Advanced Server Access
Elegant Zero Trust identity & access management for cloud native infrastructure
Extend secure privileged access and automate the lifecycle of server accounts and policies across dynamic fleets of infrastructure at any scale
Designed for elastic cloud infrastructure
Unified identity and centralized access controls across any hybrid or multi-cloud environment
Secure server access across any cloud
Okta provides a central control plane as a SaaS for controlling access to Linux and Windows servers across AWS, GCP, Azure, or on-premises, abstracting the complexities of managing IAM at scale.
- Okta as the source of truth for downstream server user & group accounts
- Central control plane for managing command-level sudo entitlements
- Automated provisioning and deprovisioning of local accounts & policies
- Streamlined Single-Sign On and Multifactor Authentication for SSH & RDP workflows
Lightweight agent approach
Okta Advanced Server Access ships with a lightweight server agent, installed through a few lines of bash or PowerShell baked directly into your infrastructure automation tools.
Manage local user and group accounts
Manage fine-grained sudo entitlements
Capture login events as structured logs
Supported operating systems:
- Windows 2012 and 2012r2
- Windows 2016
- Ubuntu >= 12.04
- Amazon Linux
- RedHat >= 6
- CentOS >= 6
- Debian Stable
- FreeBSD
Integrates with your Infrastructure as Code
Okta streamlines the automation of identity & access controls across your infrastructure fleet using any infrastructure automation or configuration management tool of your choice. To learn how to automate Okta Advanced Server Access via your DevOps tools, visit the documentation ›.
Eliminates credential management pain
Advanced Server Access is backed by an ephemeral client certificate architecture that replaces static SSH keys & passwords, elegantly mitigating the risk of credential theft & misuse.
Zero Trust server auth
Every login is independently authenticated and authorized, and issued a short-lived tightly scoped credential to match.
1. Users login to a server directly from their local SSH or RDP tools - integrated with the Client Application
2. Okta authenticates the user & device, then authorizes the request against the respective role-based access controls
3. A built-in CA mints a short-lived client certificate tightly scoped to the individual request
4. The Client uses the certificate to initiate a secure SSH or RDP session with the target server
5. The login event is captured via the server agent, and sent to the audit log or 3rd party SIEM service
Granular audit of server access
Clear record of who accessed what server from which device and when - exposed via Dashboard or exported to your SIEM.
- Audit events captured in real-time via the Server Agent
- Audit events as structured logs for better searchability and alertability
- Captures all access decisions, login events, configuration changes, and enrollments
Automates server admin onboarding at scale
Local server accounts and policies are automatically provisioned and deprovisioned across all downstream servers with Okta as the source of truth.
The only Identity-first approach to server access
Keep a unified directory of server users, groups, and policies within Okta Universal Directory, replacing the need to manage and protect shared accounts & shared credentials.
- Assign Okta users and groups to Advanced Server Access as a downstream application
- Apply role-based access to groups of servers within Advanced Server Access
- The Server Agent creates and manages local Linux and Windows accounts based on group membership
Central control plane for managing and deploying least privilege access
Okta enables command-level permissions via sudo entitlements as a function of its role-based access controls
- Admins can create sudo entitlements in the form of executables, directories, or raw commands
- Entitlements are bound to specific groupings of servers via role-based access controls
- The Server Agent writes sudo entitlements as local drop-in files, managing its end-to-end lifecycle
Automate user, group, and policy provisioning and deprovisioning at scale
Okta manages the end-to-end lifecycle of server users, groups, and policies directly from Universal Directory across infrastructure fleets of any scale.
- On startup, the Server Agent creates assigned user and group accounts, and writes assigned sudo entitlements
- The Server Agent periodically calls out to the backend API for any changes in user status, group membership, or sudo entitlements, and updates accordingly
- The direct relationship between Okta and downstream servers replaces the need to operate any intermediary directory services such as AD or LDAP
Delivers a seamless user experience
Designed to work out of the box with your existing SSH & RDP tools, and is easy to configure via API
SSH & RDP integrations
The Client Application integrates with your local tools, allowing you to simply use SSH & RDP as you normally would, transparently interacting with Okta for auth behind the scenes.
A clever feature of OpenSSH allows you to just type ssh from the command line to call the Client Application.
Open your local RDP GUI automatically from the command line using the CLI.
Extensible API
Everything about Okta is exposed as an API, allowing you to automate your identity & access controls with ease.
- Manage Okta projects
- Manage Users + groups
- Enroll servers with Okta
- Preauthorise user access
- Manage service users
- Invite users to Okta
Learn more
Learn more
Read the product documentation
Advanced Server Access
Ready to secure your infrastructure with Okta? Try Advanced Server Access free for 30 days.
Customer Journey
With the Okta Identity Cloud, Personal Capital can manage its large-scale cloud environment easily and securely
400
employees using Okta for easy access to their work