Enrolling a Server

To manage access to a server with Advanced Server Access, you'll need to install the ScaleFT Server Agent on the server, and enroll your server into a project.

If you are using the default configurations, the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. will begin managing user accounts on your server, and enable clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. certificate authentication for SSH or RDP.



Enrollment is the process where the Advanced Server Access agent configures a server to be managed by a specific project.

With an Enrollment Token

An enrollment token is a base64 encoded object with metadata that the Advanced Server Access Agent can configure itself from.

To create an enrollment token in the Advanced Server Access Dashboard, browse to the desired project, then select "Server Enrollment Tokens". Either use an existing token, or generate a new Enrollment Token with a description of what the token is used for, such as "First Production Buildout", or "Testing Advanced Server Access."

Once you have a token, ensure it exists on the server in question either via your configuration management system, or by just writing the token to a file yourself.

On Linux, the enrollment token path is /var/lib/sftd/enrollment.token.

On Windows, the enrollment token path is C:\windows\system32\config\systemprofile\AppData\Local\scaleft\enrollment.token.

To validate that the server is enrolled, run sft list-servers on a client machine. You should see the enrolled server listed.

Associating an AWS Account with a Advanced Server Access Project

Advanced Server Access supports optionally associating an AWS account with a Advanced Server Access project.

The Advanced Server Access Server Agent uses AWS's signed instance metadata to identify itself, and can automatically enroll into a project in your team.

This method is best when all your AWS servers from a specific AWS account will belong to only one project. You can use this method to enroll servers into that project instead of using an Enrollment Token. For bare metal or on-premise servers, or when cloud metadata-based enrollment is not available, enroll servers using per-project Enrollment Tokens.

To associate an AWS account with a Advanced Server Access project:

  1. Locate your AWS account number by logging into the AWS web console, opening the "Support" dropdown in the top right corner, then selecting "Support Center".
  2. In the Advanced Server Access Dashboard browse to the desired project, click "Add AWS Account", then enter the account number you located in step #1 under Associated AWS accounts.

From this point forward, when the agent starts on a server that belongs to this AWS account, if that server has not been previously enrolled in Advanced Server Access, the agent will submit the server's signed AWS metadata as proof of its identity, and enroll it in your Advanced Server Access project.