Okta Identity Engine

A set of customizable building blocks for any access experience

The challenge

To create tailored, unique identity experiences, organizations have traditionally been faced with a choice:


Build a custom solution from scratch, which takes time and may introduce security risks.


Use a pre-defined solution but compromise on the experience.

Organizations need the best of both approaches - a secure, out-of-the-box solution that can be customized to build trusted, tailored user journeys.

The solution

The Okta Identity Engine is a set of customizable building blocks for every access experience, breaking apart pre-defined authentication, authorization and registration flows.

Customers can create dynamic, context-based user journeys, unlocking the ability to address an unlimited number of identity use cases with minimal custom code. Use context about the user, device, app, network, and intent to inform the identity journey of any user, adapting that access experience accordingly. The Okta Identity Engine is made up of a sequence of individual Steps that can handle the entire user journey from registration to authentication to authorization.


You can customize the behavior of each Step with Components. Components give you the ability to evaluate policies, trigger Hooks, publish events, prompt the user for action, or direct the user to an external service. Customizations can vary depending on the use case and the context applied. This means you can configure Okta to skip Steps in the engine, and choose different Steps to run or skip for any app or at any point in the experience, creating a variety of identity sequences.


Based on the customizations applied, Okta can take further actions within each Step to progress the user through their journey:

  • Email magic link authentication
  • Step up authentication
  • Gather more information
  • Identity verification or validation
  • Custom branding
  • Route to an external system

The ability to execute Hooks and publish events gives you the power to support infinite use cases while still leveraging the security guardrails of the Okta Identity Engine. Hooks add extensibility to the Okta Identity Engine, allowing you to add custom code to modify in-flight processes and notify external services. There are two types of Hooks:

Inline Hooks

Allow you to add custom logic to a Component

Event Hooks

Allow you to kick off downstream integrations based on events published in the Okta System Log


Use cases enabled by the Okta Identity Engine include:

Passwordless users

Allows organizations to eliminate the password. Rather than enrolling a password in an authentication sequence, organizations can use an email magic link to authenticate a user. Organizations can use a passwordless flow for some applications, but for others, require a stronger factor, such as email, push or WebAuthn.

Passwordless authentication using an email-based magic link


Flexible account recovery

Offer modern authentication factors for your users to reset their forgotten password. Instead of being limited to less secure recovery methods such as security questions or SMS, your users can now reset their credentials using more secure factors such as Okta Verify Push and WebAuthn. This improves your end user’s access experience, strengthens your security posture, and decreases your IT help desk tickets.

Give your users more options to recover their accounts


Progressive profiling

To optimize the user experience, enterprises can configure registration for less friction. Keep initial enrollment to a minimal set of fields, while configuring a later enrollment step to require that a user input additional information. For example, an ecommerce site may want to ask for an email address when a user first engages, but then ask for a home address and phone number before making a purchase.

Incrementally build customer profiles over the customer’s lifetime by adding progressive profiling for required and optional attributes.

Limit initial registration forms to the bare minimum and delay asking users for additional information until necessary to reduce abandonment rates.


Ask for additional attributes later in the customer journey.


Per-app branding

Administrators can configure each sequence with separate branding to provide different experiences depending on how a user begins to use their services. For instance, a single hotel loyalty program serving multiple brands, or a parent company with different subsidiaries, can customize the look and feel of logins depending on a user’s hotel choice or employer.

Customize branding based on app context


App-level policies

Create dynamic sign-on policies that are tailored for different applications based on the behavior, risk level, and context of the user. For example, you may want to enforce more stringent assurance requirements to gain access to a sensitive app, but relax those requirements if you have high confidence that the access request is legitimate given the user’s past behavior and current context.

Customize security policies

Crafting trusted, tailored user journeys

Putting it all together, organizations can build unique access experiences that are deeply integrated with the rest of their technology stack. For example, a consumer-facing experience looking to minimize friction and abandonment during the registration process could create an experience that asks the consumer to register just their name and email. Once registered, an Event Hook can automatically push that user into an email campaign in their email marketing software, Marketo.
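The Event Hook mechanism described earlier (custom code notified of events published in the Okta System Log) and the "push a new registrant into Marketo" example in this paragraph, shown as an added illustration that is not Okta's own code: a minimal hook receiver that answers the one-time endpoint verification, checks the hook's shared secret before parsing anything, de-duplicates redeliveries, and routes each event to a downstream action. Assumptions, labelled in the code: the verification header name `X-Okta-Verification-Challenge`, the shared secret arriving in the `Authorization` header, and the delivery shape (`data.events`, each with `eventType`, `uuid` and `actor.alternateId`); the sample delivery is constructed, and the Marketo and PagerDuty calls are stand-ins that record what would be sent.

```python
"""Minimal Okta Event Hook receiver (added illustration, not Okta's own code).

Assumptions, labelled: the one-time endpoint verification arrives as a GET with
an X-Okta-Verification-Challenge header and expects {"verification": <value>}
back; deliveries are JSON POSTs whose events sit under data.events, each
carrying eventType, uuid and actor; the shared secret configured on the hook
arrives in the Authorization header. The sample payload below is constructed.
"""
from __future__ import annotations

import hmac
import json

# Shared secret configured on the Event Hook in Okta (placeholder value).
HOOK_SECRET = "replace-with-long-random-secret"

# Downstream side effects are recorded here so the routing is observable;
# a real receiver would call the Marketo / PagerDuty APIs instead.
marketo_queue = []      # logins to add to the registration drip campaign
pagerduty_queue = []    # alerts to raise
seen_event_ids = set()  # Okta may redeliver a hook; de-duplicate on uuid


def _actor_login(event: dict) -> str:
    return event.get("actor", {}).get("alternateId", "unknown")


def on_user_created(event: dict) -> None:
    # "Add a user to a marketing drip campaign in Marketo after registration"
    marketo_queue.append(_actor_login(event))


def on_account_locked(event: dict) -> None:
    # "Trigger an alert to PagerDuty on suspicious activity"
    pagerduty_queue.append(f"{event['eventType']} for {_actor_login(event)}")


# Route by System Log event type; anything else is acknowledged and ignored.
ROUTES = {
    "user.lifecycle.create": on_user_created,
    "user.account.lock": on_account_locked,
}


def handle_request(method: str, headers: dict, body: str) -> tuple[int, str]:
    """Dispatch one inbound HTTP request; returns (status, response body)."""
    h = {k.lower(): v for k, v in headers.items()}  # case-insensitive lookup

    # One-time verification performed when the hook is saved in Okta.
    if method == "GET" and "x-okta-verification-challenge" in h:
        return 200, json.dumps({"verification": h["x-okta-verification-challenge"]})

    if method != "POST":
        return 405, ""

    # Constant-time comparison of the shared secret; reject before parsing.
    supplied = h.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, HOOK_SECRET.encode()):
        return 401, ""

    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, ""

    handled = 0
    for event in events:
        uuid = event.get("uuid")
        if not uuid or uuid in seen_event_ids:
            continue  # missing id or already processed redelivery
        seen_event_ids.add(uuid)
        handler = ROUTES.get(event.get("eventType"))
        if handler:
            handler(event)
            handled += 1
    return 200, json.dumps({"handled": handled})


# Constructed sample delivery (shape assumed; not a captured Okta payload).
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"uuid": "evt-0001", "eventType": "user.lifecycle.create",
         "actor": {"alternateId": "jane@example.com"}},
        {"uuid": "evt-0002", "eventType": "user.session.start",
         "actor": {"alternateId": "jane@example.com"}},
    ]},
})

if __name__ == "__main__":
    print(handle_request("GET", {"X-Okta-Verification-Challenge": "abc"}, ""))
    print(handle_request("POST", {"Authorization": HOOK_SECRET}, SAMPLE_DELIVERY))
    print("marketo:", marketo_queue)
```

The secret check runs before the JSON parser so that an unauthenticated caller cannot exercise the parser or the handlers, and the `uuid` set makes a redelivered hook a no-op rather than a second campaign enrolment; in production that set would live in shared storage rather than process memory.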


If the consumer then indicates greater engagement or now wants to access a more sensitive area of the customer experience, that new context of an existing user accessing a higher-risk app can be used in the Okta Identity Engine to tailor the next part of the user journey. For example, you may now want to validate the consumer’s email address and authenticate them with an email magic link. Further, you may choose to ask for additional information from the consumer, with progressive profiling, before authorizing them to proceed.


Unlimited possibilities

But that’s just the beginning. With Okta Hooks and Okta Identity Engine, Okta can be securely customized to be the foundation for any digital experience imaginable. A selection of the use cases unlocked includes:

  • Allow access to an app with no authentication
  • Register an email address only
  • Register a phone number only
  • Require only email and name on initial registration
  • Require mailing address prior to making a purchase
  • Authenticate a user with an email magic link
  • Never require enrollment of a password as a factor
  • Require enrollment in SMS as a factor prior to making a large checking account withdrawal
  • Fake email validation
  • Prevent fake account creation
  • Fraudulent auth check against business context
  • Different sign-in branding based on ecommerce sub-brand site
  • Different email branding based on ecommerce sub-brand site
  • Different sign-in branding based on subsidiary
  • Different email branding based on subsidiary
  • Add a user to a marketing drip campaign in Marketo after initial registration
  • Add a user to a marketing drip campaign in Marketo after accessing the shopping cart
  • Trigger an alert to PagerDuty on suspicious activity
  • Automatically identify a user based on browser and serve a personalized experience
  • Ask for user consent to store personal data on registration
  • Use a custom policy to determine if a user can be activated
  • Write custom import matching logic when importing users from HR
  • Write custom import matching logic when importing users from CRM
  • Detect username collisions when importing from any source and fix with custom logic
  • Send welcome email for new hires, outside of the Okta new account email
  • Give user a promotion to enter additional optional personal info, such as favorite food
  • Support product export regulations by validating user sign-up prior to purchase
  • Automated email when data changes on a user's profile (phone, address, etc.)
  • Use strong factor for password reset flow
  • Export/Write data to g-sheets
  • G-sheets as a master
  • Never store user PII data in Okta for MFA (e.g. data residency requirements)
  • Notify admin on high API rates
  • Lock Okta account on PIV/CAC certificate revocation in CRL
  • Trigger Step up MFA in API AM for high security tasks/scopes
  • Prompt users to increase their security posture by enrolling in MFA

Interested in seeing sample applications and custom logic for these use cases and more? Check out the Okta Community Toolkit.