User management

User management is a feature that is automatically enabled for target servers enrolled with Advanced Server Access.


A primary objective of deploying Advanced Server Access is solving for user provisioning and lifecycle management across heterogenous servers. These processes, which vary by operating system as well as configurations, integrate with Okta via SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. and SCIMSystem for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps). In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process. to receive certain user properties and replicate them on managed systems. When user accounts already exist on managed systems, the Advanced Server Access agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. attempts to reconcile these user accounts according to the provided configurations and documented behavior to take the user accounts which previously existed on the system under management by Advanced Server Access.

The Advanced Server Access agent does not just create or delete user accounts when it is installed or when changes are made to either a user directory or to an RBAC permission governing who can be given access to a system. Correct user account management is a core security outcome, so the Advanced Server Access agent monitors the state of the managed system’s configurations by periodically polling with local read operations (such as `getent`). These periodic read operations against the system are low-impact on system resources such as memory or CPU, and are integral to Advanced Server Access's ability to provide the security and resilience outcomes it is designed to achieve.