Author: Akshit Konaperthi

Self Service Access Request for AD Joined Servers

Posted on by Akshit Konaperthi in Okta
  • Usecase Overview
  • Solution
  • Prerequisites
  • Theoretical Demonstration
  • Technical Demonstration
  • Benefits
  • Reference Links

Usecase Overview

An organization needs to secure access for their servers by ensuring that users can request access only based on their specific roles or departments. All access requests must go through a formal approval process to validate the appropriate permissions granted. Users should be granted access exclusively to the actions permitted by their assigned roles. Additionally, to enhance security, the organization requires regular password rotation for all server accounts. The system must also record all user sessions and securely store these logs on the gateway for monitoring and auditing purposes. The challenge is to implement a security framework that enforces these controls effectively to maintain strong security and tight control over server access.

Solution

By leveraging Okta, we can implement the above Usecase. For Access request we are going to utilize Okta Access request capability, with this we can control the approval levels and also segregate the request types based on the department or role and for the Servers we can utilize the Okta Advanced Server Access feature for access to AD Joined Servers and also it stores the user activity with the help of Session recording feature. For managing AD server accounts password rotation, we can utilize the Okta Privileged Access feature. By combining all the Okta products, we can build a robust and secure access management solution for your sensitive resources.

Prerequisites

  • A running instance of On Prem Active Directory.
  • A running instance of Linux Gateway for session recording.
  • A domain joined windows server which acts a target resource.
  • Super admin privileges to access Okta Tenant.
  • Admin access to Okta Privileged Access, Okta Advanced Server Access & Okta Access Request.
  • Required access to Okta Workflows Application
  • Feature – Manage Active Directory Accounts for Okta PA must be enabled. For more details contact to the Okta Support team.
  • Feature – Delegated workflow for Access Request must be enabled.

Theoretical Demonstration

Please watch the video to understand why we are configuring SSR on AD-joined servers with password rotation using Okta.

Technical Demonstration

Watch a demonstration on effortlessly handling identities in Okta and setting up access requests for AD Joined Servers and accounts, along with password rotation and session recording features to improve efficiency, security, and auditing. 

Benefits

  • Automated access grants and revocations which enables quick and error-free granting and revoking of AD server account access.
  • Okta PA automatically changes or rotates AD account passwords, keeping them safe and reducing hacking risks.
  • All access and actions are recorded, making it easy to audit and meet compliance.
  • Strong authentication and session recording prevent misuse and assists in investigating issues.
  • Everything is automated, so IT spends less time on manual work and users get access faster.

Reference Links

Okta Advanced Server Access

Managing AD Accounts using Okta Privileged Access

Okta Access Requests

Okta Workflows

Integrating SailPoint IIQ with Okta

Posted on by Akshit Konaperthi in Okta
  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction

In today’s digital landscape, many organizations face significant challenges in securely managing access to their sensitive data. These unchecked identity challenges often result in vulnerabilities, data breaches, and difficulties in ensuring that only the right individuals have the appropriate access. This solution offers a robust answer to these issues by simplifying and strengthening access control with a governance view. By integrating Okta with product like SailPoint IdentityIQ (IIQ), organizations can strengthen their identity governance and automate the provisioning and de-provisioning processes. This integration ensures that users are granted access solely to the resources they need, thereby minimizing security risks and ensuring compliance.

To get started, organizations need to configure SSO and Okta connectors within Sailpoint IIQ, which link their systems and data sources to enable seamless and secure access management across the enterprise.

Prerequisites

Usecase Overview

Please watch the video to understand why we are integrating SailPoint IIQ with Okta and the specific use case for this integration.

Technical Demonstration

In this video, we’ll show you how to integrate SailPoint IIQ with Okta. We’ll cover setting up SSO, configuring the Okta Connector, and mapping Okta attributes to SailPoint. We’ll also demonstrate how admins manage access reviews and how users can access SailPoint IIQ from Okta.

Conclusion

On a closure note, with all the steps carried out in this use case, it is fair enough to say that we have successfully integrated SailPoint IIQ with Okta, which enhances access management by governing the right identities have access to the right resources. Along with that achieving identity lifecycle management by ensuring synchronized access and governance policies are harmonized between the products. This integration reduces manual processes, increases compliance, and streamlines access control across the organization. Regular monitoring and fine-tuning of policies ensure the integration remains effective as the organizational needs evolve.

Reference Links

Integrating SailPoint IIQ with Okta

Best_Practices_Integration_Guide

Simplifying Server Access with Okta Advanced Server Access

Posted on by Akshit Konaperthi in Okta
  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction:

Many organizations face difficulties in securely managing access to their servers. This often results in compromised static credentials, delay in accessing the servers and increase in security risks. Okta’s approach to address this problem is unique, comes with Advanced Server Access (ASA) to provide simple & secure way to access the servers through ephemeral certificates. These certificates are short-lived & tightly scoped which ensures strong security for the connection. And also, JIT Passwordless authentication for server access which will create & revoke access for the user through time-bound constraints. It streamlines the login process and enhances security, ensuring that only the right people can access right resources.

To get started, we need to create and configure an ASA team, which is a designated group of users that can authenticate with Okta. Each team acts as an Advanced Server Access tenant, with all configurations and resources scoped to that team. 

Prerequisites:

  • An Okta Org account with the necessary permissions to configure applications and integrations.
  • Supported OS for ASA Server Agent – Linux & Windows
  • Supported OS for ASA Client Agent – Linux, Windows & MacOS
  • Administrative permission to install ASA Server Agent & Client Agent on servers & end devices.
  • For Network settings, please refer to Okta Docs.

Usecase Overview:

Please refer to the below video to have an understanding about Okta Advanced Server Access & the usecase around integrating servers with Okta ASA.

Technical Demonstration:

Here’s the technical demonstration on the integration of Windows and Linux servers with Okta ASA. We will cover the process of creating an ASA team in ScaleFT, followed by integrating and configuring the ASA application in Okta. Next, we will explain how to enroll servers and clients, and finally, we will test the process by accessing the server from client machines to showcase a seamless user experience.

Conclusion:

On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Servers with Okta Advanced Server Access not only enhances security through ephemeral credentials but also simplifies management processes while ensuring compliance. Its scalable architecture supports modern cloud environments, making it a comprehensive solution for organizations looking to secure their server access effectively.

Reference Links:

Okta Advanced Server Access Guide