On demand users

Some environments have a requirement for users that have predetermined expiration dates. Advanced Server Access provides this capability through "on demand users". Advanced Server Access admins can specify the lifespan of users on a project, ensuring that access to resources is terminated for those users after a specified time period. On demand users hold the same level of access and permissions as all other end-users while active.

You can enable or disable on demand users for a project by setting the On Demand User TTL (Time to Live) value for the project, either when you create a project, or by editing an existing project. To edit an existing project, click Projects, then click the gear icon beside the project and select Edit.

To use the default method of provisioning users when a server is enrolled to the project, select Disabled from the On Demand User TTL (Time to Live) drop-down box.

To provision users on an on-demand basis, select a time value from the On Demand User TTL drop-down box (for example, 14 days). When a TTL value is set for the project, an account for a user is provisioned when the user signs in to the server. After the TTL period has passed, or when the user signs out, the account is removed from the server.

Note: To use on demand users, your servers must be configured to allow the Advanced Server Access agent to be accessible from port 4421 of the previous network hop. For example, if your client uses a bastion to connect to the server, then the Advanced Server Access agent must be accessible from port 4421 of the bastion. In the case where the client connects directly to the server, then the Advanced Server Access agent must be accessible from port 4421 of the client.