Okta provides comprehensive user management offering capability that spans mass user import and provisioning, deprovisioning, and user data and password synchronization.
Built from the ground up as a native cloud service, Okta is architected to be an independent user store. The People tab in Okta gives you one view of your users and groups, and is easy to search and sort. You can quickly drill in to individual users and get detailed user, group, and application assignment information and quickly take administrative action.
Native Okta groups can be used to assign applications and take other actions across a set of people. Groups can also be mapped to, and synchronized with group definitions in other applications or Directories such as Active Directory or Google Apps.
Okta can automatically import users from a variety of directories and applications in order to jumpstart your deployment. Because Okta also serves as an independent user store, you can very easily map a user’s profile in Okta to multiple different identities that person has in a variety of downstream SaaS applications. In fact Okta applies automated matching algorithms to all user imports to do that matching for you. And for apps that don’t have the APIs to support user import, Okta will work with a CSV formatted user list and apply all of the same matching intelligence to those users.
User deactivation is typically triggered from a corporate identity store such as Active Directory. When a user is deactivated from AD, users are automatically deactivated within Okta and a deprovisioning workflow is kicked off to de-provision the user from downstream applications.
The workflow generates a notification to administrators and guides IT to complete any necessary manual identity management tasks associated with a particular user or application.
As part of the deprovisoning process, some accounts need to be manually removed from the application directly. Certain accounts might be shared or used as a personal level. Okta creates a deprovisioning task list as part of the workflow that covers all outstanding users and accounts and ensures that all actions are clearly recorded.
One of the biggest concerns related to deprovisioning is having the ability ensure and record that all administrative actions were taken and that users no longer have access to critical business systems. Within Okta, the entire audit trail is captured for reporting and audit purpose so that you can easily generate historical deprovisioning reports over time by user or by application.
Okta supports a flexible set of provisioning options across your cloud applications. From the Applications homepage with one click you can easily select a set of users and one or more applications and okta will automatically provision the necessary accounts and deploy access to those applications to the targeted users.
Provisioning rules for specific applications can be tied to group membership so that application assignments happen automatically when users are added to a group. Those Okta groups can also be mastered by groups in other systems like security groups in Active Directory so that adding a user to Active Directory with a membership in a “sales” security group can drive the downstream provisioning of a Salesforce.com account for a user via Okta automatically.
Similar to the deprovisioning workflow Okta also provides a provisioning workflow to manage the end to end process of on boarding a user and their application assignments, whether the underlying applications support automated provisioning or not.
Easily automate and customize behaviors. Okta includes a rule engine that has an intuitive user interface that is a distinctively Okta. With a “point-and-click” wizard-based approach, configure rules that import new users, assign apps to people, set user properties in apps and deactivate users.
Stack up multiple rules to form processes, which can be triggered based on a variety of events.
As always, Okta is focused on delivering robust functionality built to be enterprise-grade with a user interface that is as easy to use as the best consumer applications.
Okta enables applications that are integrated for user management in the Okta Application Network to handle bi-directional profile updates. Custom user attributes created in an application sometimes may need to be pushed to other applications or back down to Active Directory. Okta easily allows IT admins to keep those application-created attributes in sync.
For example, enterprise voice systems such as Microsoft Lync and Cisco Unified Communications often generate a SIP address. This address may need to be kept in sync between cloud-based and on-premises systems. Okta can import this attribute from the application, and write it to Active Directory or other applications.
Okta's On-Premises Provisioning Agent extends Okta's ability to provision and deprovision users to any on-premises application or database using a standard SCIM-based interface. Enterprises can ensure access is granted to employees when they need it and automatically removed when necessary. The agent leverages the same secure, reliable architecture underlying Okta's existing directory integration agent that reads and writes to core directories such as Active Directory and LDAP and provides a more general-purpose way of interacting with on-premises systems beyond those two core directories.
Through Okta’s deep Active Directory Integration you can automate Okta user creation and the provisioning and deprovisioning of accounts in your cloud applications.
With JIT provisioning enabled an Okta user account is automatically created the first time a user (who is a valid user in AD) attempts to log into Okta. This streamlines provisioning even further, adding Okta users with minimal work needed from IT.
Okta supports the broadest and deepest set of user management integrations across the cloud apps within the Okta Application Network. You don’t have to worry about how your vendor supports these features or do any integration work yourself, just select the app, configure your options, and deploy.