Glossary

    A
  • Assertion Consumer Service URL, often referred to as the Service Provider (SP) sign-in URL. This is the endpoint where SAML responses are posted and must be provided by the SP to the Identity Provider.
  • An on-premises user account management service for Microsoft Windows domain networks.
  • Okta Administrator. Admins have access to the Okta Administrator Dashboard, where they configure and maintain the end-user account provisioning and deprovisioning as well as many other aspects of the overall end-user experience.
  • A lightweight software program that runs as a service outside of Okta. Agents are typically installed behind a firewall and allow Okta to communicate between an on-premises service and Okta's cloud service.
  • Application. For Okta purposes, apps are web-based services that provide any number of specific tasks that require user authentication.
  • A sign-in process that verifies the identity of any entity requesting access to a web site or service. Entities may include a person or an automated user agent such as an API request.
  • Provides a common language for describing and provisioning all of the infrastructure resources in an AWS cloud environment. CloudFormation allows admins to use a simple text file to securely model and provision all resources needed for applications across all regions and accounts.
    B
  • After SAML is enabled, users and admins can't sign in to the Service Provider's sign-in page with their username and password. All user sign-ins are done through the Identity Provider. In most cases, Service Providers have backdoor URLs to use if they need to sign in using their username/password.
    C
  • An obsolete term for the application icons that appear on an end user's Home page. The term has been replaced by "apps" or "icons."
  • Anything that interacts with the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin.
  • Applications and services offered over the internet from data centers all over the world, which are referred to collectively as "the cloud."
  • A group of computer instances (physical or virtual) within a given infrastructure used together for a single purpose.
  • Category for an app that was created by the Okta community but hasn't been tested and verified by Okta.
  • Category for an app that was created by the Okta community and has shown some evidence of quality or reliability, such as active usage or multiple users. However, Okta has not tested it and does not support it.
  • Create, Read, Update, and Deactivate (for Okta, not Delete), common database operations that are used in Okta to manage users in the Okta Universal Directory.
    D
  • Allows users to directly access parts of an application. If the app supports deep linking, users can navigate to a deep link and authenticate to the application using SP-initiated SAML SSO. After authentication, the user is redirected to the specific page in the SP instead of the homepage.
  • A lifecycle state for features that are no longer actively supported. Deprecated features can't be assigned to an org.
  • An attribute of an Okta organization. Okta uses a fully qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.) but doesn't include the protocol (https).
  • Indicates the direction of network traffic. For example, after a user account is created in the Okta Universal Directory, the account information and further updates are pushed downstream to a target application.
  • An application that receives data from Okta.
    E
  • Opt-in features that you can try out in your org by asking Okta Support to enable them. Super admins can also enable or disable selected EA features in the Okta Admin Console.
  • People in an org who don't have administrative control. They can sign in to apps from the icons on their My Applications homepage, but their accounts are managed by admins.
  • End of Life. EOL features are no longer available in the Admin Console.
    F
  • An administrative option that requires users to re-authenticate through their Identity Provider when trying to access an app. Users must re-authenticate even if they have an active session.
  • Fully qualified domain name: the complete URL for an internet site, including the transfer protocol (http/https).
    G
  • Describes features that are available to all orgs depending on each customer's SKU.
  • Categories of users. Groups allow admins to assign apps to large sets of end users more easily.
    I
  • A method of authentication that presents only a Username field on the sign-in page. Okta uses identifier-first authentication to determine which Identity Provider to use for completing the sign-in.
  • Identity Provider, a service that manages user accounts. IdPs send SAML responses to Service Providers to authenticate end users for Single Sign-On.
  • SAML authentication initiated by the Identity Provider (IdP). In this flow, the IdP initiates a SAML Response that is redirected to the Service Provider and asserts the user’s identity. In Okta, the process is triggered after a user clicks an app icon for a SAML application.
  • Identity Provider-initiated Single Sign-On. A single sign-on operation that was started from the IdP Security Domain. The IdP federation server creates a federation SSO response and redirects the user to the SP with the response message and an optional operational state.
  • Allows users from external Identity Providers to single sign-on (SSO) to Okta.
  • An occurrence of a software appliance or other resource hosted on a physical or virtual machine.
  • Independent software vendors. Okta partners with various ISVs (usually those producing enterprise applications) to integrate their on-premises, cloud, or native mobile applications with Okta.
    J
  • Just-in-Time provisioning. A SAML-based method of creating a user’s account the first time that they sign in. Variations of JIT can modify users who have been created in advance and imported into Okta. In these scenarios, users in either a staged or deactivated state are activated the first time that they sign in.
    K
  • A computer-network authentication protocol that enables nodes to securely prove their identities over a non-secure network.
    L
  • Lightweight Directory Access Protocol. A lightweight client-server protocol that is used to access X.500-based directory services. LDAP runs over Transmission Control Protocol/Internet Protocol (TCP/IP) or other connection-oriented transfer services.
  • A user is linked to a device record in Okta in either of the following ways: (1) when the user establishes an Okta session from the device and provides Okta the device identity during the session; (2) through the Okta API.
    M
  • Mobile Application Management. Software and services that control access to mobile business apps. MAM works on company and personal devices.
  • The process of defining the flow and maintenance of user object attributes. Mastery can be applied at the full profile level or at the attribute level. Okta-mastered means that edits made in the Okta profile then flow to all related applications. App-mastered means that edits made in a user’s application profile (like Active Directory) flow to the Okta profile.
  • The Okta home page (orgname.okta.com/app/UserHome) that displays the user’s applications.
    N
  • A web server that can be used as a reverse proxy, load balancer, mail proxy, or HTTP cache.
  • The combination of two Ethernet ports into a bonded virtual port to prevent traffic from saturating a single network connection.
    O
  • OpenID Connect. An authentication layer on top of OAuth 2.0 (an authorization framework). The OIDC standard is controlled by the OpenID Foundation.
  • Okta Integration Network. An on-demand service consisting of thousands of pre-integrated business and consumer applications.
  • A sandbox environment that provides complete access to a fully functioning version of Okta. An oktapreview org allows you to test features before pushing them to your users.
  • Okta Verified. In the Okta Integration Network, this status means that the integration was built, tested, and verified by Okta, or it was built by a partner, and then tested and verified by Okta.
  • Okta Mobility Management. A service that enables admins to manage work-related applications and data on their users' mobile devices. Users must enroll in the service to download managed apps.
  • A lightweight agent that runs on a Linux (CentOS or RHEL) or Windows (x86/x64) server and sits behind a firewall. The On-Prem Provisioning Agent gets provisioning instructions from Okta and sends SCIM messages to the appropriate SCIM endpoint or connector.
  • The Okta container that represents a real-world organization.
  • Organizational unit. Active Directory containers for users, groups, computers, or other organizational units. OUs are the smallest units to which you can assign Group Policy settings or delegate administrative authority.
    P
  • The Partner-Built EA feature status for provisioning integrations is obsolete. All provisioning integrations that had this feature status are changed to the Okta Verified feature status.
  • This term is obsolete. See "Okta Verified".
  • An application that acts as a source of truth for user profile attributes. A user can be mastered by only one application or directory at a time.
  • A read/import method that defines the flow and maintenance of user-object attributes and their lifecycle state. When an Okta user’s profile is mastered by an application or directory, the Okta profile attributes and lifecycle state are derived exclusively from that resource. The profile isn’t editable in Okta.
  • The enterprise-wide process of granting access to the software and services that your users require, as well as the configuration, deployment, and management of those resources.
    S
  • Security Assertion Markup Language. An XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider.
  • A process in which Okta identifies attributes in an app profile that can be added to the Okta user profile.
  • System for Cross-domain Identity Management. An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers (such as enterprise SaaS apps).
  • An end point that can process SCIM messages sent by the provisioning agent. This end point can be an application that natively supports SCIM or a SCIM connector that acts as an intermediary between the provisioning agent and the on-prem application.
  • An indication by the client that it wants to access a resource.
  • An Okta-generated string of characters that allows end users to enroll their mobile devices in Okta Verify without scanning a QR code.
  • A logout method in which a SAML service provider sends a logout request to the identity provider, and both the identity provider and service provider’s current sessions close. Okta only supports SP-initiated logout.
  • A configurable appliance that runs on VMware, VMware vSphere, AWS, or similar systems. Access Gateway is a preconfigured, downloadable VM image that can be configured for client infrastructures.
  • Service provider. In Okta, the service provider is any website that accepts SAML responses as a way of signing in users. Service providers redirect a user to an identity provider (Okta) to begin the authentication process.
  • Service Provider-initiated Single Sign-On. SAML authentication that is initiated by the Service Provider (SP). This flow is triggered when the end user tries to access a resource in the Service Provider or signs in directly to the Service Provider.
  • Single Sign-On. SSO platforms allow users to enter one name and password to access multiple applications. Okta provides a seamless SSO experience across PCs, laptops, tablets, and smartphones, for applications both behind the firewall and in the cloud.
  • Secure Web Authentication. An SSO integration method developed by Okta for apps that don't support SAML or proprietary federated sign-in methods. When a user accesses a SWA app from their Okta homepage, Okta posts their stored, encrypted credentials to the app sign-in page.
    U
  • The Okta user directory that stores an unlimited number of users and all types of attributes. All applications in the Okta Integration Network can access the Universal Directory using LDAP or API.
  • Network traffic from a directory or app to Okta.
  • A provisioning application that provides data to Okta.
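The Assertion Consumer Service URL, IdP-initiated SSO and SP-initiated SSO entries above describe where a SAML Response lands and which side starts the flow. As an added illustration (not code from this glossary or from Okta's products), the following shows the minimal checks a Service Provider applies to a response posted to its ACS URL, assuming a hypothetical ACS URL and a constructed, unsigned sample response; XML signature verification, which a real SP performs before any of this, is left out.

```python
# Added example, not Okta code: SP-side checks on a SAML Response posted to the ACS URL.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://sp.example.com/saml/acs"  # hypothetical ACS URL for this SP

def sample_response(in_response_to=None, destination=ACS_URL):
    """Constructed, unsigned SAML Response such as an IdP would POST to the ACS URL."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" Destination="{destination}"{irt}>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def classify_response(xml_text, acs_url, outstanding_ids, allow_idp_initiated=True):
    """Return ('idp-initiated' | 'sp-initiated', NameID) or ('rejected', reason).
    outstanding_ids holds AuthnRequest IDs this SP issued and has not yet consumed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return "rejected", "not a samlp:Response"
    # Destination must be this SP's ACS URL; anything else was meant for another endpoint.
    if root.get("Destination") != acs_url:
        return "rejected", "Destination does not match ACS URL"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return "rejected", "status is not Success"
    irt = root.get("InResponseTo")
    if irt is None:
        # Unsolicited response: the IdP started the flow (e.g. user clicked an app icon).
        if not allow_idp_initiated:
            return "rejected", "IdP-initiated SSO is disabled for this SP"
        flow = "idp-initiated"
    elif irt in outstanding_ids:
        outstanding_ids.discard(irt)  # each AuthnRequest ID is accepted once
        flow = "sp-initiated"
    else:
        return "rejected", "InResponseTo matches no outstanding AuthnRequest"
    name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        return "rejected", "assertion carries no NameID"
    return flow, name_id.text
```

An SP that does not want unsolicited sign-ins passes allow_idp_initiated=False, which turns every response lacking InResponseTo into a rejection.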