Enrolling a Server

To manage access to a server with Advanced Server Access, you need to install the Advanced Server Access Agent on the server, and enroll the server into a project.

If you are using the default configurations, the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. will begin managing user accounts on your server, and enable clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. certificate authentication for SSH or RDP.



Enrollment is the process where the Advanced Server Access agent configures a server to be managed by a specific project.

With an Enrollment Token

An enrollment token is a base64-encoded object with metadata that the Advanced Server Access agent can configure itself from.

To create an enrollment token for a project, open the project in the Advanced Server Access dashboard. Switch to the Enrollment tab, then click Create Enrollment Token. Enter a description for the token based on its usage (for example, "First Production Buildout", or "Testing Advanced Server Access"). Click Submit to create the token.

After creating your token, copy it to the server either by using your configuration management system (for example, Puppet, Chef, Ansible, and so on), or by writing it to a file.

On Linux, the enrollment token path is /var/lib/sftd/enrollment.token.

On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\scaleft\enrollment.token.

To validate that the server is enrolled, run sft list-servers on a client machine. You should see the enrolled server listed.

Attaching an AWS Account to an Advanced Server Access Project

Advanced Server Access supports optionally attaching an AWS account to an Advanced Server Access project.

The Advanced Server Access Server Agent uses signed instance metadata from AWS to identify itself, and can automatically enroll into a project in your team.

This method is the best option to use when all of your AWS servers from a specific AWS account will only belong to one project. You can use this method to enroll servers into that project instead of using an enrollment token. For bare metal or on-premise servers, or when cloud metadata-based enrollment is not available, enroll servers using per-project enrollment tokens.

To attach an AWS account to an Advanced Server Access project:

  1. Sign in to the AWS console, click Support > Support Center, then locate your AWS account number.
  2. From the Advanced Server Access dashboard, browse to the desired project and click Add AWS Account. Enter your AWS account number you located in the previous step.

From this point forward, when the agent starts on a server that belongs to this AWS account, if the server has not been previously enrolled in Advanced Server Access, the agent submits signed AWS metadata from the server as proof of its identity, and enrolls it in your Advanced Server Access project.