Advanced Server Access

Automate identity and access management across dynamic server fleets at any scale

Adapt to the cloud operating model

Unified identity & access purpose-built for dynamic hybrid and multi-cloud environments

Automate server lifecycle management

Remove barriers to scale by automating server accounts and policies with Okta as the source of truth

Solve compliance with less burden

Enforce least privileged access controls to adhere to SOC2, PCI-DSS, and FedRAMP guidelines

Keep developers secure & happy

Extend familiar SSO & MFA workflows to SSH & RDP authentication for human and service user use cases

Adapt to the cloud operating model

Unified identity & access purpose-built for dynamic hybrid and multi-cloud environments

Secure server access across any cloud

Okta Advanced Server Access enables you to manage and automate identity and access controls for Linux and Windows servers in the cloud or on-premises.

  • Okta Universal Directory is the source of truth for server users and their attributes, and groups and their membership
  • Independent SaaS control plane for managing server role-based access controls and command-level entitlements
  • End-to-end Lifecycle Management of server accounts and policies down to the OS-level
  • Seamless Single-Sign On and Multi-Factor Authentication workflows extended to SSH & RDP

Lightweight client-server approach

Okta Advanced Server Access is delivered as a SaaS, shipped with a lightweight server agent and client application.

Client application

  • Synchronizes with Okta for auth processes
  • Integrated with local SSH & RDP tools
  • Brokers certificate-based authentication
  • Available for: 
    • macOS
    • Windows
    • Linux

Server agent

  • Configures servers for certificate-based authentication
  • Manages local user and group accounts
  • Manages local sudo entitlements
  • Periodically checks in for changes to apply
  • Captures and audits login events
  • Available for:
    • Ubuntu >= 12.04
    • Amazon Linux
    • Red Hat >= 6
    • CentOS >= 6
    • Debian Stable
    • FreeBSD
    • Windows 2012 and 2012r2
    • Windows 2016

Integrates with your Infrastructure as Code

Okta streamlines the automation of identity & access controls across your infrastructure fleet using any infrastructure automation or configuration management tool of your choice. To learn how to automate Okta Advanced Server Access via your DevOps tools, visit the documentation.

Chef - Okta Integration
Puppet - Okta Integration
Ansible - Okta Integration
Terraform - Okta Integration

Certified Terraform Provider for Okta Advanced Server Access

NEW: Developers who use HashiCorp Terraform to automate infrastructure provisioning across AWS, GCP, and Azure can now configure Advanced Server Access in parallel with a certified Terraform Provider.

Available on GitHub

Automate Server Lifecycle Management

Remove barriers to scale by automating server accounts and policies with Okta as the source of truth

The only Identity-first approach to server access

Keep a unified directory of server users, groups, and policies within Okta Universal Directory, replacing the need to manage and protect shared accounts & shared credentials.

  • Assign Okta users and groups to Advanced Server Access as a downstream application
  • Apply role-based access to groups of servers within Advanced Server Access
  • The Server Agent creates and manages local Linux and Windows accounts based on group membership

Central control plane for managing and deploying least privilege access

Okta enables command-level permissions via sudo entitlements as a function of its role-based access controls

  • Admins can create sudo entitlements in the form of executables, directories, or raw commands
  • Entitlements are bound to specific groupings of servers via role-based access controls
  • The Server Agent writes sudo entitlements as local drop-in files, managing its end-to-end lifecycle

Automate user, group, and policy provisioning and deprovisioning at scale

Okta manages the end-to-end lifecycle of server users, groups, and policies directly from Universal Directory across infrastructure fleets of any scale.

  • On startup, the Server Agent creates assigned user and group accounts, and writes assigned sudo entitlements
  • The Server Agent periodically calls out to the backend API for any changes in user status, group membership, or sudo entitlements, and updates accordingly
  • The direct relationship between Okta and downstream servers replaces the need to operate any intermediary directory services such as AD or LDAP

Solve compliance with less burden

Enforce least privileged access controls to adhere to SOC2, PCI-DSS, and FedRAMP guidelines.

Zero Trust architecture to enforce least privileged access

Every login is independently authenticated and authorized, and issued a short-lived tightly scoped credential to match.

Okta Advanced Server Access Zero Trust Server Authentication

1. Users log in to a server directly from their local SSH or RDP tools, which are integrated with the Client Application
2. Okta authenticates the user & device, then authorizes the request against the respective role-based access controls
3. A built-in CA mints a short-lived client certificate tightly scoped to the individual request
4. The Client uses the certificate to initiate a secure SSH or RDP session with the target server
5. The login event is captured via the server agent, and sent to the audit log or 3rd party SIEM service
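
A defender-side check for step 3, as an added example that is not Okta's code: it audits the text that `ssh-keygen -L` prints for a user certificate and flags one that is not short-lived or not scoped to a single account. It assumes an OpenSSH-format certificate; the 15-minute and one-principal thresholds and the sample certificate are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `ssh-keygen -L -f <cert>` output; all values are placeholders.
SAMPLE = """\
id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "alice@example.com"
        Serial: 42
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T10:10:00
        Principals:
                alice
        Critical Options: (none)
        Extensions:
                permit-pty
"""

def principals(text):
    """Return the entries listed under the 'Principals:' field."""
    found, inside = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Principals:"):
            inside = True
        elif inside and re.match(r"[A-Z][A-Za-z ]*:", line):
            break  # next field (e.g. 'Critical Options:') ends the list
        elif inside and line:
            found.append(line)
    return found

def audit(text, max_lifetime=timedelta(minutes=15), max_principals=1):
    """List policy findings; the thresholds are assumed, not Okta's."""
    findings = []
    m = re.search(r"Valid: from (\S+) to (\S+)", text)
    if not m:  # 'Valid: forever', open-ended, or missing
        findings.append("no bounded validity window")
    else:
        start, end = (datetime.strptime(t, "%Y-%m-%dT%H:%M:%S") for t in m.groups())
        if end - start > max_lifetime:
            findings.append(f"lifetime {end - start} exceeds {max_lifetime}")
    names = principals(text)
    if not names:
        findings.append("no principals listed")
    elif len(names) > max_principals:
        findings.append(f"{len(names)} principals: {', '.join(names)}")
    return findings

print(audit(SAMPLE) or "certificate matches the assumed policy")
```

An empty list from `audit` means the certificate fits the assumed policy; each string in a non-empty list names one deviation worth alerting on.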

Granular audit of server login events

Clear record of who accessed what server from which device and when - exposed via Dashboard or exported to your SIEM.

  • Audit events captured in real-time via the Server Agent
  • Audit events as structured logs for better searchability and alertability
  • Captures all access decisions, login events, configuration changes, and enrollments

Capture & log interactive SSH sessions

Funnel traffic through an SSH Gateway service that captures interactive sessions and delivers to a secure object storage location in your environment.

  • SSH Gateways are bastion hosts in your environment assigned to servers by labels
  • Sessions are captured as inputs and outputs, including interactive uses such as vim
  • Session data is captured on the SSH Gateway, encrypted, and delivered to the location you configure

Keep developers secure & happy

Extend familiar SSO & MFA workflows to SSH & RDP authentication for human and service user use cases

SSH & RDP integrations

The Client Application integrates with your local tools, allowing you to simply use SSH & RDP as you normally would, transparently interacting with Okta for auth behind the scenes.

SSH ProxyCommand

A clever feature of OpenSSH allows you to just type ssh from the command line to call the Client Application.

RDP GUI Tools

Open your local RDP GUI automatically from the command line using the CLI.

Extensible API

Everything about Okta is exposed as an API, allowing you to automate your identity & access controls with ease.

  • Manage Okta projects
  • Manage Users + groups
  • Enroll servers with Okta
  • Preauthorise user access
  • Manage service users
  • Invite users to Okta

Okta ASA Connector for Workflows

Automate time-based access to servers based on events through a simple no-code Workflows integration.

  • Connect Advanced Server Access to Okta Workflows
  • Connector posts a preauthorization for a specific user for a specific time window
  • Integrate with events such as a new ticket in ServiceNow or approval in Slack

Advanced Server Access

Ready to secure your infrastructure with Okta? Try Advanced Server Access free for 30 days.
