Directory Integrationwith OktaAn Architectural OverviewOkta Inc.301 Brannan StreetSan Francisco, CA [email protected]

White paperContents1User Directories and the Cloud: An Overview3 Okta Directory Integration for All Your Cloud Apps4 Simple and Secure Setup and Configuration5 Real Time Synchronization6 Just-in-Time User Provisioning6 Simple-to-Use Delegated Authentication7 Desktop Single Sign-On8 Self Service Password Reset Support8 Security Group–Driven Provisioning8 One-Click Deprovisioning9 Single Sign-On for Authenticated Apps10 Conclusion—Extend Active Directory to the Cloud with Okta10 Okta Active Directory Agent Details10 Okta IWA Web Application Details11 Okta LDAP Agent Details11 About Okta

White paperUser Directories and the Cloud:An OverviewFirewallInternetFor most companies, Microsoft Active Directory (AD) orLightweight Directory Access Protocol (LDAP) directories suchYour NetworkUser StoreUser Storeas SunOne or Oracle Internet Directory play the central roleLocal usersUser StoreUser Storein coordinating identity and access management policies. AD/LDAP typically serves as a “source of truth” for user identitiesUser Storeand provides access control to on-premises resources such asnetworks, file servers, and web applications (see Figure 1). WhenOn-premisesAppsAD or LDAPUser StoreUser StoreUser StoreUser Storeon-premises applications are integrated to Active Directory orLDAP, users get the best possible experience: they log in to theirdomain once and are granted access to the appropriate resources.Remote usersAdministrators benefit too—they maintain clear control overFigure 2: Adoption of cloud applications leads to proliferation ofwho has access to what. This model is ubiquitous because ituser storesworks well with LAN-based architectures (where applications areserved from hardware inside the firewall). But as we’ll show, thisapproach begins to break down as enterprises shift to cloud-basedapplications, and a new solution is needed.InternetFirewallOne solution to the problem of independent user storeproliferation is to attempt to integrate all cloud applications toa single, shared identity store (see Figure 3). Active Directory orLDAP user stores are by far the most convenient options for this,Your Networkas they can provide identity management for both on-premisesand cloud-based applications. Some cloud application vendorsprovide APIs or toolkits that allow enterprises to try to connect theLocal usersapplication’s standalone identity stores to AD or LDAP. However,integration via APIs requires custom development, and each of theAD or LDAPOn-premisesAppstoolkits is different and can often require significant investment insetup, equipment (hardware to run the connector software),andmaintenance as the applications change over time. As the numberof cloud applications increases, this model of per-app AD or LDAPintegrations becomes prohibitively expensive. There is always theRemote usersnext new application that the business needs to run.Figure 1: AD or LDAP for on-premises application user identitiesInternetA byproduct of the transition to cloud applications is theFirewallYour Networkproliferation of separate user stores; each cloud applicationLocal userstypically is rolled out independently and therefore has its ownunique database of user credentials (see Figure 2). This is a minornuisance with only one or two applications, but as companiesAD or LDAPadopt more and more cloud applications, administrators are facedOn-premisesAppswith an unmanageable number of different user directories. Andthis problem is only getting bigger. Users’ passwords proliferatewith each new application, and administrators quickly lose controlRemote usersover who has access to what. Worse still, when an employeeleaves, most companies cannot easily and accurately identify whichFigure 3: Integrating with multiple cloud applications is costlyaccounts to deactivate, nor do they have any auditing capabilitiesand difficult to maintainto ensure the necessary deprovisioning occurs in a timely manner.1

White paperOkta’s cloud-based identity and access management service solvesOkta eliminates the pitfalls that come with trying to build andthese problems with a single integration point that provides amanage multiple on-premises directory integrations yourself:highly available solution for all cloud and web-based applicationAD and LDAP integrations.Pitfall of DIY AD/LDAP integrationsOkta’s approachDo you have the correct skillset to develop these integrations?development experience a nd can be accomplished in minutesWith Okta, integrations do not require p rogramming orthrough o ur easy-to-use interface.Okta works with ISVs and monitors changes and upgrades toHow will you upgrade and maintain integrations?existing APIs to take advantage of the latest functionality; werelease updates weekly to reflect changes.Okta continuously monitors and tests existingHow do you monitor the health of the integration?integrations to ensure that the integration functions asexpected after upgrades and releases.Which protocol will you use to connectto each cloud application?Okta eliminates the need to know SAML, OAuth, S CIM, andnumerous other integration protocols, because Okta managesthese integrations for you.What happens when the server running yourOkta automatically enables failover recoveryhome-grown, toolkit-based integration fails?with a redundant-agent architecture.How will you integrate your cloud app with aOkta has built-in support for multiple ADmultiple domain AD or LDAP configuration?and/or LDAP domain environments.What firewall changes are needed for eachWith Okta, there are no firewall changescloud app-to-AD/LDAP integration?needed to support AD or LDAP integration.Once in place, Okta provides an infrastructure that allowsLDAP credentials; it enables IT admins to control access to thosecompanies to freely pursue new cloud applications while stillapplications from a single control panel; and it combines AD orleveraging internal directories for their employee user identities.LDAP security groups with individual user assignments.This allows users to access any cloud app using their existing AD or2

White paperOkta Directory Integration forAll Your Cloud AppsOkta offers a complete and easy-to-use directory integrationsolution for cloud and on-premises web applications. The Oktaon-demand Identity and Access Management service providesFirewallInternetYour NetworkAuthenticateProvisionDe-ProvisionOkta IWAWeb Appuser authentication, user provisioning and de-provisioning, anddetailed analytics and reporting of application usage, for bothOkta ADAgent(s)cloud applications and on-premises web applications. A keyActiveDirectoryOn-premisesAppscomponent of this service is Okta’s directory integration capability,Local userswhich is very easy to set up and is architected for high availability.In addition, Okta maintains the integrations for you, with thousandsof applications supported in Okta’s Application Network (OAN).Remote usersFor AD integration, Okta provides three lightweight and secure on-Figure 4: Okta for Active Directory architecture: One integrationpremises components:for all web applications Okta Active Directory Agent: A lightweight agent that canbe installed on any Windows Server and is used to connectto on-premises Active Directory for user provisioning, deprovisioning, and authentication requests. Okta Integrated Windows Authentication (IWA) WebOkta’s directory Integration offers the following: Simple and Secure Setup and Configuration Real-time provisioning Intelligent user synchronizationApplication: A lightweight web application that is installed Just-in-time user provisioningon an Internet Information Services (IIS) and is used Robust delegated authenticationto authenticate domain users via Integrated WindowsAuthentication. Okta Active Directory Password Sync Agent: A lightweight Integrated desktop single sign-on (SSO) (AD only) Self service password reset support (AD only)agent installed on your domain controllers that will Security group-driven provisioningautomatically synchronize AD password changes, send to Automated one-click deprovisioningOkta, and keep your user’s AD passwords in sync with the appsthey use. Single sign-on for directory authenticated appsFor LDAP integration, Okta provides a single lightweight and secureon-premises component: Okta LDAP Agent: A lightweight agent that can be installed onany Windows Server and is used to connect to on-premisesLDAP user stores for provisioning, de-provisioning, andauthentication requests.The Okta AD/LDAP Agents, the Okta IWA Web App and the Okta ADPassword Sync Agent combine with the Okta cloud service itselfto form a highly available, easy to set up and maintain architecturethat supports multiple use cases. This paper provides additionaldetails about this flexible architecture.3

White paperSimple and Secure Setup andConfigurationWith Okta, enabling directory integration is a simple wizard-drivenprocess. With one click from the Okta administrative console,you can download the Okta Active Directory or LDAP Agent andinstall it on any Windows Server that has access to your DomainController. The Okta Agents run on a separate server from yourdomain controller.Figure 5: The Active Directory installation process4

White paperReal Time SynchronizationDuring installation, you simply enter your Okta URL and ADCompanies do not need to worry about inconsistent profileAdministrator credentials and the Okta AD Agent creates a low-information between their user store and Okta that may occur withprivileged, read-only integration account and then securelyschedule imports. With real-time synchronization, Okta seamlesslyestablishes a connection with your Okta instance—no network orupdates profiles on every login. So whether you change individualfirewall configuration required.profile information or larger group information, your users will beThe Okta AD Agent connects to Okta’s cloud service using anoutbound port 443 SSL connection. This connection is cycledevery 30 seconds to ensure compatibility with any existing firewallsfully updated throughout the day in Okta.The process to enable real time synchronization is:1. Download and install the appropriate Agent.or other security devices. As a rule of thumb, if a user can log intothe host machine using AD credentials and can access the Internetfrom a browser, the Okta AD Agent will work successfully and willrequire no firewall changes.2. Import OUs and Groups (without the member attributes).3. Configure OU selection and username preference. Note: Theschedule import pull down menu will be set to Never.4. Delegated Authentication, and Just in Time Provisioning (JIT)are turned on by default.5. Users can immediately JIT in without any previous import andAD / LDAPDirectoryOkta Agentbecome Okta users.6. On every delegated authentication or JIT request, GroupPort 443Port 636memberships are imported in addition to the full User profile.7. Users are fully updated on every login and asynchronously.Admins can change OUs, user profile and group information inActive Directory and users will be fully updated.Local usersFigure 6: Okta Agent connections are Port 443 for AD (SSLEncrypted) and over Port 636 for LDAP. No firewall changes areneeded for either the AD or LDAP Agents.Communication with the Okta AD/LDAP Agents is secured usingSSL and mutual authentication, specifically: Okta AD/LDAP Agents to Okta Service: The Agentauthenticates the service by validating the Okta server SSL certfor The service authenticates the Agentusing a security token given to the Agent on registration. Theregistration process requires Okta administrator credentialsbefore generating the security token. The security token isspecific to each Agent and can be revoked at any time. Okta Agent to the Domain Controller or LDAP server: TheAgent authenticates with the Domain Controller using thelow-privileged, read-only integration account that was createdduring the agent install process.5

White paperJust-in-Time User ProvisioningSimple-to-Use DelegatedAuthenticationUser provisioning is very simple and fast with Okta’s just-in-timeOkta’s directory integration support also allows you to delegateprovisioning. With just-in-time provisioning, IT admins can allowthe authentication of users into Okta to your on-premises AD ornew users to be automatically created in Okta provided theyLDAP Domain instead. That is, user login attempts to mycompany.already exist in Active Directory or in an LDAP user will be checked against Active Directory or LDAP forIT Admins are not required to run an initial import before activatingusers, saving time during configuration. Users will be able toimmediately sign into Okta by going to their login page and signingin with their directory (AD or LDAP) credentials. Administrators willbe able to see the full user profile, groups, and group membershipsdisplay in the People tab.The process for just-in-time provisioning is:1. A user who previously was not provisioned in the Okta serviceattempts to log in to Okta and the Okta Agent check the user credentials againstActive Directory or LDAP.3. If the user is active in AD/LDAP, a new user account isautomatically created in Okta. The new user accountleverages their existing AD credentials.4. Depending on their directory security group attributes, theuser is automatically provisioned to downstream cloud andweb applications via the Okta service.Just-in-time provisioning allows IT admins to increase userauthentication. Users can then easily log into Okta using their Oktauser name and directory password.More specifically, the process is:1. The user types his user name and password into the Okta userhome page. This login page is protected with SSLand a security image to prevent phishing; multi-factorauthentication (extra security question or smartphone softtoken) can be enabled as well.2. The user name and password are transmitted to an OktaDirectory Agent running behind the firewall over the SSLconnection that had been previously established during setup.3. The Okta Directory Agent passes those credentials to the ADor LDAP Domain Controller for authentication.4. The Domain Controller responds with a yes/no answer,validating the user name and password.5. The yes/no response is transmitted back to the Okta service bythe Okta Directory Agent. If yes, the user is authenticated andsent to his Okta My Applications user home page.adoption of both the Okta service and of all assigned cloudapplications, while leveraging the AD or LDAP credentials that theirusers already know.InternetFirewallYour NetworkOkta IWAWeb AppOkta ADAgent(s)ActiveDirectoryLocal usersRemote usersFigure 7: Delegated authentication to Active Directory6

White paperDesktop Single Sign-OnThe user experience for Delegated Authentication to AD /LDAP isOkta supports Desktop Single Sign-On, extending local users’simple:Windows domain login procedures to grant access to Okta and1. Log in to Okta home page; launch appto their cloud applications. Okta’s AD integration uses Microsoft’sIntegrated Windows Authentication to seamlessly authenticate2. Okta looks to a directory to authenticate users3. If valid, Okta SSOs in to cloud appsBecause this feature governs user access into Okta, the architecturesupports multiple Okta AD and/or LDAP Agents running in yourenvironment to provide redundancy. If one of the Okta AD orusers to Okta that are already authenticated via their Windowsdomain login. You simply download and install Okta’s IWA webapplication, configure the relevant IP ranges, and the setup iscomplete.InternetFirewallYour NetworkLDAP Agents stops running or loses network connectivity, theOkta IWAWeb Appauthentication requests are automatically routed to the other OktaAD or LDAP Agents.With this authentication mechanism, the user’s password is neverOkta ADAgent(s)stored in the Okta service and your directory is maintained as theActiveDirectoryimmediate and ultimate source for credential validation. BecauseAD or LDAP is always relied upon for user authentication, changesLocal usersto the user’s status (such as password changes or deactivations) arereflected immediately in the Okta service.Remote usersFigure 8: Desktop SSO with Okta IWA web applicationThe behind-the-scenes steps that enable seamless login to theOkta service via Desktop Single Sign-On (shown in Figure 9) are:1. User navigates to The user is redirected to the locally installed IWA webapplication.3. The IWA web application transparently authenticates the uservia Integrated Windows Authentication (Kerberos).4. The user is redirected back to the Okta login page withcryptographically signed assertions containing his AD useridentity.5. The Okta service validates the signed assertions and sends theuser directly to his Okta home page.7

White paperNote that all of the above steps are transparent to the user. Theapplications are handled automatically. This greatly reduces theuser experience is simple: navigate to https://mycompany.okta.comprovisioning time for new employees, and allows IT admins toand then land immediately on the user home page containing linkscontinue to use AD or LDAP as their starting point for user all of his assigned applications. Alternatively, a user can simplyclick a link corresponding to a particular application and then beautomatically signed in to that application. The authentication toAD behind the scenes is transparent to the user.When a user’s Security Group membership changes, the changeis detected by the Okta Directory Agent and is relayed to the OktaService. When this happens, the assignment rules are recomputed.These rules trigger applications to be newly assigned, existingLastly, remote users or users out of the office continue to find andapplication assignments to be removed, or user properties to beSSO into all of their cloud applications by simply visiting the Oktaupdated on the downstream applications.user home page.New and updated application assignments work exactly the same.All of the steps to provision the account, set up SSO, and updateSelf Service Password ResetSupportthe user’s My Applications home page are handled automatically.Deletions are handled similarly. If a user’s access to an app isremoved, he is immediately locked out from using SSO to accessthat application. The application account is then deactivatedby the Okta service, or if that cannot be done automatically,Your users can also change their Active Directory password viaOkta. When a user’s AD password expires or is reset they willautomatically be prompted to change it the next time they log in toOkta. Users can also proactively change their AD password directlyan administrative task is created that must be cleared once theaccount has been deactivated manually. All of these actionscan execute automatically or after confirmation by an Oktaadministrator.from the account tab on their Okta homepage, and Okta keeps allof these credentials synchronized with AD.One-Click DeprovisioningSecurity Group–DrivenProvisioningUser deactivation is typically triggered from a standard corporateidentity store such as Active Directory or LDAP. With Okta’scentralized deprovisioning, deactivating a user in your userOkta’s service has a group feature that can be used to drive bulkapplication provisioning and assignments to Okta users accordingto what groups they are members of. Okta allows you to mapActive Directory or LDAP’s security groups to native Okta groupsand, as a result, to automatically provision applications to usersbased on their membership within AD or LDAP security immediately initiates a deprovisioning workflow to ensuremaximum effectiveness in preventing unauthorized access to Oktaand other cloud applications. The workflow generates a notificationto administrators and guides IT to complete any necessarymanual deprovisioning tasks associated with a particular user orapplication. Further, this workflow also serves as an audit trail;within Okta the entire audit trail is captured for reporting and auditWhen you add a user to your directory, you can place him in asecurity group, and during automatic synchronization with Okta,purposes so that you can easily generate historical deprovisioningreports by user or by application.that user will be added, and accounts in the applications mappedto that security group will be automatically provisioned on theirbehalf. Application-specific parameters such as role, profile, anduser information are automatically set based on rules definedwithin the Okta service as well. For example, a rule can be definedwithin Okta that ensures that all members of the AD/LDAP securitygroup “Sales” are provisioned an account in andgiven access to it.The result is that when a user is added to your directory, all ofthe tasks required to give him access to his cloud and web-based8

White paperSingle Sign-On forAuthenticated AppsMost enterprises have on-premises web applications that canOkta can leverage its Secure Web Authentication protocol toeasily be integrated into Okta’s SSO solution. Many companiesautomatically log users into these internal web applications. Whenalso have web applications that use Directory credentials foran internal web application is configured to delegate authenticationauthentication. These applications are not using Integratedto appropriate directory (the same source to which Okta delegatesWindows Authentication, but instead require the user to enter theirauthentication), Okta captures the user’s AD/LDAP password atAD or LDAP credentials when they sign in. When Okta is configuredlogin and automatically sets that password for that user in anyto delegate authentication to Active Directory, signing in to theseapplications that also delegate to AD or LDAP. This allows users tointernal web applications can also be automated.simply click a link to access these applications, and then be loggedThe behind-the-scenes steps that enable SSO for Directoryauthenticated internal web applications (shown in Figure 10) are:1. Okta is configured to delegate authentication to AD/ automatically.Note that Okta synchronizes the AD password securely; if thepassword subsequently changes in AD, this event is captured onlogin to Okta and immediately updated in the secure password2. Customer has on-premises apps authenticating to AD/LDAP.3. User logs into Okta with AD/LDAP credentials.4. User accesses App 1 and App 2 with SWA using AD/LDAPstore for that application, ensuring that the next login attempt willbe successful.FirewallInternetYour Networkcredentials.5. App 1 and App 2 authenticate user against AD/LDAP.Okta ADAgent(s)14http:///portal.mycompany.comLDAP2App 1App 253MyCo PortalaccountsupportshippinguserIDPasswordFigure 9: Okta enables SSO for LDAP authenticated internal webapplications9

White paperConclusion—Extend YourDirectory to the Cloud with OktaOkta Active DirectoryAgent DetailsCompanies continue to shift their focus from legacy on-premisesThe Okta AD Agent is designed to scale easily and transparently. Forapplications to newer cloud based services. The newer cloudredundancy a cluster can be created by installing Okta AD Agentsservices offer enormous benefits, both in expanded capabilitieson multiple Windows Servers; the Okta service registers each Oktaand in lower overall cost. The question today is not if you canAD Agent and then distributes authentication and usermake this transition, but rather how fast can you do it. One of thebiggest obstacles in this path is managing user identities in a waythat is consistent with users’ and administrators’ experience andexpectations. Linking Active Directory or LDAP to cloud servicessolves this problem, and Okta’s cloud-based identity managementmanagement commands across them automatically. If any agentloses connectivity or fails to respond to commands, it is removedfrom rotation and the administrator is notified via email. In parallel,the Okta AD Agent will attempt to reconnect to the service using anexponential back-off capped at 1-minute intervalssolution makes it possible. Okta provides a flexible, highlyredundant, and scalable solution for managing cloud identities,and it does so in a service that is easy to set up and is virtuallymaintenance-free. Let Okta extend your Directory usage to all ofyour cloud applications—both the apps you use today and the onesyou’ll need in the future.System Requirements for Okta AD AgentThe following are minimum system requirements to support theOkta AD Agent: Windows Server 2003 R2 or later 20 MB of memory for service AD Service Account created upon Okta AD Agent installationHere are suggested system requirements: 256 MB of memory for service Dedicated AD Service Account with Domain Users permissions Separate server from Domain Controller (can be shared)Okta IWA Web ApplicationDetailsOkta IWA is a lightweight IIS web app that enables desktop SSOwith the Okta service. The Okta IWA web application installs onWindows Server 2008 in Web Server Role. The installer configuresIIS and all Windows components.System Requirements for Okta IWA WebApplicationThe following are system requirements necessary to support theOkta IWA web application: Windows Server 2008 in Web Server Role 50 MB of memory10

White paperOkta LDAP Agent DetailsAbout OktaThe Okta LDAP Agent is designed to scale easily and transparently.Okta is the foundation for secure connections between peopleFor redundancy a cluster can be created by installing Okta LDAPand technology. By harnessing the power of the cloud, OktaAgents on multiple Windows Servers; the Okta service registersallows people to access applications on any device at any time,each Okta LDAP Agent and then distributes authentication and userwhile still enforcing strong security policies. It integrates directlymanagement commands across them automatically. If any agentwith an organization’s existing directories and identity systems, asloses connectivity or fails to respond to commands, it is removedwell as 4,000 applications. Because Okta runs on an integratedfrom rotation and the administrator is notified via email. In parallel,platform, organizations can implement the service quickly at largethe Okta LDAP Agent will attempt to reconnect to the service usingscale and low total cost. More than 2,500 customers, includingan exponential back-off capped at 1-minute intervals.Adobe, Allergan, Chiquita, LinkedIn, MGM Resorts International andWestern Union, trust Okta to help their organizations work faster,System Requirements for Okta LDAP Agentboost revenue and stay secure.The following are minimum system requirements to support theFor more information, visit us at or follow us onOkta LDAP Windows Server 2003 R2 or later 20 MB of memory for service LDAP Service Account created upon Okta LDAP AgentinstallationHere are suggested system requirements: 256 MB of memory for service Dedicated Service Account with Domain Users permissions Separate server from Domain Controller (can be shared)The Okta LDAP agent supports many of the popular LDAP vendorsincluding the following: SunOne LDAP 5.2 , 6.*, 7.* Oracle Internet Directory OpenLDAP OpenDJ11

The Okta AD/LDAP Agents, the Okta IWA Web App and the Okta AD Password Sync Agent combine with the Okta cloud service itself to form a highly available, easy to set up and maintain architecture that supports multiple use cases. This paper provides additional details about this flexible architecture. Remote users Active Directory Okta IWA Web .