I would like to share my study notes on Okta. I hope my notes are useful to all of you:
- First, you need to understand the basics of IAM. IAM is Identity and Access Management. Ensuring that the right person gets access to the right services requires designing and implementing sign-in flows and access management. This usually involves integrating complex functionality into many areas of your applications. The solution impacts your end users and customers, your employees, and how easy it is to adapt to changing security needs. Even small issues with the design or implementation can cause reliability issues, or worse, expose a weakness in your security.
- IAM concepts introduces the Workforce and Customer Identity models for IAM solutions and summarizes the main features of an IAM solution.
- IAM design example illustrates a typical CIAM solution for an application that supports an organization’s employees and customer users.
- Designing an IAM solution summarizes the key areas of IAM. These areas include identity management, key architectural considerations, and a link to a glossary of key terms and concepts.
- Second, you need to understand what Okta is and how it works:
Okta is a customizable, secure, and drop-in solution to add authentication and authorization services to your applications. Get scalable authentication built right into your application without the development overhead, security risks, and maintenance that come from building it yourself. You can connect any application in any language or on any stack to Okta and define how you want your users to sign in. Each time a user tries to authenticate, Okta will verify their identity and send the required information back to your app.
Here is a list of what you can do with Okta:
- You built an app, and you want to add authentication and authorization: You can use Okta to allow your users to sign in with a username/password or with their social accounts, such as Google or Facebook, using pre-built sign-in components from Okta.
- You built an API, and you want to add authentication and authorization to it: You can use Okta to secure your APIs and application backends so that only authorized users and applications can call them.
- You have more than one app, and you want to implement Single Sign-On (SSO): Use Okta to allow your users to sign in to other applications instead of requiring them to remember separate sets of credentials for each application or service. Users can simply sign in once and access your full suite of applications.
- You want to enforce multifactor authentication (MFA) when your users want to access sensitive data: Use Okta to enable a second level of security (SMS, Email, Voice, Biometrics, Okta Verify, and so on) for every sign-in, or configure policies to only enforce MFA based on location or network.
- You want to federate your users using an existing enterprise directory: Use Okta to allow users to sign in to the various internal and third-party applications using their existing enterprise credentials or through Active Directory (AD) or LDAP servers.
- You have an app, and you want to manage the users that access your application: Use Okta's UI to add or remove users, modify profile and authorization attributes, and quickly troubleshoot user sign-in issues.
- Third, you should learn about OAuth 2.0 and OpenID Connect (OIDC):
- OAuth 2.0 controls and delegates authorization to access a protected resource, like your web app, native app, or API service. It provides API security through scoped access tokens.
- OIDC extends OAuth 2.0 with user authentication and Single Sign-On (SSO) functionality. It enables you to retrieve and store authentication information about your end users. It also defines several OAuth 2.0 scopes to enable applications to access user profile information.
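The OAuth 2.0 versus OIDC split above is easiest to see in the checks each token gets. Below is an added example (my own illustration, not code from Okta or from the notes above) of the claim checks a relying party applies to an OIDC ID token and the checks an API applies to an OAuth 2.0 access token. The issuer, client ID and audience values are constructed stand-ins shaped like an Okta default authorization server, and the example assumes the token signature has already been verified against the issuer's JWKS; the `scp` claim name is the one Okta uses for scopes in access tokens.

```python
import time

# Constructed values standing in for an Okta org; the issuer and audience
# follow the shape of Okta's default authorization server but are assumptions.
ISSUER = "https://dev-123456.okta.com/oauth2/default"
CLIENT_ID = "0oa-example-client-id"
API_AUDIENCE = "api://default"


class TokenError(Exception):
    """Raised when a token's claims fail one of the checks below."""


def validate_id_token_claims(claims, expected_nonce, now=None):
    """OIDC: the ID token proves *who* authenticated. After the signature has
    been verified (not shown), the relying party must still check issuer,
    audience, expiry and the nonce it sent with the authentication request."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise TokenError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise TokenError("ID token expired")
    # The nonce binds the token to the request that asked for it, so a token
    # captured from another session cannot be replayed into this one.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return {"subject": claims["sub"], "email": claims.get("email")}


def authorize_api_call(claims, required_scopes, now=None):
    """OAuth 2.0: the access token says *what* the caller may do. A resource
    server checks issuer, audience and expiry, then that every scope the
    endpoint needs is present in the token's scope claim (Okta emits "scp")."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("unexpected issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise TokenError("token is not meant for this API")
    if claims.get("exp", 0) <= now:
        raise TokenError("access token expired")
    granted = set(claims.get("scp", []))
    missing = set(required_scopes) - granted
    if missing:
        raise TokenError("missing scopes: " + ", ".join(sorted(missing)))
    return True
```

Note that the two functions reject each other's tokens: an ID token carries the client ID as audience and is never accepted by the API, and an access token has no nonce and is never accepted as proof of login.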
- Fourth, if you want to build solutions with more Okta functions, please explore the API:
Core Okta API: The Core Okta API is the primary way that apps and services interact with Okta. You can use it to implement basic auth functions such as signing in your users and programmatically managing your Okta objects.
Manage Okta objects: REST endpoints to configure objects whenever you need. For example:
- The Apps API is used to manage Apps and their association with Users and Groups.
- The Users API is used for CRUD operations on Users.
- The Sessions API creates and manages users' authentication sessions.
- The Policy API creates and manages settings such as a user’s session lifetime.
- The Factors API is used to enroll, manage, and verify factors for multi-factor authentication (MFA).
- The Devices API is used to manage Device identity and lifecycle.
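As an added example of calling the management endpoints listed above (my own code, not Okta's SDK), here is a small client for the Users API that authenticates with an SSWS API token, walks the paginated `GET /api/v1/users` listing via the `Link` header, watches the `X-Rate-Limit-Remaining` header so a bulk job stops before it is throttled, and issues the `lifecycle/deactivate` call. The org domain and API token are constructed placeholders, and the `transport` parameter is a hypothetical injection point so the paging logic can be exercised without network access.

```python
import json
import re
import urllib.request

# Constructed placeholders; a real org domain and API token would go here.
OKTA_DOMAIN = "dev-123456.okta.com"
API_TOKEN = "00placeholder-api-token"

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def parse_next_link(link_header):
    """Okta paginates list endpoints with a Link header; return the rel="next"
    URL, or None once the last page has been reached."""
    if not link_header:
        return None
    m = NEXT_LINK.search(link_header)
    return m.group(1) if m else None


def okta_request(url, method="GET", body=None):
    """Send one authenticated management-API request. The SSWS scheme carries
    an API token, which is distinct from an OAuth bearer token and should be
    treated as an admin credential. Returns (parsed_json, lowercased_headers)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "SSWS " + API_TOKEN,
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return json.loads(resp.read() or b"null"), headers


def list_all_users(transport=okta_request, page_size=200):
    """Collect every page of GET /api/v1/users. `transport` is a hypothetical
    injection point (assumption) so the loop can be tested offline."""
    url = f"https://{OKTA_DOMAIN}/api/v1/users?limit={page_size}"
    users = []
    while url:
        page, headers = transport(url)
        users.extend(page)
        remaining = int(headers.get("x-rate-limit-remaining", "1"))
        url = parse_next_link(headers.get("link"))
        if url and remaining <= 1:
            # Stop before tripping the limit (HTTP 429); a real job would sleep
            # until the epoch second in X-Rate-Limit-Reset and then resume.
            break
    return users


def deactivate_user(user_id, transport=okta_request):
    """Users API lifecycle operation: POST .../users/{id}/lifecycle/deactivate."""
    url = f"https://{OKTA_DOMAIN}/api/v1/users/{user_id}/lifecycle/deactivate"
    _, headers = transport(url, method="POST")
    return headers
```

The listing loop returns whatever it has gathered when it bails out on the rate limit, so callers should compare the count against `totalResults` or rerun once the window resets rather than treat a short list as complete.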
- Fifth, learn about SCIM:
Definition: The System for Cross-domain Identity Management (SCIM) standard allows admins to manage user and group information between external applications and Okta Universal Directory. Integrating with Okta streamlines and automates managing user accounts, credentials, and privileges between business systems. Admins can configure SCIM app integrations to use a direct cloud connection or an agent sitting on-premises. SCIM and provisioning are frequently used as interchangeable terms, but they’re slightly different. Provisioning refers to the entire process of exchanging lifecycle information, while SCIM is the standard protocol through which those exchanges are made.
- Okta sends SCIM changes to external application targets. These requests can use any of the CRUD operations to change user or group data in the application.
- SCIM compliant app integrations receive and process SCIM requests from Okta.
- The Okta User Directory reflects the updated user profile information.
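To make the three steps above concrete, here is an added example (my own code, not Okta's and not from the notes) of the application side: an in-memory SCIM 2.0 `/Users` endpoint that receives the requests Okta sends, verifies the bearer token configured in the integration with a constant-time compare, answers the `userName eq` lookup Okta performs before creating a user, creates the user, and applies the `PatchOp` that sets `active` to `false` when Okta deprovisions. The schema URNs come from the SCIM standard (RFC 7643/7644); the bearer token value and the `ScimApp` class are constructed for the example.

```python
import hmac
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed shared secret: the bearer token an admin enters in the Okta
# SCIM integration settings. The app must compare it in constant time.
BEARER_TOKEN = "constructed-scim-bearer-token"

FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')


class ScimApp:
    """Minimal in-memory SCIM 2.0 /Users endpoint (constructed example)."""

    def __init__(self):
        self.users = {}  # id -> SCIM user resource

    def handle(self, method, path, headers, body=None):
        """Dispatch one request from Okta; returns (status, json_body)."""
        body = body or {}
        expected = "Bearer " + BEARER_TOKEN
        auth = headers.get("Authorization", "")
        if not hmac.compare_digest(auth.encode(), expected.encode()):
            return 401, self._error(401, "invalid bearer token")
        if path.startswith("/Users?filter="):
            return self.search(path.split("filter=", 1)[1])
        if method == "POST" and path == "/Users":
            return self.create(body)
        m = re.fullmatch(r"/Users/([^/]+)", path)
        if m:
            user = self.users.get(m.group(1))
            if user is None:
                return 404, self._error(404, "user not found")
            if method == "GET":
                return 200, user
            if method == "PATCH":
                return self.patch(user, body)
        return 404, self._error(404, "unsupported route")

    def search(self, raw_filter):
        # Okta looks a user up by userName before creating, to avoid duplicates.
        decoded = raw_filter.replace("%20", " ").replace("%22", '"')
        m = FILTER_RE.match(decoded)
        if not m:
            return 400, self._error(400, "unsupported filter")
        hits = [u for u in self.users.values() if u["userName"] == m.group(1)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                     "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

    def create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, self._error(400, "schema and userName are required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, self._error(409, "userName already exists")
        user = dict(body, id=str(uuid.uuid4()), active=body.get("active", True))
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user, body):
        # Deprovisioning arrives as a PatchOp that replaces active with false;
        # the account is disabled, not deleted, so the audit trail survives.
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, self._error(400, "expected PatchOp")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return 400, self._error(400, "only replace is supported here")
            value = op.get("value", {})
            if "path" in op:  # replace with an explicit attribute path
                value = {op["path"]: op["value"]}
            for attr, new in value.items():
                if attr in ("id", "schemas"):
                    return 400, self._error(400, "immutable attribute")
                user[attr] = new
        return 200, user

    @staticmethod
    def _error(status, detail):
        return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
```

Wiring `handle` behind a real HTTP framework is left out; the point is the order of operations Okta drives (lookup, create, patch) and that every request, including the lookup, is authenticated before any directory data is returned.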