In addition to Okta Advanced Server Access, Okta Identity Engine and Okta Hooks both facilitate much great custom integration capabilities.
At their Oktane19 event in San Francisco, identity management vendor Okta has announced what are in essence two separate announcements. First, they are announcing Okta Advanced Server Access, which provides their first infrastructure solution, moving beyond the application layer to manage and secure access to both on-prem and cloud servers. Secondly, they are announcing Okta Identity Engine, a revision of the engine that drives the Okta Identity Cloud, which will let customers disaggregate the identity workflow and reassemble it like building blocks to better address specific cases. The Identity Engine is complemented by Hooks, new functionality that lets developers create unlimited custom integrations.
“Advanced Server Access is the most exciting part of this to me, because we are expanding where our customers take identity to more resources,” said Alex Salazar, VP of the Okta Developer Platform and Application Network. “This is the first time we are focusing downstack at the infrastructure tier.”
Okta has provided some authentication capability in the past, but it has been very limited. Okta Advanced Server Access, in contrast, provides comprehensive access management for both cloud infrastructure and on-premises Windows and Linux servers.
“We’ve always had some light support for servers,” Salazar said. “There was a Linux plug-in, and you could always apply some degree of single sign-on, but it was always very light. It wasn’t an area of focus for us. However, as we look to extend identity, to help customers connect everything, servers seemed like a very important next step for us, because it is critical infrastructure for our customers.”
Salazar noted that a number of vendors do some form of server authentication, focusing on different pieces of the issue, but their approaches, Secure Shell (SSH) keys and Remote Desktop Protocol (RDP) passwords, are static.
“We aren’t really competitive to any of those solutions,” he said. “We solve a different problem. The goal of our solution is to kill the shared credential. Everyone struggles with it. People deal with it in different ways. Our perspective is that they shouldn’t exist. We are trying to extend the user’s identify down to these infrastructure resources, so I access server directly, not access an admin account that has access to the server.”
Okta Advanced Server Access addresses this with a Zero Trust architecture, in which every login is independently authenticated and authorized.
“A big piece of the technology that we are rolling out here is based on the ScaleFT acquisition, a smaller company that we bought last year,” Salazar said. “They brought the ability to use ephemeral client certificate architecture to securely access servers, and replace the static keys and passwords with one-time client certificates. Now, our Advanced Server Access product lets us take signals about who is accessing the user beyond the credentials they are on, can see what workstations they are accessing the server on, and can determine if it’s a high risk server. In addition, the way traditional authentication works is that after you log in successfully, no one bugs you. But the server reauthenticates every three minutes, although this is invisible to the user. It’s all tied back to lifecycle management competency. The server checks with Okta to make sure I should still be on that server. If I leave the company and the Workday system, that goes to this server.”
Okta Advanced Server Access is available now.
“There’s a really interesting story here for channel partners,” Salazar indicated. “Our ecosystem of resellers gets involved in more conversations around static tools by bringing identity into the conversations. That’s already happening – but we are helping them extend the conversation. They can now ask the customer ‘how are you managing your new cloud servers? Can we extend the same project to include the servers? Partners who are deep in infrastructure, or future partners of ours from this area, can now be part of the new identity conversation.”
The new Okta Identity Engine is an enhancement of the Okta Identity Cloud that lets customers address unlimited identity use cases.
“The Okta Identity Engine is a major investment to the core engine that drives the Okta Identity Cloud,” Salazar said. “What it does is take the engine, and break it apart – turn it into Lego blocks. That will allow customers to reassemble those blocks however they like, for specific use cases. It gives them the ability to customize more deeply.” The Okta Identity Engine will be part of all Okta products, after it becomes available in the second half of 2019.
“Okta Hooks is the second side of this same story,” Salazar said. “Okta Identity Engine breaks the engine into Lego blocks that the customer can assemble. Hooks allows them to bring their own Lego blocks.”
Okta Hooks is new functionality of the Okta Identity Cloud that lets developers create unlimited custom integrations for the Okta Integration Network.
“Hooks is part of continuum of Okta becoming more composable and extensible,” Salazar said. “We really doubled down a few years ago on public APIs, but there were still some cases where workflow was too rigid. Identity Engine and Hooks make most of those workflows much more customizable. Identity is increasingly becoming critical to almost every business process – but with that growing criticality we are seeing people try and do more with those processes. So the importance of customization increases. This matters a great deal to the channel, because unlocking more customization enables channel partners to say ‘yes’ to customers.”
Potential developer customizations through Okta Hooks include enrolling new users into email marketing campaigns using Event Hooks, identifying or validating a registering user using Registration Inline Hooks, incorporating attributes from external databases for authorization using SAML and Token Inline Hooks, enriching profile information from HR or CRM systems with Import Inline Hooks, and automating IT Service Management using Event Hooks.
A month ago, Okta acquired Azuqua, a specialist in no-code, cloud-based business application integration and workflow automation. Eventually, their technology will provide a no-code capability so that non-developers can build Hooks integrations as well.
“Right now, what we have delivered is heavy customization, and to do heavy customization, you need code,” Salazar said. The end state that we drive towards is where Line of Business people who are not developers can point and click into a complex workload. That is the path we are building towards, but we don’t have a timeline on that.”
Okta Hooks is available for Early Access starting today as a new core function of the Okta Identity Cloud. Hooks will be included in existing Okta products.