Self Service Access Request for AD Joined Servers

  • Usecase Overview
  • Solution
  • Prerequisites
  • Theoretical Demonstration
  • Technical Demonstration
  • Benefits
  • Reference Links

Usecase Overview

An organization needs to secure access to its servers by ensuring that users can request access only for the roles or departments they belong to. Every access request must go through a formal approval process that validates the permissions being granted, and users must be granted only the actions their assigned roles permit. Additionally, to enhance security, the organization requires regular password rotation for all server accounts. The system must also record all user sessions and store those recordings securely on the gateway for monitoring and auditing. The challenge is to implement a security framework that enforces these controls effectively and keeps tight control over server access.

Solution

Okta can implement the above use case end to end. Okta Access Requests handles the request and approval flow: request types can be segregated by department or role, and each type carries its own approval levels. Okta Advanced Server Access brokers access to the AD-joined servers and, through its session recording feature, captures user activity on the gateway. Okta Privileged Access manages the AD server accounts and rotates their passwords. Combined, these products form a robust, auditable access management solution for sensitive resources.

Prerequisites

  • A running instance of on-premises Active Directory.
  • A running Linux gateway for session recording.
  • A domain-joined Windows server that acts as the target resource.
  • Super admin privileges on the Okta tenant.
  • Admin access to Okta Privileged Access, Okta Advanced Server Access and Okta Access Requests.
  • Required access to the Okta Workflows application.
  • The Manage Active Directory Accounts feature for Okta PA must be enabled; contact Okta Support for details.
  • The Delegated Workflow feature for Access Requests must be enabled.

Theoretical Demonstration

Please watch the video to understand why we configure self-service access requests (SSR) for AD-joined servers with password rotation using Okta.

Technical Demonstration

Watch the demonstration of handling identities in Okta and setting up access requests for AD-joined servers and accounts, along with password rotation and session recording, to improve efficiency, security and auditing.

Benefits

  • Automated access grants and revocations, so AD server account access is granted and removed quickly and without manual error.
  • Okta PA rotates AD account passwords automatically, so a credential that leaks is only useful until the next rotation.
  • All access and actions are recorded, which simplifies audits and compliance evidence.
  • Strong authentication and session recording deter misuse and assist investigations.
  • The whole workflow is automated, so IT spends less time on manual provisioning and users get access faster.

Reference Links

Okta Advanced Server Access

Managing AD Accounts using Okta Privileged Access

Okta Access Requests

Okta Workflows

Simplifying Server Access with Okta Advanced Server Access

  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction

Many organizations struggle to manage access to their servers securely. The usual symptoms are static credentials that get compromised, delays in getting users onto servers, and growing security risk. Okta's Advanced Server Access (ASA) addresses this with a simple, secure way to reach servers through ephemeral certificates: each certificate is short-lived and tightly scoped, so a captured credential is useful only briefly and only for what it was issued for. ASA also provides just-in-time (JIT), passwordless authentication for server access, creating the user's access and revoking it on a time-bound basis. This streamlines login and ensures that only the right people can access the right resources.

To get started, create and configure an ASA team: a designated group of users that can authenticate with Okta. Each team acts as an Advanced Server Access tenant, with all configuration and resources scoped to that team.
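For SSH, the ephemeral, tightly scoped credential described above takes the form of an OpenSSH user certificate: a certificate authority signs the user's public key together with a validity window, the principals (logins) it may be used for, and critical options such as a permitted source address, and sshd enforces all of that against the CA key it trusts (TrustedUserCAKeys). The Python below is an added example, not Okta or ASA code. It serialises and parses that certificate format and applies the scope checks, using constructed stand-in key bytes (CA_PUB, USER_PUB) and a constructed ten-minute certificate (demo_cert); it deliberately does not verify the CA's ed25519 signature, which is sshd's job and needs a signature library, so on its own it inspects and scope-checks, it does not authenticate.

```python
"""Parse and scope-check an OpenSSH user certificate of the short-lived kind an ASA-style CA
issues.  Added example, not Okta/ASA code; wire layout per OpenSSH PROTOCOL.certkeys for
ssh-ed25519-cert-v01@openssh.com.  The CA signature is NOT verified here (sshd does that
against TrustedUserCAKeys); the point is the scope carried inside the certificate."""
import ipaddress
import struct
from dataclasses import dataclass

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
CA_PUB, USER_PUB = b"\x01" * 32, b"\x02" * 32  # constructed stand-ins for raw ed25519 public keys


def _s(b: bytes) -> bytes:  # SSH "string": uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b


def _kv(pairs: dict) -> bytes:  # options/extensions: sorted name + string-wrapped data (or empty)
    return b"".join(_s(k.encode()) + _s(_s(v.encode()) if v else b"") for k, v in sorted(pairs.items()))


@dataclass
class Cert:
    key_id: str
    principals: list
    valid_after: int
    valid_before: int
    critical_options: dict
    extensions: dict
    cert_type: int = 1  # 1 = user certificate, 2 = host certificate
    signature_key: bytes = b""  # raw public key of the CA that signed it


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def num(self, fmt: str) -> int:  # ">I" or ">Q"
        (n,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return n
    def string(self) -> bytes:
        n = self.num(">I")
        v, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        if len(v) != n:
            raise ValueError("truncated certificate")
        return v
    def strings(self) -> list:  # a string that itself holds a sequence of strings (principals)
        inner, out = _Reader(self.string()), []
        while inner.pos < len(inner.buf):
            out.append(inner.string().decode())
        return out
    def kv(self) -> dict:  # critical options / extensions
        inner, out = _Reader(self.string()), {}
        while inner.pos < len(inner.buf):
            name, data = inner.string().decode(), inner.string()
            out[name] = _Reader(data).string().decode() if data else ""
        return out


def encode_cert(c: Cert, user_pk: bytes, nonce: bytes = b"\0" * 32, sig: bytes = b"") -> bytes:
    """Serialise the certificate; a real CA signs everything before `sig` with its private key."""
    return (_s(CERT_TYPE) + _s(nonce) + _s(user_pk) + struct.pack(">QI", 0, c.cert_type)  # serial 0
            + _s(c.key_id.encode()) + _s(b"".join(_s(p.encode()) for p in c.principals))
            + struct.pack(">QQ", c.valid_after, c.valid_before)
            + _s(_kv(c.critical_options)) + _s(_kv(c.extensions))
            + _s(b"") + _s(c.signature_key) + _s(sig))  # reserved, CA public key, signature


def decode_cert(blob: bytes) -> Cert:
    """Parse wire form (the base64 field of an id_*-cert.pub file decodes to this)."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string(), r.string(), r.num(">Q")  # nonce, user public key, serial
    ctype, key_id, principals = r.num(">I"), r.string().decode(), r.strings()
    valid_after, valid_before, crit, ext = r.num(">Q"), r.num(">Q"), r.kv(), r.kv()
    r.string()  # reserved
    sigkey = r.string()
    r.string()  # signature: verified by sshd against the trusted CA key, not here
    return Cert(key_id, principals, valid_after, valid_before, crit, ext, ctype, sigkey)


def check_scope(c: Cert, login_user: str, client_ip: str, trusted_ca: bytes, now: int):
    """The scope checks sshd applies once the signature verifies; returns (ok, reason).
    `now` is a Unix timestamp (pass int(time.time()) in real use)."""
    problems = [(c.cert_type != 1, "not a user certificate"),
                (c.signature_key != trusted_ca, "issued by an untrusted CA"),
                (not c.valid_after <= now < c.valid_before, "outside validity window"),
                (login_user not in c.principals, f"principal {login_user!r} not in certificate")]
    for name, value in c.critical_options.items():
        if name == "source-address":
            nets = [ipaddress.ip_network(n.strip()) for n in value.split(",")]
            problems.append((not any(ipaddress.ip_address(client_ip) in n for n in nets),
                             "client address outside source-address"))
        else:  # any critical option the verifier does not understand must cause rejection
            problems.append((name != "force-command", f"unknown critical option {name!r}"))
    for bad, reason in problems:
        if bad:
            return False, reason
    return True, "ok"


def demo_cert(issued_at: int) -> bytes:
    """A ten-minute, single-principal cert as a JIT CA would cut it (constructed values)."""
    c = Cert("alice@corp REQ-1234", ["alice"], issued_at, issued_at + 600,
             {"source-address": "10.20.0.0/16"}, {"permit-pty": ""}, signature_key=CA_PUB)
    return encode_cert(c, USER_PUB)
```

Running decode_cert on the output of demo_cert and then check_scope with a client inside 10.20.0.0/16, the principal alice and a timestamp inside the window returns (True, "ok"); one second past valid_before, a different principal, a client outside the permitted range or a certificate whose embedded CA key is not the trusted one each fail with a specific reason. To look inside a certificate a real CA issued, base64-decode the second field of the *-cert.pub file and pass it to decode_cert (ssh-keygen -L prints the same fields).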

Prerequisites

  • An Okta org account with the permissions needed to configure applications and integrations.
  • Supported OS for the ASA Server Agent: Linux and Windows.
  • Supported OS for the ASA Client Agent: Linux, Windows and macOS.
  • Administrative permission to install the ASA Server Agent and Client Agent on servers and end-user devices.
  • For network settings, refer to the Okta docs.

Usecase Overview

Refer to the video below for an overview of Okta Advanced Server Access and the use case of integrating servers with Okta ASA.

Technical Demonstration

Here is the technical demonstration of integrating Windows and Linux servers with Okta ASA. It covers creating an ASA team in ScaleFT, integrating and configuring the ASA application in Okta, enrolling servers and clients, and finally accessing a server from a client machine to show the end-user experience.

Conclusion

In closing, with the steps carried out in this post, integrating servers with Okta Advanced Server Access not only strengthens security through ephemeral credentials but also simplifies administration and supports compliance. Its scalable architecture fits modern cloud environments, making it a comprehensive way to secure server access.

Reference Links

Okta Advanced Server Access Guide