Glossary

    A
  • Authenticator Assurance Level. An industry-standard categorization for ranking the strength of the authentication process. There are three levels: AAL1 (low), AAL2 (high), and AAL3 (very high).
  • Assertion Consumer Service URL, often referred to as the Service Provider (SP) sign-in URL. This is the endpoint where SAML responses are posted and must be provided by the SP to the Identity Provider.
  • An on-premises user account management service for Microsoft Windows domain networks.
  • Okta Administrator. Admins have access to the Okta Administrator Dashboard, where they configure and maintain the end-user account provisioning and deprovisioning as well as many other aspects of the overall end-user experience.
  • Agentless Desktop Single Sign-on. When this functionality is enabled, users are automatically authenticated by Okta when they sign in to a Windows network. Users only need to sign in a single time and don't need separate credentials for each application they access through Okta.
  • The management layer around multiple orgs within Okta. The Aerial account lives outside of your orgs and can manage any production or preview org linked to the Aerial account.
  • An org that holds the authorization server for all Aerial API actions in any org in the Aerial account. Choose one org to permanently serve as the Aerial org. Super admins can create API clients in the Aerial org to access the Aerial account. The Aerial org also contains all System Log events associated with Okta Aerial actions.
  • A lightweight software program that runs as a service outside of Okta. Agents are typically installed behind a firewall and allow Okta to communicate between an on-premises service and the Okta cloud service.
  • Application. For Okta purposes, apps are web-based services that provide any number of specific tasks that require user authentication.
  • A sign-in process that verifies the identity of any entity requesting access to a web site or service. Entities may include a person or an automated user agent such as an API request.
  • Provides a common language for describing and provisioning all of the infrastructure resources in an AWS cloud environment. CloudFormation allows admins to use a simple text file to securely model and provision all resources needed for applications across all regions and accounts.
  • B
  • After SAML is enabled, users and admins can't sign in to the Service Provider's sign-in page with their username and password. All user sign-ins are done through the Identity Provider. In most cases, Service Providers have backdoor URLs to use if they need to sign in using their username or password.
  • C
  • Certificate authority. An issuer of digital certificates that confirm ownership of a public key.
  • Customer Identity Access Management. CIAM is a software solution that allows an organization to control customer access to applications; determine customer identity by linking with databases, online profiles, and other available information; and securely capture and manage customer profile information.
  • A statement about a subject (user) contained in OAuth2 security tokens. For example, a claim can be about a name, identity, key, group, or privilege. The claims in a security token are dependent upon the type of token, the type of credential used to authenticate the user, and the application configuration.
  • Anything that interacts with the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin.
  • Applications and services offered over the internet from data centers all over the world, which are referred to collectively as "the cloud."
  • A group of computer instances (physical or virtual) within a given infrastructure used together for a single purpose.
  • Category for an app that was created by the Okta community but hasn't been tested and verified by Okta.
  • Category for an app that was created by the Okta community and has shown some evidence of quality or reliability, such as active usage or multiple users. However, Okta has not tested it and does not support it.
  • An Identity Threat Protection feature that continuously monitors user sessions after the user authenticates to Okta. It evaluates the authentication and global session policies to identify changes in session context.
  • Certificate Revocation List. An index of digital certificates that have been revoked or marked invalid before their expiration date. Digital certificates on the CRL should not be trusted.
  • Create, Read, Update, and Deactivate (for Okta, not Delete), common database operations that are used in Okta to manage users in the Okta Universal Directory.
  • D
  • Allows users to directly access parts of an application. If it is supported, users can navigate to a deep link and authenticate to an application using SP-initiated SAML SSO. After authentication, the user will be redirected to a specific page in the SP instead of the homepage.
  • A lifecycle state for features that are no longer actively supported. Deprecated features can't be assigned to an org.
  • The process of adding a user account to Okta Verify.
  • The process of binding a user to the Okta Verify app instance on the device.
  • An attribute of an Okta organization. Okta uses a fully qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.) but doesn't include the protocol (https).
  • Indicates the direction of network traffic. For example, after a user account is created in the Okta Universal Directory, the account information and further updates are pushed downstream to a target application.
  • An application that receives data from Okta.
  • E
  • Opt-in features that you can try out in your org by asking Okta Support to enable them. Super admins can also enable or disable selected EA features in the Okta Admin Console.
  • People in an org who don't have administrative control. They can authenticate in to apps from the icons on their My Applications homepage, but their accounts are managed by admins.
  • End of Life. EOL features are no longer available in the Admin Console.
  • F
  • A distinct piece of functionality. Features are bundled within products but may also be offered separately, for example, Early Access features.
  • Federal Information Processing Standards. A benchmark and certification program for cryptographic modules.
  • An administrative option that requires users to re-authenticate through their Identity Provider when trying to access an app. Users must re-authenticate even if they have an active session.
  • Fully qualified domain name. The complete URL for an internet site, including the tranfer protocol (http/https).
  • G
  • Describes features that are available to all orgs depending on each customer's SKU.
  • Categories of users. Groups allow admins to assign apps to large sets of end users more easily.
  • I
  • Identity and Access Management. The process of codifying not only users and groups in a software system, but also what resources they are each able to access and what functions they are each able to perform. IAM addresses authentication, authorization, and access control.
  • A method of authentication that presents only a Username field on the sign-in page. Okta uses identifier-first authentication to determine which Identity Provider to use for completing the sign-in.
  • Identity Provider, a service that manages user accounts. IdPs send SAML responses to Service Providers to authenticate end users for Single Sign-On.
  • SAML authentication initiated by the Identity Provider (IdP). In this flow, the IdP initiates a SAML Response that is redirected to the Service Provider and asserts the user’s identity. In Okta, the process is triggered after a user clicks an app icon for a SAML application.
  • Identity Provider-initiated Single Sign-On. A single sign-on operation that was started from the IdP Security Domain. The IdP federation server creates a federation SSO response and redirects the user to the SP with the response message and an optional operational state.
  • Allows users from external Identity Providers to single sign-on (SSO) to Okta.
  • The process of adding a user account to Okta Verify by accessing an app through your org.
  • An occurrence of a software appliance or other resource hosted on a physical or virtual machine.
  • Independent software vendors. Okta partners with various ISVs (usually those producing enterprise applications) to integrate on-premises, in the cloud, or native-to-mobile devices with Okta.
  • Integrated Windows Authentication allows users to be automatically authenticated by Okta and any apps accessed through Okta, whenever they sign in to a Windows network. Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.
  • J
  • Just-In-Time provisioning. A SAML-based method of creating a user’s account the first time that they sign in. Variations of JIT can modify users who have been created in advance and imported into Okta. In these scenarios, users in either a staged or deactivated state are activated the first time that they sign in.
  • K
  • A computer-network authentication protocol that enables nodes to securely prove their identities over a non-secure network.
  • L
  • Lightweight Directory Access Protocol. A lightweight client-server protocol that is used to access X.500-based directory services. LDAP runs over Transmission Control Protocol/Internet Protocol (TCP/IP) or other connection-oriented transfer services.
  • A user is linked to a device record in Okta in either of the following ways: (1) when the user establishes an Okta session from the device and provides Okta the device identity during the session; (2) through the Okta API.
  • M
  • Mobile Application Management. Software and services that control access to mobile business apps. MAM works on company and personal devices.
  • A device that is controlled by your chosen Device Management solution, configured for Device Management in Security > Device integrations, and registered and enrolled in Okta Verify.
  • Multifactor Authentication. An added layer of security used to verify an end user's identity when they sign in to an application.
  • Mutual Transport Layer Security. A cryptographic protocol that ensures two-way authentication.
  • The Okta home page (orgname.okta.com/app/UserHome) that displays the user’s applications.
  • N
  • A web server that can be used as a reverse proxy, load balancer, mail proxy, or HTTP cache.
  • The combination of two ethernet ports into a bonded virtual port to prevent traffic from saturating a single network connection.
  • A device that is registered or enrolled in Okta Verify but is either not managed by your chosen Device Management solution or is not configured for Device Management in Security > Device integrations.
  • O
  • Okta Access Gateway. A reverse proxy based virtual application, designed to secure web applications that don't natively support SAML or OIDC. Okta Access Gateway integrates with legacy applications using HTTP headers and Kerberos tokens, and offers URL-based authorization and more.
  • OpenID Connect. An authentication layer on top of OAuth 2.0 (an authorization framework). The OIDC standard is controlled by the OpenID Foundation.
  • Okta Integration Network. An on-demand service comprised of thousands of pre-integrated business and consumer applications.
  • Passwordless authentication to any SAML, WS-Fed, OIDC app in Okta on Windows, iOS, Android, MacOS.
  • A sandbox environment that provides complete access to a fully functioning version of Okta. An oktapreview org allows you to test features before pushing them to your users.
  • Okta Verified. In the Okta Integration Network, this status means that the integration was built, tested, and verified by Okta, or it was built by a partner, and then tested and verified by Okta.
  • Okta Mobility Management. A service that enables admins to manage work-related applications and data on their users' mobile devices. Users must enroll in the service to download managed apps.
  • A lightweight agent that runs on Linux (CentOS or RHEL) or Windows (x86/x64) server and sits behind a firewall. The On-Prem Provisioning Agent gets provisioning instructions from Okta and sends SCIM messages to the appropriate SCIM endpoint or connector.
  • Out-of-band. Signals sent between two endpoints using a method that is different from that of the primary communication between the two endpoints. When referencing Okta Verify, out-of-band references manual device enrollment using a sign-in URL.
  • The Okta container that represents a real-world organization.
  • One-time password. A type of multifactor authentication in which an end user receives a secret code by text message or voice call, or through an authenticator app, such as Google Authenticator. The user inputs this code when signing in, in addition to their password.
  • Organizational unit. Active Directory containers for users, groups, computers, or other organizational units. OUs are the smallest units to which you can assign Group Policy settings or delegate administrative authority.
  • P
  • Partner-Built EA feature status for provisioning integrations is obsolete. All provisioning integrations with this feature status will be changed to Okta Verified feature status.
  • This term is obsolete. See Okta Verified.
  • Public Key Infrastructure. A set of tools and policies used to create and maintain digital certificates and certificate chains.
  • Proof-of-possession. A verification process that assures that the owner of a key pair actually has the private key associated with the public key.
  • An Okta-determined set of features.
  • An application that acts as a source of truth for user profile attributes. A user can be sourced by only one application or directory at a time.
  • A read/import method that defines the flow and maintenance of user-object attributes and their lifecycle state. When an Okta user’s profile is sourced by an application or directory, the Okta profile attributes and lifecycle state are derived exclusively from that resource. The profile isn’t editable in Okta.
  • The enterprise-wide process of granting access to the software and services that your users require, as well as the configuration, deployment, and management of those resources.
  • R
  • A device through which a user is bound to Okta Verify. Each registered device is a unique object in the Okta Universal Directory.
  • Relying Party Identifier. The Relying Party receives the SAML assertion from an IdP.
  • S
  • Security Assertion Markup Language. An open standard that verifies identity and offers authentication by exchanging data between an identity provider and a service provider.
  • Simple Certificate Enrollment Protocol. A automatic enrollment process for issuing digital certificates to devices through a URL.
  • A process in which Okta identifies attributes in an app profile that can be added to the Okta user profile.
  • System for Cross-domain Identity Management. An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers (such as enterprise SaaS apps).
  • An end point that can process SCIM messages sent by the provisioning agent. This end point can be an application that natively supports SCIM or a SCIM connector that acts as an intermediary between the provisioning agent and the on-prem application.
  • An indication by the client that it wants to access a resource.
  • An Okta-generated string of characters that allows end users to enroll their mobile devices in Okta Verify without scanning a QR code.
  • The Okta Sign-In Widget is a Javascript widget that provides a fully featured and customizable sign-in experience which can be used to authenticate users of web and mobile applications.
  • Securely access an app with a set of user credentials. Synonyms include sign on (as in Single Sign-On or sign-on policy) and login.
  • A logout method in which a SAML service provider sends a logout request to the identity provider, and both the identity provider and service provider’s current sessions close. Okta only supports SP-initiated logout.
  • A configurable appliance that is run on VMWare, VMWare vSphere, AWS, or similar systems. Access Gateway is a preconfigured, downloadable VM image that can be configured for client infrastructures.
  • The process of defining the flow and maintenance of user object attributes. Sourcing can be applied at the full profile level or at the attribute level. Okta-sourced means that edits made in the Okta profile then flow to all related applications. App-sourced means that edits made in a user’s application profile (like Active Directory) flow to the Okta profile.
  • Service provider. In Okta, the service provider is any website that accepts SAML responses as a way of signing in users. Service providers redirect a user to an identity provider (Okta) to begin the authentication process.
  • Service Provider-initiated Single Sign-On. SAML authentication that is initiated by the Service Provider (SP). This is triggered when the end user tries to access a resource in the Service provider or sign in directly to the Service Provider.
  • Shared Signals Framework. An Identity Threat Protection feature that allows orgs to receive risk signals from third-party security providers.
  • Single Sign-On. SSO platforms allow users to enter one name and password to access multiple applications. Okta provides a seamless SSO experience across PCs, laptops, tablets, and smartphones, for applications both behind the firewall and in the cloud.
  • Secure Web Authentication. An SSO integration method developed by Okta for apps that don't support SAML or proprietary federated sign-in methods. When a user accesses a SWA app from their Okta homepage, Okta posts their stored, encrypted credentials to the app sign-in page.
  • T
  • Time-based one-time password. TOTP is a form of multifactor authentication in which a unique code is generated from a secret key and the current time. The code is sent to the user, who inputs it into a sign-in form along with their username and password. In addition, the code expires and becomes unusable after 30 or 60 seconds, depending on how the TOTP generator is configured.
  • Trusted Platform Module. A microchip that is built into most desktop and mobile devices. It is designed to provide tamper-resistant security functions, primarily involving encryption keys.
  • U
  • The Okta user directory that stores an unlimited number of users and all types of attributes. All applications in the Okta Integration Network can access the Universal Directory using LDAP or API.
  • An Identity Threat Protection feature that terminates user sessions for supported apps in response to identity-based threats.
  • Network traffic from a directory or app to Okta.
  • A provisioning application that provides data to Okta.
  • Uniform Resource Identifier. A unique sequence of characters used to identify a specific resource such as a web page, book, or a document. Unlike a URL, it doesn’t include location information (https://).
  • The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in Okta and associated with the identity being claimed. In Okta, user verification also refers to when a user is prompted to provide biometric or security key verification, such as when using the FIDO2 (WebAuthn) authenticator or Okta FastPass. (term partially adapted from National Institute of Standards and Technology, U.S. Department of Commerce)