Okta Identity Engine

A set of customisable building blocks for any access experience

Organisations need a secure, out-of-the-box solution that can be customised to build trusted, tailored user journeys.

To create tailored, unique identity experiences, organisations have traditionally been faced with a choice:

Build a custom solution from scratch which takes time and may introduce security risks.

Use a pre-defined solution but compromise on the experience.

The Okta Identity Engine is a set of customisable building blocks for every access experience

Break apart pre-defined authentication, authorisation, and registration flows

Customers can create dynamic, context-based user journeys, unlocking the ability to address an unlimited number of identity use cases with minimal custom code. Use context about the user, device, app, network, and intent to inform the identity journey of any user, adapting that access experience accordingly. The Okta Identity Engine is made up of a sequence of individual Steps that can handle the entire user journey from registration to authentication to authorisation.

Identity Engine - building blocks for access

Customise the behavior of each step with Components

Components give you the ability to evaluate policies, trigger Hooks, publish events, prompt the user for action, or direct to an external service. Customisations can vary depending on the use case and the context applied. This means you can configure Okta to skip Steps in the engine. And, you can choose different Steps to run and skip for any app or at any point in the experience, creating a variety of identity sequences.

Customise user journeys

Based on the customisations applied, Okta can take further actions within each step to progress the user through their journey.

Email magic link authentication

Step up authentication

Gather more information

Identity verification or validation

Custom branding

Route to an external system

Hooks

The ability to execute Hooks and publish events, give you the power to support infinite use cases while still leveraging the security guardrails of the Okta Identity Engine. Hooks add extensibility to the Okta Identity Engine, allowing you to add custom code to do modify inflight processes and notify external services. There are two types of Hooks:

Inline Hook - Allow you to add custom logic to a Component
Event Hooks - Allow you to kickoff downstream integrations based on events published in the Okta System Log

Use cases enabled by the Okta Identity Engine

Passwordless users

Passwordless authentication using an email-based magic link

Allows organisations to eliminate the password. Rather than enrolling a password in an authentication sequence, organisations can use an email magic link to authenticate a user. Organisations can use a passwordless flow for some applications, but for others, require a stronger factor, such as email, push or WebAuthn.

Flexible account recovery

Give your users more options to recover their accounts

Users can now reset their password with Okta Verify Push, in addition to Email or Phone (SMS, Voice Call) authenticators. If admins require a step up authentication, end users now can use any enrolled authenticator. This improves your end user's access experience, strengthens your security posture, and decreases your IT Help desk tickets.

Progressive profiling

Incrementally build customer profiles over the customer’s lifetime by adding progressive profiling for required and optional attributes

To optimise the user experience, enterprises can configure registration for less friction. Minimise initial enrollment with minimal fields to fill, while configuring a later enrollment to require that a user input additional information. For example, an ecommerce site may want to ask for an email address when a user first engages, but then ask for a home address and phone number before making a purchase.

Okta User Management Progressive Profiling 1

Limit initial registration forms to the bare minimum and delay asking users for additional information until necessary to reduce abandonment rates.

Okta User Management Progressive Profiling2

Ask for additional attributes later in the customer journey.

Features

Per-app branding

Customise branding based on app context

Administrators can configure each sequence with separate branding to provide different experiences depending on how a user begins to use its services. For instance, a single hotel loyalty program serving multiple brands or a parent company with different subsidiaries can customise the look and feel of logins depending on a user’s hotel choice or employer.

Customise security policies

Create dynamic sign-on policies that are tailored for different applications based on the behaviour, risk level, and context of the user. For example, you may want to enforce a more stringent assurance requirements to gain access to a sensitive app, but relax those requirements if you have high confidence the access request is legitimate given the user’s past behaviour and current context.

Crafting trusted, tailored user journeys

Putting it all together, organisations can build unique access experiences that are deeply integrated with the rest of their technology stack. For example, a consumer-facing experience looking to minimise friction and abandonment during the registration process could create an experience asks the consumer to just register their name and email. Once registered, an Event Hook can automatically push that user into an email campaign in their email marketing software, Marketo.

If the consumer then indicates greater engagement or now wants to access a more sensitive area of the customer experience, that new context of an existing user accessing a higher-risk app can be used in the Okta Identity Engine to tailor the next part of the user journey. For example, you may now want to validate the consumer’s email address and authenticate them with an email magic link. Further, you may choose to ask for additional information from the consumer, with progressive profiling, before authorizing them to proceed.

But that’s just the beginning. With Okta Hooks and Okta Identity Engine, Okta can be securely customized to be the foundation for any digital experience imaginable. A selection of the use cases unlocked include:

Allow access to an app with no authentication
Register an email address only
Register a phone number only
Require only email and name on initial registration
Require mailing address prior to making a purchase
Authenticate a user with an email magic link
Never require enrollment of a password as a factor
Require enrollment in SMS as a factor prior to making a large checking account withdrawal
Fake email validation
Prevent fake account creation
Fraudulent auth check against business context
Different sign-in branding based on ecommerce sub-brand site
Different email branding based on ecommerce sub-brand site
Different sign-in branding based on subsidiary
Different email branding based on subsidiary
Add a user to a marketing drip campaign in Marketo after initial registration
Add a user to a marketing drip campaign in Marketo after accessing the shopping cart
Trigger an alert to PagerDuty on suspicious activity
Automatically identify a user based on browser and serve a personalised experience
Ask for user consent to store personal data on registration

Use a custom policy to determine if a user can be activated
Write custom import matching logic when importing users from HR
Write custom import matching logic when importing users from CRM
Detect username collisions when importing from any source and fix with custom logic
Send welcome email for new hires, outside of the Okta new account email
Give user a promotion to enter additional optional personal info, such as favourite food
Support product export regulations by validating user sign-up prior to purchase
Automated email when data changes on users profile (phone/address etc)
Use strong factor for password reset flow
Export/Write data to g-sheets
G-sheets as a master
Never store user PII data in Okta for MFA (e.g data residency requirements)
Notify admin on high API rates
Lock Okta account on PIV/CAC certificate revocation in CRL
Trigger Step up MFA in API AM for high security tasks/scopes
Prompt users to increase their security posture by enrolling in MFA

Interested in seeing sample applications and custom logic for these use cases and more?
Check out the Okta Community Toolkit

Ramiya Iyer

Global Vice President of IT, Digital and Marketing

Albertsons interacts with over 34 million customers a week, providing the products they want, at a fair price, with great customer service. As one of the largest grocers in the country, we recognise how important it is to adapt and grow, meeting our customers wherever they are. The Okta Identity Engine provides us with a flexible solution to digital identity.