Advanced Server Access

Unified identity & access purpose-built for dynamic hybrid and multi-cloud environments

Remove barriers to scale by automating server accounts and policies with Okta as the source of truth

Enforce least privileged access controls to adhere to SOC2, PCI-DSS, and FedRAMP guidelines

Extend familiar SSO & MFA workflows to SSH & RDP authentication for human and service user use cases

• Okta Universal Directory is the source of truth for server users and their attributes, and groups and their membership
• Independent SaaS control plane for managing server role-based access controls and command-level entitlements
• End-to-end Lifecycle Management of server accounts and policies down to the OS-level
• Seamless Single-Sign On and Multi-Factor Authentication workflows extended to SSH & RDP

• Synchronizes with Okta for auth processes
• Integrated with local SSH & RDP tools
• Brokers certificate-based authentication
• Available for: 
  • MacOS
  • Windows
  • Linux

• Configures servers for certificate-based authentication
• Manages local user and group accounts
• Manages local sudo entitlements
• Periodic check-in for changes to update
• Captures and audits login events
• Available for:
  • Ubuntu >= 12.04
  • Amazon Linux
  • RedHat >= 6
  • CentOS >= 6
  • Debian Stable
  • FreeBSD
  • Windows 2012 and 2012r2
  • Windows 2016

• Assign Okta users and groups to Advanced Server Access as a downstream application
• Apply role-based access to groups of servers within Advanced Server Access
• The Server Agent creates and manages local Linux and Windows accounts based on group membership

• Admins can create sudo entitlements in the form of executables, directories, or raw commands
• Entitlements are bound to specific groupings of servers via role-based access controls
• The Server Agent writes sudo entitlements as local drop-in files, managing its end-to-end lifecycle

• On startup, the Server Agent creates assigned user and group accounts, and writes assigned sudo entitlements
• The Server Agent periodically calls out to the backend API for any changes in user status, group membership, or sudo entitlements, and updates accordingly
• The direct relationship between Okta and downstream servers replaces the need to operate any intermediary directory services such as AD or LDAP

1. Users login to a server directly from their local SSH or RDP tools - integrated with the Client Application
2. Okta authenticates the user & device, then authorizes the request against the respective role-based access controls
3. A built-in CA mints a short-lived client certificate tightly scoped to the individual request
4. The Client uses the certificate to initiate a secure SSH or RDP session with the target server
5. The login event is captured via the server agent, and sent to the audit log or 3rd party SIEM service

• Audit events captured in real-time via the Server Agent
• Audit events as structured logs for better searchability and alertability
• Captures all access decisions, login events, configuration changes, and enrollments

• SSH Gateways are bastion hosts in your environment assigned to servers by labels
• Sessions are captured as inputs and outputs, including interactive uses such as vim
• Sessions data is captured on the SSH Gateway, encrypted, and delivered to the location you configure

• Manage Okta projects
• Manage Users + groups
• Enroll servers with Okta

• Preauthorise user access
• Manage service users
• Invite users to Okta

• Connect Advanced Server Access to Okta Workflows
• Connector posts a preauthorization for a specific user for a specific time window
• Integrate with events such as a new ticket in ServiceNow or approval in Slack