a pre-defined solution, but compromise on the experience.
Organizations need the best of both approaches - a secure, out-of-the-box solution that can be customized to build trusted, tailored user journeys.
The Solution
The Okta Identity Engine is a set of customizable building blocks for every identity experience, breaking apart pre-defined authentication, authorization and registration flows.
Customers can create dynamic, context-based user journeys, unlocking the ability to address an unlimited number of identity use cases with minimal custom code.
Use context about the user, device, app, network, and intent to inform the identity journey of any user, adapting that identity experience accordingly.
[Diagram: the five context inputs to the identity journey: user context, device context, app context, network context, and intent]
The Okta Identity Engine is made up of a sequence of individual Steps that can handle the entire user journey from registration to authentication to authorization.
You can customize the behavior of each Step with Components. Components let you evaluate policies, trigger Hooks, publish events, prompt the user for action, or direct the user to an external service. Customizations can vary with the use case and the context applied, so you can configure Okta to skip Steps in the engine, and you can choose different Steps to run or skip for any app or at any point in the experience, creating a variety of identity sequences.
Based on the customizations applied, Okta can take further actions within each Step to progress the user through their journey:
- Email magic link authentication
- Step up authentication
- Gather more information
- Identity verification or validation
- Custom branding
- Route to an external system
The ability to execute Hooks and publish events gives you the power to support a wide range of use cases while still leveraging the security guardrails of the Okta Identity Engine. Hooks add extensibility to the Okta Identity Engine, allowing you to add custom code that modifies in-flight processes and notifies external services. There are two types of Hooks:
Inline Hooks
Allow you to add custom logic to a Component
Event Hooks
Allow you to kick off downstream integrations based on events published in the Okta System Log
Use cases immediately enabled by the Okta Identity Engine include:
Passwordless users
Allows organizations to eliminate the password. Rather than enrolling a password in an authentication sequence, organizations can use an email magic link to authenticate a user. Organizations can use a passwordless flow for some applications but, for others, require a stronger or additional factor, such as push or WebAuthn.
Passwordless authentication using an email-based magic link
Progressive profiling
To optimize the user experience, enterprises can configure registration for less friction: keep the initial enrollment to a minimal set of fields, and configure a later enrollment step to require additional information. For example, an ecommerce site may ask only for an email address when a user first engages, then ask for a home address and phone number before a purchase.
Incrementally build customer profiles over the customer’s lifetime by adding progressive profiling for required and optional attributes.
Limit initial registration forms to the bare minimum and delay asking users for additional information until necessary to reduce abandonment rates.
Ask for additional attributes later in the customer journey.
Per-App Branding
Administrators can configure each sequence with separate branding to provide different experiences depending on how a user begins to use its services. For instance, a single hotel loyalty program serving multiple brands or a parent company with different subsidiaries can customize the look and feel of logins depending on a user’s hotel choice or employer.
Customize branding based on app context
Crafting trusted, tailored user journeys
Putting it all together, organizations can build unique identity experiences that are deeply integrated with the rest of their technology stack. For example, a consumer-facing experience looking to minimize friction and abandonment during the registration process could create an experience that asks the consumer to register just their name and email. Once registered, an Event Hook can automatically push that user into an email campaign in their email marketing software, such as Marketo.
If the consumer then indicates greater engagement or now wants to access a more sensitive area of the customer experience, that new context of an existing user accessing a higher-risk app can be used in the Okta Identity Engine to tailor the next part of the user journey. For example, you may now want to validate the consumer’s email address and authenticate them with an email magic link. Further, you may choose to ask for additional information from the consumer, with progressive profiling, before authorizing them to proceed.
Unlimited possibilities
But that’s just the beginning. With Okta Hooks and Okta Identity Engine, Okta can be securely customized to be the foundation for any digital experience imaginable. A selection of the use cases unlocked include:
- Allow access to an app with no authentication
- Register an email address only
- Register a phone number only
- Require only email and name on initial registration
- Require mailing address prior to making a purchase
- Authenticate a user with an email magic link
- Never require enrollment of a password as a factor
- Require enrollment in SMS as a factor prior to making a large checking account withdrawal
- Detect fake or disposable email addresses at registration
- Prevent fake account creation
- Check an authentication for fraud against business context
- Different sign-in branding based on ecommerce sub-brand site
- Different email branding based on ecommerce sub-brand site
- Different sign-in branding based on subsidiary
- Different email branding based on subsidiary
- Add a user to a marketing drip campaign in Marketo after initial registration
- Add a user to a marketing drip campaign in Marketo after accessing the shopping cart
- Trigger an alert to PagerDuty on suspicious activity
- Automatically identify a user based on browser and serve a personalized experience
- Ask for user consent to store personal data on registration
- Use a custom policy to determine if a user can be activated
- Write custom import matching logic when importing users from HR
- Write custom import matching logic when importing users from CRM
- Detect username collisions when importing from any source and fix with custom logic
- Send welcome email for new hires, outside of the Okta new account email
- Offer the user a promotion for entering additional optional personal information, such as favorite food
- Support product export regulations by validating user sign-up prior to purchase
- Automated email when data on a user's profile changes (phone, address, etc.)
- Use strong factor for password reset flow
- Export or write data to Google Sheets
- Use Google Sheets as the system of record
- Never store user PII in Okta for MFA (e.g., data residency requirements)
- Notify admin on high API rates
- Lock the Okta account when a PIV/CAC certificate appears on a CRL
- Trigger step-up MFA in API Access Management for high-security tasks or scopes
- Prompt users to increase their security posture by enrolling in MFA
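Two of the Hooks described above, as an added example written for this page rather than code shipped by Okta: a minimal Python receiver that answers the one-time verification request Okta sends when an Event Hook is created, serves a Registration Inline Hook that denies sign-ups from disposable mail domains (the "prevent fake account creation" item), and filters Event Hook deliveries down to the System Log events worth paging on (the PagerDuty item). The endpoint paths, header name, shared secret, disposable-domain list, alert event types and sample payload fields are assumptions; the command and error shapes follow Okta's hook contract as I recall it, so check them against the current hook reference before relying on them. The PagerDuty call is replaced by a print.

```python
"""Minimal receiver for an Okta Registration Inline Hook and an Event Hook.

Added example for this page; not Okta's code. Endpoint paths, the shared
secret, the disposable-domain list and the alert event types are assumptions.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: both hooks are configured in Okta with this authentication
# header and secret, which Okta then sends on every call, including the
# one-time Event Hook verification request.
HOOK_AUTH_HEADER = "Authorization"
HOOK_AUTH_SECRET = "replace-with-a-long-random-secret"

# Assumption: domains treated as disposable-mailbox providers (constructed list).
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}

# Assumption: System Log event types that should page someone (constructed list).
ALERT_EVENT_TYPES = {"user.account.lock", "user.mfa.factor.deactivate"}


def authorized(headers, secret=HOOK_AUTH_SECRET):
    """Constant-time check of the shared secret; reject before parsing any body."""
    presented = headers.get(HOOK_AUTH_HEADER) or ""
    return hmac.compare_digest(presented.encode(), secret.encode())


def verification_response(headers):
    """Answer Okta's Event Hook verification: echo the challenge header as JSON."""
    challenge = headers.get("x-okta-verification-challenge")
    return None if challenge is None else {"verification": challenge}


def registration_decision(payload):
    """Registration Inline Hook: deny disposable or missing emails, else normalise."""
    profile = payload.get("data", {}).get("userProfile", {})
    email = (profile.get("email") or "").strip().lower()
    domain = email.rsplit("@", 1)[1] if "@" in email else ""
    if not domain or domain in DISPOSABLE_DOMAINS:
        return {
            "commands": [{"type": "com.okta.action.update",
                          "value": {"registration": "DENY"}}],
            "error": {
                "errorSummary": "Registration denied",
                "errorCauses": [{
                    "errorSummary": "Use a non-disposable email address",
                    "reason": "INVALID_EMAIL",
                    "locationType": "body",
                    "location": "data.userProfile.email",
                    "domain": "end-user",
                }],
            },
        }
    # Write the canonical form back so the stored profile is consistent.
    return {"commands": [{"type": "com.okta.user.profile.update",
                          "value": {"email": email}}]}


def alerts_from_events(payload):
    """Event Hook: keep only the events worth paging on, as small alert records."""
    alerts = []
    for event in payload.get("data", {}).get("events", []):
        if event.get("eventType") not in ALERT_EVENT_TYPES:
            continue
        actor = event.get("actor") or {}
        client = event.get("client") or {}
        alerts.append({
            "summary": f"{event['eventType']} for {actor.get('alternateId', 'unknown')}",
            "source_ip": client.get("ipAddress"),
            "uuid": event.get("uuid"),  # dedupe key: Okta may redeliver events
        })
    return alerts


class HookHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body=None):
        raw = b"" if body is None else json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def do_GET(self):  # Event Hook verification request
        if not authorized(self.headers):
            return self._reply(401)
        body = verification_response(self.headers)
        return self._reply(200, body) if body else self._reply(404)

    def do_POST(self):
        if not authorized(self.headers):
            return self._reply(401)
        length = int(self.headers.get("Content-Length") or 0)
        payload = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/hooks/registration":
            return self._reply(200, registration_decision(payload))
        if self.path == "/hooks/events":
            for alert in alerts_from_events(payload):
                print("PAGE:", alert)  # stand-in for the PagerDuty Events API call
            return self._reply(200, {})
        return self._reply(404)


if __name__ == "__main__":
    # Assumption: a TLS-terminating proxy sits in front; Okta only calls HTTPS endpoints.
    HTTPServer(("127.0.0.1", 8080), HookHandler).serve_forever()
```

Two design points worth keeping whatever framework you use: the shared secret is checked in constant time and before any body is parsed, so an unauthenticated caller cannot drive the deny logic or the alerting; and the Event Hook handler acknowledges quickly and keeps the event `uuid`, because Okta delivers asynchronously and may redeliver, so the paging side should deduplicate on it.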
Interested in seeing sample applications and custom logic for these use cases and more? Check out the Okta Community Toolkit.
Albertsons interacts with over 34 million customers a week, providing the products they want, at a fair price, with great customer service. As one of the largest grocers in the country, we recognize how important it is to adapt and grow, meeting our customers wherever they are. The Okta Identity Engine provides us with a flexible solution to digital identity.
Ramiya Iyer, Global Vice President of IT, Digital and Marketing of Albertsons.