Advanced Server Access Client

The Advanced Server Access ClientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. is a lightweight desktop application and command-line tool for Windows, macOS, and Linux.



After installing the client, you will enroll your client in your team with the command sft enroll.

This adds your new client to your client inventory on the Advanced Server Access Platform, and authorizes it to take actions on your behalf. After your client is enrolled, you will see it on your client list on the Advanced Server Access Dashboard.


sft [global options] command [command options] [arguments...]


sft config

Get and set sft configuration options

Many configuration options are available. See the Configuration section for details.

sft dash

Open your team's dashboard in your browser

sft device-info

Shows your client's device info as JSON

sft enroll

Adds your new client to your client inventory on the Advanced Server Access Platform

sft list-accounts

  • --columns: comma-delimited list of lowercase column names to print, only used for default output format
  • -l, --selector: Selector (label query) to filter on, see Selectors, below.
  • --output [format], -o [format] The output format must be one of: default, json, or describe

List the accounts this client is configured to be able to use

sft list-accounts -o json
sft list-accounts --columns account,id
sft list-accounts -l account=teamname --columns id,username

sft list-servers

  • --columns: comma-delimited list of lowercase column names to print, only used for default output format
  • -l, --selector: Selector (label query) to filter on, see also Selectors
  • --output [format], -o [format] The output format must be one of: default, json, or describe

List servers in the current team which your client has access to

sft list-servers -l os_type=windows
sft list-servers -l os_type=windows,project_name=Demo
sft list-servers -l os_type=windows --columns id,hostname
sft list-servers -l os_type=linux -o json

sft login

If logged out of your client's current team, create a new session, authenticating with your team's Identity Provider.

An active, authorized client session allows the Advanced Server Access Client to request credentials in the background as needed.

sft logout

Logout from current session

sft proxycommand

  • --config: Deprecated in favor of sft ssh-config
  • --via, --bastion: SSH bastion host to use to connect to the target

Used with OpenSSH ProxyCommand to enable transparent use of sft with ssh, scp, rsync, ftp, etc.

sft rdp

  • --via, --bastion: SSH bastion host to use to connect to the target

Connect to RDP to a target passed as an argument

sft resolve

Resolves a single server matching the hostname or instance-details specified

sft ssh

  • --via, --bastion: SSH bastion host to use to connect to the target
  • --command: Command to execute over SSH
  • -L: Support local port-forwarding as OpenSSH does
  • -R: Support remote port-forwarding as OpenSSH does

Connect via SSH to a target passed as an argument

Generally, Advanced Server Access works with ssh using OpenSSH ProxyCommand integration. The sft ssh command is provided for ssh support in environments or contexts where OpenSSH is not available, or for times when you may want to explicitly pass Advanced Server Access-specific options such as --via.

sft ssh-config

  • --via, --bastion: SSH bastion host to use to connect to the target

Print an OpenSSH configuration block suitable for use in your ~/.ssh/config file which will enable your local ssh binary to use Advanced Server Access authentication. This SSH configuration will be used only when your client has a currently active and authorized session.

sft unenroll

  • --all: Unenroll all local clients

Remove the currently active client from your client inventory in the Advanced Server Access Platform

sft use

Set an enrolled team as the current default for use in your current session

sft help

Shows a list of commands or help for one command

Global Command Line Options

  • -h, --help: Display help.
  • -v, --version: Display version.
  • --config-file: Provide alternative configuration file path.
  • --account: Use specified account
  • --team: Use specified team
  • --instance: Use specified instance of the Advanced Server Access Platform

All options are optional.


  • -l, --selector: Selector (label query) to filter on

Commands which take a selector as an optional argument can filter their results based on an arbitrary selector query.

Selector syntax is based on Kubernetes Label Queries.


sft list-servers -l os_type=windows,project_name=Demo

This command uses a selector to filter the list of servers you have access to, only returning the servers whose Operating System is Windows and which are in a Project named Demo.


You can view or set configuration options with the sft config command.

No configuration file will be present upon initial installation of the Advanced Server Access Client. The configuration file will be created once you set your first configuration option.

Until you have set an explicit configuration value, all defaults will be used. The defaults provided for the Advanced Server Access Client are intended to provide the most security and ease of use for the most common situations. Aside from personal preferences, such as rdp.screensize, you may not need to set any client configurations at all.

Advanced Server Access Client configurations are grouped into sections. Currently sections include rdp, ssh, ssh_agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations., service_auth, and update.

Viewing your configuration

  • sft config: Display your current configurations
  • sft config [section.key]: View the current value of a specific configuration indicated by section.key

Setting a configuration value

You can set a configuration value with the command syntax: sft config [section.key] [value].

Configuration Options



A string, such as 1024x768, describing your preferred RDP window size.

sft config rdp.screensize 800x600
sft config rdp.screensize 1024x768

If set to true, RDP sessions will be opened in fullscreen mode. This causes the rdp.screensize configuration to be ignored.

sft config rdp.fullscreen true
sft config rdp.fullscreen false



If set to true, the Advanced Server Access Client will store any passphrases entered by the user in the workstation's local cryptographic store.

sft config ssh.save_privatekey_passwords true
sft config ssh.save_privatekey_passwords false

A value of "netcat" causes Advanced Server Access to remotely execute netcat (nc) as a means of port forwarding, instead of using the default native SSH port forwarding.

sft config ssh.port_forward_method netcat
sft config ssh.port_forward_method native

A value of "host" causes Advanced Server Access to set the ForwardAgent option when executing SSH commands. Note that Advanced Server Access-issued credentials are not added to the ssh-agent, so this is for use with hosts which are configured to accept an externally managed credential, such as a SSH public key which is not managed by Advanced Server Access.

Leaving this unset, or supplying a value of "none", will cause Advanced Server Access not to forward SSH agent.

sft config ssh.insecure_forward_agent host
sft config ssh.insecure_forward_agent none

SSH Agent


If set, the Advanced Server Access Client will use an SSH agent when authenticating.

sft config ssh_agent.enable true
sft config ssh_agent.enable false

The value is a JSON array of paths to SSH private keys to be loaded into the SHH agent. You can append values to it using the --append flag.

sft config ssh_agent.keys '["/UsersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control./alice/.ssh/id_rsa"]'
sft config ssh_agent.keys --append /Users/alice/.ssh/id_rsa
sft config ssh_agent.keys '[]'

Tip: When writing a JSON literal in Windows PowerShell, escape inner quotes, as in: sft config ssh_agent.keys '[\"C:\\Users\\alice\\.ssh\\id_rsa\"]'

Service Auth


If set, the Advanced Server Access Client will support authentication for service users.

Learn more about Service Users

sft config service_auth.enable true
sft config service_auth.enable false



The Advanced Server Access Client defaults to the stable update channel, but you can opt into receiving our more-frequent releases by setting this configuration to the test update channel.

sft config update.release_channel test
sft config update.release_channel stable

Environment Variables


When set, any command run will print internal logs and timing messages to stderr

SFT_DEBUG=1 sft list-servers