On-premises provisioning architecture
The on-premises provisioning architecture consists of the following components: Okta, the Okta On-premises Provisioning agent, a SCIM server (or a custom connector), and the on-premises applications. The agent is a lightweight service that runs outside Okta, typically behind the firewall, and lets Okta communicate with on-premises services without an inbound connection through that firewall. The SCIM server is an endpoint that can process the SCIM messages the provisioning agent sends; it can be an application that natively supports SCIM or a SCIM connector that acts as an intermediary between the agent and the on-prem application. As the architecture illustration shows, every component except Okta is located behind the firewall.
When a new user is provisioned from Okta to an on-premises application (a MySQL database in this example) through a SCIM server, the typical workflow is as follows. SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning: it carries user identity data between identity providers, such as Okta, and service providers that need it, such as enterprise applications, so that the user lifecycle (create, update, deactivate) can be managed without manual steps.
- An Okta admin creates an app instance in Okta to represent the on-prem MySQL app.
- The admin assigns an Okta user to the MySQL app. Okta creates a provisioning event (create new user). Note that provisioning fails when the application user's custom schema contains only array attributes.
- The provisioning agent polls Okta, picks up the provisioning event, and translates it into a SCIM request: an HTTP POST to the /Users endpoint of the SCIM server. Because the agent polls Okta over an outbound connection, no inbound firewall rule is needed for Okta to reach it.
- When the SCIM server receives the POST to /Users carrying the JSON-formatted SCIM representation of the user, it attempts to create that user in the on-premises application.
- The SCIM server responds to the provisioning agent with the SCIM response message mandated by the SCIM protocol: on success, 201 Created with the stored resource (including the server-assigned id); on failure, a SCIM error response such as 409 for a duplicate userName.
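The following is an added example, not Okta's code or part of the original page, showing the SCIM server side of the workflow above: it receives the POST the provisioning agent sends to /Users, creates the user in a database, and returns the SCIM response. SQLite stands in for the on-prem MySQL database, the table name `app_users`, the UUID id scheme and the error texts are assumptions, and the sample request is constructed to resemble what the agent would send. The SQL insert is parameterised so attribute values that arrive over the wire never become part of the query text, and a duplicate userName is reported as the 409 "uniqueness" error the SCIM protocol requires rather than as an unhandled database error.

```python
"""Minimal SCIM 2.0 /Users POST handler (added example, not Okta's code)."""
import json
import sqlite3
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def new_db():
    """Open an in-memory SQLite database standing in for the on-prem MySQL app."""
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    # Hypothetical application table; userName is the SCIM uniqueness attribute.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS app_users ("
        " id TEXT PRIMARY KEY, user_name TEXT UNIQUE NOT NULL,"
        " given_name TEXT, family_name TEXT, email TEXT, active INTEGER NOT NULL)"
    )
    return conn


def scim_error(status, detail, scim_type=None):
    """Build a SCIM error response (RFC 7644 section 3.12)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def handle_users_post(raw_body, conn):
    """Return (HTTP status, SCIM response body) for a POST to /Users."""
    try:
        user = json.loads(raw_body)
    except ValueError:
        user = None
    if not isinstance(user, dict):
        return scim_error(400, "Request body is not a JSON object", "invalidSyntax")
    if USER_SCHEMA not in user.get("schemas", []):
        return scim_error(400, "Missing schema " + USER_SCHEMA, "invalidValue")
    user_name = user.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        return scim_error(400, "userName is required", "invalidValue")
    name = user.get("name") or {}
    emails = user.get("emails") or []
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else {})
    new_id = str(uuid.uuid4())
    try:
        # Parameterised insert: wire values are bound, never interpolated into SQL.
        conn.execute(
            "INSERT INTO app_users VALUES (?, ?, ?, ?, ?, ?)",
            (new_id, user_name, name.get("givenName"), name.get("familyName"),
             primary.get("value"), 1 if user.get("active", True) else 0),
        )
        conn.commit()
    except sqlite3.IntegrityError:
        # Duplicate uniqueness attribute: SCIM mandates 409 with scimType "uniqueness".
        return scim_error(409, "userName %r already exists" % user_name, "uniqueness")
    return 201, {
        "schemas": [USER_SCHEMA],
        "id": new_id,
        "userName": user_name,
        "name": {"givenName": name.get("givenName"), "familyName": name.get("familyName")},
        "active": bool(user.get("active", True)),
        "meta": {"resourceType": "User", "location": "/Users/" + new_id},
    }


def make_handler(conn):
    """Wrap handle_users_post in a tiny HTTP server so the agent can POST to it."""
    class ScimHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path.rstrip("/") != "/Users":
                status, body = scim_error(404, "Unknown endpoint")
            else:
                length = int(self.headers.get("Content-Length", 0))
                status, body = handle_users_post(self.rfile.read(length), conn)
            payload = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/scim+json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
    return ScimHandler


# Constructed sample request, shaped like the POST the provisioning agent sends.
SAMPLE_REQUEST = json.dumps({
    "schemas": [USER_SCHEMA],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "primary": True}],
    "active": True,
}).encode()

if __name__ == "__main__":
    db = new_db()
    print(handle_users_post(SAMPLE_REQUEST, db))   # (201, {...stored user...})
    HTTPServer(("127.0.0.1", 8080), make_handler(db)).serve_forever()
```

Running the module creates the sample user once and then listens on 127.0.0.1:8080; a second POST of the same body returns 409 with scimType "uniqueness", and a malformed body returns 400. The example deliberately omits how the SCIM server authenticates the provisioning agent; in a deployment the endpoint must accept requests only from the agent host, and the page does not specify the mechanism, so none is assumed here.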