Advanced Server Access
Zero Trust access management for infrastructure that just works
Extend core Okta Identity & Access to your Linux and Windows servers via SSH & RDP in an elegant manner built for the modern cloud.
Designed for elastic cloud infrastructure
Abstracts the complexities of IAM at scale across any cloud, public or private.
Unified server access across any cloud
Okta provides a central control plane for access Linux and Windows servers via SSH and RDP.
- Okta is the single source of truth for local server user & group accounts
- Automated provisioning & deprovisioning of local accounts
- Streamlined Single-Sign On for SSH & RDP workflows
- Ability to inject contextual access controls inline server auth
Lightweight agent approach
The Server Agent is installed on your servers through a few lines of bash or powershell baked into your automation.
Manage the local user and group accounts
Capture login events for auditing
Configure server for client certificate auth
Supported operating systems:
- Windows 2012 and 2012r2
- Windows 2016
- Ubuntu >= 12.04
- Amazon Linux
- RedHat >= 6
- CentOS >= 6
- Debian Stable
- FreeBSD
Automated enrollment process
Okta makes it easy to enroll servers and cloud instances via automation, keeping up with your elastic infrastructure without manual intervention.
Associate a cloud account with an Okta Project.
Bake an enrollment token into your configuration management.
Integrates with your Configuration Management
Okta streamlines the automation of identity & access controls across your infrastructure fleet using any Configuration Management provider of your choice.
Eliminates credential management pain
Backed by an ephemeral client certificate architecture that replaces static keys, elegantly mitigating the risk of credential theft and misuse.
Zero Trust server auth
Every login is independently authenticated and authorized, and issued a short-lived tightly scoped credential to match.
1. Users login to a server directly from their local SSH or RDP tools - integrated with the Client Application
2. Okta authenticates the user & device, then authorizes the request against the respective role-based access controls
3. A built-in CA mints a short-lived client certificate tightly scoped to the individual request
4. The Client uses the certificate to initiate a secure SSH or RDP session with the target server
5. The login event is captured via the server agent, and sent to the audit log or 3rd party SIEM service
Granular audit of server access
Clear record of who accessed what server from which device and when - exposed via Dashboard or exported to your SIEM.
- Audit events captured in real-time via the Server Agent
- Audit events as structured logs for better searchability and alertability
- Captures all access decisions, login events, configuration changes, and enrollments
Automates account lifecycle management
Local server accounts are provisioned and deprovisioned from Okta as the source of truth.
Universal Directory as the source of truth for local server accounts
Unified server access tied to your Identity Provider, replacing the need to manage and protect shared accounts.
- Okta creates and manages local server accounts for Linux and Windows via the Server Agent
- Local accounts can be granted Admin rights - sudo for Linux, Administrator for Windows
Automatically provision/deprovision users
End-to-end lifecycle management of local server user accounts straight from Universal Directory.
- Users assigned to Advanced Server Access are provisioned to the downstream application
- Users who are assigned to an Okta project within Advanced Server Access are provisioned to the downstream servers
- Any change in users - create, update, delete - is picked up automatically, and reflected on the servers near instantly
Push groups downstream
End-to-end lifecycle management of local server group accounts straight from Universal Directory.
- Groups assigned to Advanced Server Access are provisioned to the downstream application via SCIM
- Group membership is reflected on the downstream application, and local users are created when assigned to an Okta Project
- Any change in groups or group membership is picked up automatically, and reflected on the servers near instantly
Delivers a seamless user experience
Designed to work out of the box with your local SSH & RDP tools, and easy to configure via API.
SSH & RDP integrations
The Client Application integrates with your local tools, allowing you to simply use SSH & RDP as you normally would, transparently interacting with Okta for auth behind the scenes.
A clever feature of OpenSSH allows you to just type ssh from the command line to call the Client Application.
Open your local RDP GUI automatically from the command line using the CLI.
Extensible API
Everything about Okta is exposed as an API, allowing you to automate your identity & access controls with ease.
- Manage Okta projects
- Manage Users + groups
- Enroll servers with Okta
- Preauthorize user access
- Manage service users
- Invite users to Okta
Learn more
Learn more
Read the product documentation
Advanced Server Access
Ready to secure your infrastructure with Okta? Try Advanced Server Access free for 30 days.
Customer Journey
With the Okta Identity Cloud, Personal Capital can manage its large-scale cloud environment easily and securely
400
employees using Okta for easy access to their work