Advanced Server Access Agent Reference Page

The Advanced Server Access Agent (sftd) is a daemon that runs on your servers and integrates with the Advanced Server Access Platform.

The Advanced Server Access Agent configures client certificate authentication for SSH and RDP, audits login events to the server, and manages local user accounts.


For detailed instructions specific to your operating system, see:

Command Line Options

  • --conf: Provide alternative configuration file path.
  • --debug-device-info: Prints detected device information to stderr and then exits.
  • -h, --help: Display help.
  • -v, --version: Display version.
  • --syslog: Force syslog logging.

Configuration File

On startup, the Advanced Server Access Agent reads its configuration file sftd.yaml in order to set configuration settings. This file is in the YAML format.

If this file is not available, sftd proceeds with the default values.

Default Configuration:

# Common Configuration Options:
# AccessAddress is unset by default
AutoEnroll:            true
# Bastion is unset by default
# CanonicalName is unset by default
# InitialURL is unset by default

Common Configuration Options

AccessAddress

default: unset

For hosts with multiple interfaces, or behind DNAT; specifies the address that clients will use when connecting to this host.

AccessInterface

default: unset

For hosts with a specific public IP address associated with a known interface; specifies the interface that clients will negotiate connections with while connecting to the host.

Example: AccessInterface: 4022

AltNames

default: unset

A list of alternative hostnames for this server. These names can be used as target names in sft ssh.


AltNames: ["web01", ""]

AutoEnroll

default: true

true or false. When true, sftd will attempt to automatically enroll with Advanced Server Access on initial startup.

Bastion

default: unset

Specifies the bastion host that clients will automatically use when connecting to this host.

CanonicalName

default: unset

Specifies the name clients should use and see when connecting to this host. Overrides the name found with hostname.

InitialURL

default: unset

When AutoEnroll is set to true, this option specifies the InitialURL that the server can use to auto-enroll. When an enrollment.token is provided, this option is ignored.

SSHDPort

default: unset

Traditionally, clients initiate SSH connections on port 22 of a host. The SSHDPort option allows admins to specify a different port on which clients negotiate SSH connections.

Example: SSHDPort: 4022

Additional Configuration Options


default: INFO

Controls the logging verbosity. Valid values are WARN, INFO or DEBUG. Running sftd with the --debug flag is equivalent to configuring a level of DEBUG, and will override the value from the config file.

BufferFiles

default: /var/lib/sftd/buffer.db

Path prefix for the file(s) that sftd uses for its local buffer store. Each individual buffer file is named by appending a '.' and an incrementing number to the path prefix. Buffer files that have been synchronized are removed automatically.

DisableBroker

default: unset

Advanced Server Access automatically runs an Access Broker process that listens on port 4421. On Windows, the Access Broker is responsible for proxying RDP connections and is required for users to be able to successfully RDP to their team's Windows server. For Linux hosts, Access Broker processes are only required when they are configured in Advanced Server Access to create users on demand.

Setting DisableBroker to true will cause the agent not to run an Access Broker process.

Note: This is not recommended on Windows. For more information, refer to our Windows Internals article.


default: /var/lib/sftd/enrollment.token

Path to the file containing a secret token for token-based enrollment. This file is deleted after a successful enrollment to the platform.


default: none

URL of an HTTP CONNECT proxy that sftd will use for outbound network connectivity to the Advanced Server Access Platform. Alternatively, the HTTPS_PROXY environment variable can be used for this configuration.


default: /var/lib/sftd/device.server

Path to the file that sftd uses to store the server URL that it will connect to.


default: /etc/ssh/sshd_config

Path to the sshd configuration file. Note that sftd will modify this file.


default: /var/lib/sftd/device.token

Path to file that sftd uses to store its secret token for authentication to Advanced Server Access.


default: /var/lib/sftd/

Path for sftd to write the list of trusted SSH Certificate authorities to.
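As an added example (not Okta's code), the following Python reads a flat sftd.yaml, merges it over the defaults documented in the two option sections above, and flags the conditions those sections call out: an unknown key, AutoEnroll without an InitialURL, DisableBroker on Windows, and an invalid SSHDPort. The sample file, the audit() function and its warning strings are constructed; the parser handles only the key: value lines this file uses.

```python
import json
# Defaults as documented on this page; options the page lists as "unset" are None.
DEFAULTS = {"AccessAddress": None, "AccessInterface": None, "AltNames": None,
            "AutoEnroll": True, "Bastion": None, "CanonicalName": None,
            "InitialURL": None, "SSHDPort": None, "DisableBroker": None,
            "BufferFiles": "/var/lib/sftd/buffer.db"}

def _scalar(raw):
    # One YAML scalar: inline list, boolean, integer or (optionally quoted) string.
    raw = raw.strip()
    if raw.startswith("["):
        return json.loads(raw)          # e.g. ["web01", "web01.internal"]
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.isdigit() else raw.strip("'\"")

def parse_sftd_yaml(text):
    """Parse the flat 'key: value' subset of YAML that sftd.yaml uses."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]    # drop comments
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = _scalar(value)
    return cfg

def audit(cfg, platform="linux"):
    """Merge cfg over the documented defaults; return (effective, warnings)."""
    effective, warnings = dict(DEFAULTS), []
    for key, value in cfg.items():
        if key in DEFAULTS:
            effective[key] = value
        else:   # a misspelled option is silently ignored by sftd, so flag it
            warnings.append(f"unknown option {key!r}")
    if effective["AutoEnroll"] and not effective["InitialURL"]:
        warnings.append("AutoEnroll without InitialURL: enrollment needs a token file")
    if platform == "windows" and effective["DisableBroker"]:
        warnings.append("DisableBroker on Windows breaks RDP proxying")
    port = effective["SSHDPort"]
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        warnings.append(f"SSHDPort {port!r} is not a valid TCP port")
    return effective, warnings

# Constructed sample for a Linux host behind DNAT that is reached via a bastion.
SAMPLE = """\
AccessAddress: 203.0.113.10
AltNames: ["web01", "web01.internal"]
Bastion: bastion.example.internal
SSHDPort: 4022
DisableBroker: true   # acceptable on Linux unless users are created on demand
"""
```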

Files and Paths


sftd on Linux runs under the root user. Paths follow the Linux Standard Base specifications when applicable.

State Directory:


Config File:


Log Directory:

sftd uses the system logger when available.

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:


Disable Autostart


By default the Advanced Server Access-server-tools packages on RedHat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances this will cause the agent to automatically enroll in Advanced Server Access, create local users and remove the enrollment token from disk.

If a disable-autostart file exists at the time of installation, the packages will not start the agent automatically. This can be useful when building OS images using a tool like Packer. Under these circumstances it is typically preferable to remove the disable-autostart file once the package has been installed.


On Windows, the Advanced Server Access Agent runs under the LocalSystem account.

%LOCALAPPDIR% is the default prefix for all filesystem paths.

State Directory:


Config File:


Log Directory:


Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:


Environment Variables

sftd reads the following variables when starting:

  • SFT_DEBUG: Prints additional debugging to stderr when set.

Warning: Moving a server between projects will cause the new project to take over user and group synchronization, which may result in changes to local user names, UIDs or other attributes on the server. This will not remove the existing local users or groups from the original project, but any orphaned users will no longer be accessible via Advanced Server Access, with the exception of established SSH connections (which are not terminated).