Advanced Server Access

Elegant Zero Trust identity & access management for cloud native infrastructure

Extend secure privileged access and automate the lifecycle of server accounts and policies across dynamic fleets of infrastructure at any scale


Designed for elastic cloud infrastructure

Unified identity and centralized access controls across any hybrid or multi-cloud environment.


Eliminates credential management pain

Backed by an ephemeral client certificate architecture that replaces static SSH keys & passwords


Automates server admin onboarding at scale

Local server accounts and policies are automatically provisioned and deprovisioned to downstream servers from Okta as the source of truth


Delivers a seamless user experience

Designed to work out of the box with your existing SSH & RDP tools, and is easy to configure via API

Designed for elastic cloud infrastructure

Unified identity and centralized access controls across any hybrid or multi-cloud environment

Secure server access across any cloud

Okta provides a central control plane as a SaaS for controlling access to Linux and Windows servers across AWS, GCP, Azure, or on-premises, abstracting the complexities of managing IAM at scale.

  • Okta as the source of truth for downstream server user & group accounts
  • Central control plane for managing command-level sudo entitlements
  • Automated provisioning and deprovisioning of local accounts & policies
  • Streamlined single sign-on and multi-factor authentication for SSH & RDP workflows

Lightweight agent approach

Okta Advanced Server Access ships with a lightweight server agent, installed through a few lines of bash or PowerShell baked directly into your infrastructure automation tools.

Manage local user and group accounts

Manage fine-grained sudo entitlements

Capture login events as structured logs

Supported operating systems:

  • Windows 2012 and 2012r2
  • Windows 2016
  • Ubuntu >= 12.04
  • Amazon Linux
  • RedHat >= 6
  • CentOS >= 6
  • Debian Stable
  • FreeBSD

Integrates with your Infrastructure as Code

Okta streamlines the automation of identity & access controls across your infrastructure fleet using any infrastructure automation or configuration management tool of your choice. To learn how to automate Okta Advanced Server Access via your DevOps tools, see the documentation.

Chef - Okta Integration
Puppet - Okta Integration
Ansible - Okta Integration
Terraform - Okta Integration

Eliminates credential management pain

Advanced Server Access is backed by an ephemeral client certificate architecture that replaces static SSH keys & passwords, elegantly mitigating the risk of credential theft & misuse.

Zero Trust server auth

Every login is independently authenticated and authorized, and is issued a short-lived, tightly scoped credential to match.

Okta Advanced Server Access Zero Trust Server Authentication

1. Users log in to a server directly from their local SSH or RDP tools, which are integrated with the Client Application
2. Okta authenticates the user & device, then authorizes the request against the respective role-based access controls
3. A built-in CA mints a short-lived client certificate tightly scoped to the individual request
4. The Client uses the certificate to initiate a secure SSH or RDP session with the target server
5. The login event is captured via the server agent and sent to the audit log or a third-party SIEM service
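
Steps 3 and 4 above, sketched with OpenSSH's own certificate support as an added example. It is not Okta's code: the use of OpenSSH certificates, the key ID format, the principal alice and the 192.0.2.0/24 network are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: OpenSSH certificates stand in for the product's built-in
# CA (assumption). Keys, key ID, principal and network are constructed values.
set -eu

# Mint a certificate for a single login request and print its decoded fields.
#   $1 login principal   $2 validity window (e.g. +5m)   $3 allowed source CIDR
mint_short_lived_cert() {
  principal="$1"; validity="$2"; source_cidr="$3"
  workdir="$(mktemp -d)"

  # Throwaway CA key and per-request user key; nothing long-lived is reused.
  ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$workdir/ca"
  ssh-keygen -q -t ed25519 -N '' -C 'per-request' -f "$workdir/user"

  # -I  key ID that sshd writes to its auth log on each use (audit trail)
  # -n  the only account name the certificate may log in as
  # -V  validity window; the certificate is useless once it lapses
  # -O  source-address: reject use from any other client network
  ssh-keygen -q -s "$workdir/ca" -I "req-0001-$principal" -n "$principal" \
    -V "$validity" -O "source-address=$source_cidr" "$workdir/user.pub"

  # Decode the signed certificate (written next to the key as user-cert.pub).
  ssh-keygen -L -f "$workdir/user-cert.pub"
  rm -rf "$workdir"
}

# A server accepts such certificates by trusting the CA public key through
# sshd_config's TrustedUserCAKeys directive; no per-user authorized_keys entry.
mint_short_lived_cert alice +5m 192.0.2.0/24
```

The decoded output lists the key ID, the single principal, the validity window and the source-address critical option, which are the fields to review when checking that an issued credential is as narrowly scoped as the policy intends.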

Granular audit of server access

Clear record of who accessed what server from which device and when - exposed via Dashboard or exported to your SIEM.

  • Audit events captured in real-time via the Server Agent
  • Audit events as structured logs for better searchability and alertability
  • Captures all access decisions, login events, configuration changes, and enrollments

Automates server admin onboarding at scale

Local server accounts and policies are automatically provisioned and deprovisioned across all downstream servers with Okta as the source of truth.

The only Identity-first approach to server access

Keep a unified directory of server users, groups, and policies within Okta Universal Directory, replacing the need to manage and protect shared accounts & shared credentials.

  • Assign Okta users and groups to Advanced Server Access as a downstream application
  • Apply role-based access to groups of servers within Advanced Server Access
  • The Server Agent creates and manages local Linux and Windows accounts based on group membership

Central control plane for managing and deploying least privilege access

Okta enables command-level permissions via sudo entitlements as a function of its role-based access controls

  • Admins can create sudo entitlements in the form of executables, directories, or raw commands
  • Entitlements are bound to specific groupings of servers via role-based access controls
  • The Server Agent writes sudo entitlements as local drop-in files, managing their end-to-end lifecycle

Automate user, group, and policy provisioning and deprovisioning at scale

Okta manages the end-to-end lifecycle of server users, groups, and policies directly from Universal Directory across infrastructure fleets of any scale.

  • On startup, the Server Agent creates assigned user and group accounts, and writes assigned sudo entitlements
  • The Server Agent periodically calls out to the backend API for any changes in user status, group membership, or sudo entitlements, and updates accordingly
  • The direct relationship between Okta and downstream servers replaces the need to operate any intermediary directory services such as AD or LDAP

Delivers a seamless user experience

Designed to work out of the box with your existing SSH & RDP tools, and is easy to configure via API

SSH & RDP integrations

The Client Application integrates with your local tools, allowing you to simply use SSH & RDP as you normally would, transparently interacting with Okta for auth behind the scenes.

SSH ProxyCommand

A clever feature of OpenSSH allows you to just type ssh from the command line to call the Client Application.

RDP GUI Tools

Open your local RDP GUI automatically from the command line using the CLI.

Extensible API

Everything about Okta is exposed as an API, allowing you to automate your identity & access controls with ease.

  • Manage Okta projects
  • Manage Users + groups
  • Enroll servers with Okta
  • Preauthorise user access
  • Manage service users
  • Invite users to Okta
