Alex Taylor Internet enthusiast


Okta -Day 6 – Managing Single Sign-On (SSO)


Okta Basics Curriculum: Managed Application Single Sign-On (SSO)

Today we start digging into Okta’s capabilities – we’re going to walk through setting up integrations to allow users access to applications using single sign-on.

Okta offers three different ways to set up SSO authentication:

  1. Secure Web Authentication (SWA) – Okta uses a browser plugin to securely pass credentials into a web form on behalf of the authenticated user
  2. Security Assertion Markup Language (SAML) – XML-based standard for exchanging authentication and authorization data – SAML allows Okta to create a secure connection to an application or service provider and essentially builds a bridge of trust between the auth provider and the service provider (this is commonly used for SSO whether you’re using Okta or another identity tool)
  3. WS-Federation – Commonly used with Microsoft applications and works the same general way as SAML does

SAML is a BIG topic that deserves more research if you’re interested – Duo has a fun blog post here that covers the essentials that you need to know.

Today we get to dive into the Okta Integration Network (OIN) and start choosing some applications that we want to integrate into our Okta environment. You can find this in your dashboard via Applications on the sidebar and then clicking ‘Add Application’.

As you’ll see, each application has details under the logo about what integration options are available, and you can dig into each app to see more information about the integration capabilities offered.

You’ll also see integration properties in the OIN which gives you information about who built out the integration – some are Okta-built, some are community-built.

So how do we configure an application using SAML? So glad you asked.

Select the app you want to configure for SSO, and then hit the blue Add button to kick the process off. Depending on the application, you’ll be presented with a list of general settings and options to fill out before you can finalize the integration.

Some applications will offer different options for setting up the integration – Salesforce as an example offers SWA and SAML and Okta admins can decide which works best for their organization.

Its important to follow the service provider setup instructions that are linked – every app is going to have a different process for setting up SAML and you’ll want to make sure that everything is copy-pasted correctly for the integration to work.

How do we configure an application using SWA?

SWA applications are typically used to connect applications such as LinkedIn or Facebook. The beginning of the process works the same way – search for the application or website in the OIN and follow the steps. If you’re using different accounts for different teams, remember to add a clear application label so you can tell them apart (Marketing vs Sales etc).

SWA integrations need the Okta browser plugin to be installed on the users’ computer – that linked page has a lot of information about installation, security, and use cases for the plugin.

Some of these applications will allow you to set a shared username and password – this is useful for shared access to a corporate social media account or things like that.

Some applications will also provide the option to set account mapping – Here’s what the Facebook setup looks like:

Once the integration is set up and configured, you can assign these SWA integrated apps to certain users or groups, and they will see them in their Okta profile once they log in.

Okta – Day 5 – Integrating Okta with LDAP-Mastered Users


Okta Basics Curriculum: Integrate Okta with LDAP-Mastered Users

Continuation here from the previous day – instead of AD, we’re going to learn how to integrate users from LDAP.

What is LDAP?

The Lightweight Directory Access Protocol is a vendor-neutral application protocol used to maintain distributed directory info in an organized manner. LDAP stores this data by way of records which contain a set of attributes. Each entry has a unique identifier (a ‘Distinguished Name’ most often seen as ‘DN’).

As with AD, LDAP-Mastered users are authenticated against the external directory, so they log into Okta using the credentials they use for LDAP. Generally, these users cannot change their password within Okta, but Okta Super Admins do have the power to enable this if needed.

Okta has an LDAP integration guide here for further review. We’ll go through most of these steps below. Also worth reviewing is the LDAP integration prerequisites page.

Okta offers an LDAP agent for Windows or Linux and the agent needs to be installed on a server that is on at all times – Okta needs to be able to access this agent regularly. One difference from the AD agent is that Just-in-Time provisioning is automatically enabled with the LDAP agent, which means that users will automatically be activated and updated when they log into Okta.

The LDAP Agent can be downloaded from the dashboard via Directory > Directory Integrations and the install wizard does most of the work.

Ensure that you log in with Super Admin credentials during the permissions pop-up.

Step 2 of the LDAP integration is configuration of the directory mappings. You’ll have the opportunity to select an LDAP version template – this will populate the appropriate fields and you’ll have the opportunity to choose the Okta username format you prefer.

Okta provides a ‘test configuration’ button – you’re looking for a Green box with ‘Validation Successful’ – if that shows up, you’re good to move forward.

That’s all you need on the integration side of things – Your users are free to start activating their accounts by logging into Okta with their LDAP credentials.

Okta – Day 4 – Integrating Okta with Active Directory-Mastered Users


Okta Basics Curriculum: Integrate Okta with Active Directory-Mastered Users

For folks brand new to identity, some background research will be needed at this point – you’re going to need to understand the basics of Active Directory and how it works.

Active Directory is a Microsoft directory service that manages computers and other devices operating in a network. Users accessing a similar database may be grouped into a single domain. A group of domains is referred to as a tree, while a group of trees is called a forest.

Active Directory is a huge hulking beast of a topic and there’s plenty that I don’t even know about it – I’ll eventually write a separate series about AD as I level up my skills on that side of things, For now, just know that Active Directory is a directory service, and we’re going to import users from AD into Okta.

The key difference between directory-mastered users and Okta-mastered users is that directory-mastered users will authenticate against the external directory’s password policy, which is maintained by the directory administrator. Generally, these users can’t use Okta to change their directory password, although Okta super admins do have some power to make that change.

Okta manages the Active Directory integration with an agent that you’ll need to download and install on a Windows Server. The agent wizard does most of the work – you’ll provide all the information needed about your Okta service account and the agent will build the API.

Once the agent installation and setup is complete, you’ll be prompted to select which Organizational Units you want to import into Okta, and then you’ll be prompted to select which attributes from AD you want to include in your Okta User Profiles.

Once all of the above is complete, the integration process is essentially done – from here, you can begin importing users from Active Directory and building out their identity profiles in Okta. Manual confirmation and activation is an option, but you also have a few options – you can implement Just in Time provisioning, which creates and activates Directory-Mastered accounts as the person logs into Okta, or you can set up scheduled imports.

That wraps up things up for today – tomorrow we’ll learn about importing LDAP-Mastered users.

Okta – Day 3 – Managing Okta-Mastered Users


Okta Basics Curriculum: Manage Okta-Mastered Users

There are 3 types of people or user accounts that can exist within Okta:

  • Okta-Mastered people
  • Directory-Mastered people
  • and Application-Mastered people

The lesson today is about Okta-Mastered people – people who are created directly within Okta (not imported from a different tool or database).

You can add new people manually from the Dashboard via Directory > People

There are 4 attributes that are associated with an Okta-Mastered person’s account which are required: first name, last name, username, and email address.

More information in the Okta Help Center here if you’re looking for additional documentation about user creation.

There’s also a guide here about user account states to help you understand what each state means (Active/Locked Out/Suspended etc).

You can also create Okta-Mastered users with a CSV import – Okta offers a template that you download and fill in and then re-upload – you can’t add custom attributes to the base template, but you can add these fields via the user profile once they exist in the Dashboard.

Last step for this lesson is learning how to add admin rights and roles to users – from Security > Administrators, click Add Administrator and Okta gives you a pop-up with options for admin roles you can assign to your user.

The training course also includes a spreadsheet with full information about each of the admin roles and what permissions each of them have – recommended download to get insights into which role each admin actually needs.

Good start to the training. Tomorrow we’ll learn more about importing users from Active Directory.

Okta – Day 2 – Introduction to Workforce Identity


Okta Basics Curriculum: Introduction to Workforce Identity

Today’s course is a good overview of why IT teams need tools like Okta – it covers a number of different scenarios including new hires and role changes that require access and permissions changes. Nothing much to comment on for this one, but a recommended watch if you’re new to Okta.

Today we’re going to sign up for an Okta developer account which will allow us access to an Okta dashboard and give us some practice using the tool. You can create a free account here and its a simple process to sign up.

Once you’re signed up and logged in, your Dashboard will look something like this:

Nothing else needed for today – we’ll start digging into adding users tomorrow.

Okta – Day 1 – Introduction to Identity & Access Management with Okta


Accessibility note: While I am impressed with Okta in general, please be warned that the Okta Basics training seems to have zero accessibility features – the videos do not offer closed captioning and there are no transcripts available anywhere that I can find. I am disappointed that in 2021 a company as large as Okta hasn’t made their training more accessible. Here’s hoping they figure it out soon and improve the training platform.

Day one of the Okta Basics training takes us through the basics of how Okta works, and how identity and access management works – its a quick 20 minutes that covers single sign-on, directories, federated identities, and lifecycle management, plus a few other things. We’re also introduced to the Okta Integration Network, which I’ll touch on later in this post, as I think this is really Okta’s biggest selling feature.

First, some very basic IAM definitions that you’ll need to understand:

Single sign-on – An authentication method that allows a user to authenticate once and then access a number of different tools and services without needing to log into each individually

Directories – A group of objects (computers, users, etc) that share the same database – Active Directory and LDAP are the two most prevalent examples

Federated identity – A user’s single authentication ticket or token is trusted across multiple IT systems or organizations

Lifecycle Management – Management of the creation of a user account, processing changes to the account, and the eventual offboarding or decommissioning of the account

Multi-Factor Authentication – Use of more than one type of authentication to access a user account – the three primary factors are something you have, something you know, and something you are.

As mentioned earlier, day one of the training introduces us to Okta’s bread and butter – the Okta Integration Network – Okta has exploded in popularity in the last couple of years primarily due to the amount of integrations they’ve developed that allow organizations to connect the tools and services they use with Okta.

Their quick overview of the OIN is available here, and the full list of integrations is available at – as of March 2021 they’re up to over 7000 different integrations. They have a whitepaper that goes into further detail about how application integration works – good read, and we’ll also learn more about this as we go through the Basics course.

That’s it for day one – tomorrow I’ll dig into workforce identity.

New Series: Okta


The identity and access management industry is growing daily as companies realize that they need to focus more time and energy on protecting their data and controlling access. Plenty of tools have arrived to help fill in the gaps and help make things easier for administrators to manage.

For the next couple of weeks, I’m going to do a deep dive into one of those options – Okta.

Okta was founded in 2009, hit unicorn status ($1+ billion valuation) in 2015, and IPO’d in 2017. They’ve grown even further since then and have become one of the primary identity management tools, supporting companies from the startup level up to Fortune 500 corporations. They announced this month that they were acquiring Auth0, a quasi-competitor with a focus on authentication and authorization.

I had the opportunity earlier this month to work through Okta’s entry-level training curriculum, and have also spent some time digging into the Okta administrator dashboard. I’ve started this new series of posts to track my own training and also provide some outside references to IAM essentials to help fill in the gaps for other learners. I have no affiliation with Okta. Just trying to level up my own skills.

The plan is to loosely follow the Okta Basics curriculum – one post per day with things I’ve learned, as well as external links. I’ve completed the Basics course once before and definitely found it useful – I recommend signing up if you’re using Okta in your organization.


Day 1 – Introduction to Identity & Access Management with Okta
Day 2 – Introduction to Workforce Identity
Day 3 – Managing Okta-Mastered Users
Day 4 – Managing AD-Mastered Users
Day 5 – Managing LDAP-Mastered Users
Day 6 – Managing Single Sign-On
Day 7 – Automating Lifecycle Management
Day 8 – Workflows and Automating Tasks
Day 9 – Multifactor Authentication
Day 10 – Managing API Access
Day 11 – Advanced Server Access
Day 12 – Configuring O365 with Okta
Day 13 – Okta’s Access Gateway
Day 14 – Configuring Universal Directory and User Profiles
Day 15 – End User Support & The Okta Help Center
Final training certification

Alex Taylor Internet enthusiast

Privacy advocate
Process developer
Product manager

Experience in information security, customer success, compliance and privacy, risk management, identity and access, and service deployment. Former teacher. Always learning.

We should hang out.