Glossary

Okta-related terms and their definitions. The glossary includes general concepts like single sign-on and Okta-specific concepts like Secure Web Authentication.

admin
An Okta administrator. Admins have access to the Okta Administrator Dashboard, where they configure and maintain the end-user account provisioning and deprovisioning as well as many other aspects of the overall end-user experience.
agent
A lightweight software program that runs as a service outside of Okta. Agents are typically installed behind a firewall and allow Okta to communicate between an on-premises service and the Okta cloud service.
app
An application. For Okta purposes, apps are web-based services that provide any number of specific tasks that require user authentication.
client
Anything that interacts with the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin.
cloud computing
Apps and services offered over the internet from data centers all over the world, which are referred to collectively as "the cloud."
community created
Category for an app that was created by the Okta community but hasn't been tested and verified by Okta.
community verified
Category for an app that was created by the Okta community and has shown some evidence of quality or reliability, such as active usage or multiple users. However, Okta has not tested it and does not support it.
downstream application
An application that receives data from Okta.
group
Categories of users. Groups allow admins to assign apps to large sets of end users more easily.
identity provider (IdP)
A service that manages user accounts. IdPs send SAML responses to service providers to authenticate end users for Single Sign-On.
IdP-initiated flow
SAML authentication initiated by the Identity Provider (IdP). In this flow, the IdP initiates a SAML Response that is redirected to the Service Provider and asserts the user's identity. In Okta, the process is triggered after a user clicks an app icon for a SAML application.
independent software vendor (ISV)
Okta partners with various ISVs (usually those producing enterprise apps) to integrate their on-premises, cloud, or native mobile apps with Okta.
Okta Integration Network (OIN)
An on-demand service comprised of thousands of pre-integrated business and consumer applications.
Okta-verified
In the Okta Integration Network (OIN), this status means that the integration was built, tested, and verified by Okta, or it was built by a partner, and then tested and verified by Okta.
Okta Mobility Management (OMM)
A service that enables admins to manage work-related apps and data on their users' mobile devices. Users must enroll in the service to download managed apps.
org
The Okta container that represents a real-world organization.
organizational unit (OU)
Active Directory containers for users, groups, computers, or organizational units. OUs are the smallest units to which you can assign Group Policy settings or delegate administrative authority.
profile source
An application that acts as a source of truth for user profile attributes. A user can be sourced by only one application or directory at a time.
Security Assertion Markup Language (SAML)
An open standard that verifies identity and offers authentication by exchanging data between an identity provider and a service provider.
service provider (SP)
In Okta, the service provider is any website that accepts SAML responses as a way of signing in users. Service providers redirect a user to an identity provider (Okta) to begin the authentication process.
SP-initiated SSO
Service Provider-initiated Single Sign-On. SAML authentication that is initiated by the Service Provider (SP). This is triggered when the end user tries to access a resource in the Service Provider or sign in directly to the Service Provider.
Single Sign-On (SSO)
SSO platforms allow users to enter one name and password to access multiple applications. Okta provides a seamless SSO experience across PCs, laptops, tablets, and smartphones, for applications both behind the firewall and in the cloud.
Secure Web Authentication (SWA)
An SSO integration method developed by Okta for apps that don't support SAML or proprietary federated sign-in methods. When a user accesses a SWA app from their Okta homepage, Okta posts their stored, encrypted credentials to the app sign-in page.
scope
An indication by the client that it wants to access a resource.
Assertion Consumer Service (ACS) URL
This is the endpoint where SAML responses are posted and must be provided by the SP to the identity provider. It is often referred to as the service provider (SP) sign-in URL.
single logout
A logout method in which a SAML service provider sends a logout request to the Identity Provider, and both the Identity Provider and Service Provider's current sessions close. Okta only supports SP-initiated logout.
force authentication
An administrative option that requires users to re-authenticate through their Identity Provider when trying to access an app. Users must re-authenticate even if they have an active session.
deep linking
Allows users to directly access parts of an application. If it is supported, users can navigate to a deep link and authenticate to an application using SP-initiated SAML SSO. After authentication, the user will be redirected to a specific page in the SP instead of the homepage.
domain
An attribute of an Okta organization. Okta uses a fully qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.) but doesn't include the protocol (https).
Schema Discovery
A process in which Okta identifies attributes in an app profile that can be added to the Okta user profile.
identifier-first
A method of authentication that presents only a Username field on the sign-in page. Okta uses identifier-first authentication to determine which IdP to use for completing the sign-in.
Early Access
Opt-in features that you can try out in your org by asking Okta Support to enable them. Super admins can also enable or disable selected EA features in the Okta Admin Console.
Generally Available
Describes features that are available to all orgs depending on each customer's SKU.
mobile application management (MAM)
Software and services that control access to mobile business apps. MAM works on company and personal devices.
Active Directory (AD)
An on-premises user account management service for Microsoft Windows domain networks.
Universal Directory
The Okta user directory that stores an unlimited number of users and all types of attributes. All applications in the Okta Integration Network can access the Universal Directory using LDAP or API.
Create, Read, Update, Deactivate (CRUD)
Common database operations that are used in Okta to manage users in the Okta Universal Directory. Note that Okta uses "deactivate" and not "delete".
profile sourcing
A read/import method that defines the flow and maintenance of user-object attributes and their lifecycle state. When an Okta user's profile is sourced by an application or directory, the Okta profile attributes and lifecycle state are derived exclusively from that resource. The profile isn't editable in Okta.
provisioning
The enterprise-wide process of granting access to the software and services that your users require, as well as the configuration, deployment, and management of those resources.
inbound SAML
Allows users from external Identity Providers to single sign-on (SSO) to Okta.
Preview sandbox
A sandbox environment that provides complete access to a fully functioning version of Okta. A Preview org allows you to test features before pushing them to your users.
upstream
Network traffic from a directory or app to Okta.
System for Cross-domain Identity Management (SCIM)
An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers (such as enterprise SaaS apps).
downstream
Indicates the direction of network traffic. For example, after a user account is created in the Okta Universal Directory, the account information and further updates are pushed downstream to a target application.
authentication
A sign-in process that verifies the identity of any entity requesting access to a website or service. Entities may include a person or an automated user agent such as an API request.
Lightweight Directory Access Protocol (LDAP)
A lightweight client-server protocol that is used to access X.500-based directory services. LDAP runs over Transmission Control Protocol/Internet Protocol (TCP/IP) or other connection-oriented transfer services.
Just-In-Time (JIT) provisioning
A SAML-based method of creating a user's account the first time that they sign in. Variations of JIT can modify users who have been created in advance and imported into Okta. In these scenarios, users in either a staged or deactivated state are activated the first time that they sign in.
OpenID Connect (OIDC)
An authentication layer on top of OAuth 2.0 (an authorization framework). The OIDC standard is controlled by the OpenID Foundation.
sourcing
The process of defining the flow and maintenance of user object attributes. Sourcing can be applied at the full profile level or at the attribute level. Okta-sourced means that edits made in the Okta profile then flow to all related applications. App-sourced means that edits made in a user's application profile (like Active Directory) flow to the Okta profile.
IdP-initiated SSO
Identity Provider-initiated Single Sign-On. A single sign-on operation that was started from the IdP Security Domain. The IdP federation server creates a federation SSO response and redirects the user to the SP with the response message and an optional operational state.
AWS CloudFormation
Provides a common language for describing and provisioning all of the infrastructure resources in an AWS cloud environment. CloudFormation allows admins to use a simple text file to securely model and provision all resources needed for applications across all regions and accounts.
software appliance
A configurable appliance that runs on VMware, VMware vSphere, AWS, or similar systems. Access Gateway is a preconfigured, downloadable VM image that can be configured for client infrastructures.
cluster
A group of computer instances (physical or virtual) within a given infrastructure used together for a single purpose.
fully qualified domain name (FQDN)
The complete URL for an internet site, including the transfer protocol (http/https).
Kerberos
A computer-network authentication protocol that enables nodes to securely prove their identities over a non-secure network.
engine x (NGINX)
A web server that can be used as a reverse proxy, load balancer, mail proxy, or HTTP cache.
network interface card (NIC) bonding
The combination of two Ethernet ports into a bonded virtual port to prevent traffic from saturating a single network connection.
instance
An occurrence of a software appliance or other resource hosted on a physical or virtual machine.
upstream application
A provisioning application that provides data to Okta.
linked user
A user is linked to a device record in Okta in either of the following ways: (1) when the user establishes an Okta session from the device and provides Okta the device identity during the session; (2) through the Okta API.
on-premises provisioning agent
A lightweight agent that runs on a Linux (CentOS or RHEL) or Windows (x86/x64) server and sits behind a firewall. The on-premises provisioning agent gets provisioning instructions from Okta and sends SCIM messages to the appropriate SCIM endpoint or connector.
SCIM server
An endpoint that can process SCIM messages sent by the provisioning agent. This endpoint can be an application that natively supports SCIM or a SCIM connector that acts as an intermediary between the provisioning agent and the on-prem application.
secret key
An Okta-generated string of characters that allows end users to enroll their mobile devices in Okta Verify without scanning a QR code.
end users
People in an org who don't have administrative control. They can authenticate to apps from the icons on their My Applications homepage, but their accounts are managed by admins.
end-of-life (EOL)
Deprecated features that are no longer available in the Admin Console.
Deprecated
A lifecycle state for features that are no longer actively supported. Deprecated features can't be assigned to an org.
multifactor authentication (MFA)
An added layer of security used to verify an end user's identity when they sign in to an app.
time-based one-time password (TOTP)
TOTP is a form of multifactor authentication in which a unique code is generated from a secret key and the current time. The code is sent to the user, who inputs it into a sign-in form along with their username and password. In addition, the code expires and becomes unusable after 30 or 60 seconds, depending on how the TOTP generator is configured.
Agentless Desktop Single Sign-On (ADSSO)
When this functionality is enabled, users are automatically authenticated by Okta when they sign in to a Windows network. Users only need to sign in a single time and don't need separate credentials for each application they access through Okta.
Okta FastPass
Passwordless authentication to any SAML, WS-Fed, or OIDC app in Okta on Windows, iOS, Android, and macOS.
out-of-band (OOB)
Signals sent between two endpoints using a method that is different from that of the primary communication between the two endpoints. When referencing Okta Verify, out-of-band references manual device enrollment using a sign-in URL.
proof-of-possession (PoP)
A verification process that assures that the owner of a key pair actually has the private key associated with the public key.
mutual Transport Layer Security (mTLS)
A cryptographic protocol that ensures two-way authentication.
managed device
A device that is controlled by your chosen device management solution, configured in Security > Device integrations, and is registered and enrolled in Okta Verify.
not managed (device)
A device that is registered or enrolled in Okta Verify but is either not managed by your chosen Device Management solution or is not configured for Device Management in Security > Device integrations.
Okta Access Gateway (OAG)
A reverse-proxy-based virtual application, designed to secure web applications that don't natively support SAML or OIDC. Okta Access Gateway integrates with legacy applications using HTTP headers and Kerberos tokens, and offers URL-based authorization and more.
device registration
The process of binding a user to the Okta Verify app instance on the device.
registered device
A device through which a user is bound to Okta Verify. Each registered device is a unique object in the Okta Universal Directory.
user verification
The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in Okta and associated with the identity being claimed. In Okta, user verification also refers to when a user is prompted to provide biometric or security key verification, such as when using the FIDO2 (WebAuthn) authenticator or Okta FastPass. (term partially adapted from National Institute of Standards and Technology, U.S. Department of Commerce)
device enrollment
The process of adding a user account to Okta Verify.
inline enrollment
The process of adding a user account to Okta Verify by accessing an app through your org.
Identity and Access Management (IAM)
The process of codifying not only users and groups in a software system, but also what resources they are each able to access and what functions they are each able to perform. IAM addresses authentication, authorization, and access control.
Customer Identity Access Management (CIAM)
A software solution that allows an organization to control customer access to applications; determine customer identity by linking with databases, online profiles, and other available information; and securely capture and manage customer profile information.
Authenticator Assurance Level (AAL)
An industry-standard categorization for ranking the strength of the authentication process. There are three levels: AAL1 (low), AAL2 (high), and AAL3 (very high).
Trusted Platform Module (TPM)
A microchip that is built into most desktop and mobile devices. It is designed to provide tamper-resistant security functions, primarily involving encryption keys.
Public Key Infrastructure (PKI)
A set of tools and policies used to create and maintain digital certificates and certificate chains.
Federal Information Processing Standards (FIPS)
A benchmark and certification program for cryptographic modules.
Integrated Windows Authentication (IWA)
Allows users to be automatically authenticated by Okta and any apps accessed through Okta, whenever they sign in to a Windows network. Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.
certificate authority (CA)
An issuer of digital certificates that confirm ownership of a public key.
Certificate Revocation List (CRL)
An index of digital certificates that have been revoked or marked invalid before their expiration date. Digital certificates on the CRL should not be trusted.
Simple Certificate Enrollment Protocol (SCEP)
An automatic enrollment process for issuing digital certificates to devices through a URL.
one-time password (OTP)
A type of multifactor authentication in which an end user receives a secret code by text message or voice call, or through an authenticator app, such as Google Authenticator. The user inputs this code when signing in, in addition to their password.
Sign-In Widget
The Okta Sign-In Widget is a JavaScript widget that provides a fully featured and customizable sign-in experience that can be used to authenticate users of web and mobile applications.
user verification
A method for end users to confirm their identity. For example, biometrics.
Uniform Resource Identifier (URI)
A unique sequence of characters used to identify a specific resource such as a web page, book, or a document. Unlike a URL, it doesn't include location information (https://).
sign in
Securely access an app with a set of user credentials. Synonyms include sign on (as in Single Sign-On or sign-on policy) and login.
claim
A statement about a subject (user) contained in OAuth2 security tokens. For example, a claim can be about a name, identity, key, group, or privilege. The claims in a security token are dependent upon the type of token, the type of credential used to authenticate the user, and the application configuration.
Aerial org
An org that holds the authorization server for all Aerial API actions in any org in the Aerial account. Choose one org to permanently serve as the Aerial org. Super admins can create API clients in the Aerial org to access the Aerial account. The Aerial org also contains all System Log events associated with Okta Aerial actions.
Aerial account
The management layer around multiple orgs within Okta. The Aerial account lives outside of your orgs and can manage any production or preview org linked to the Aerial account.
product
An Okta-determined set of features.
feature
A distinct piece of functionality. Features are bundled within products but may also be offered separately, for example, Early Access features.
Relying Party Identifier (RPID)
An identifier for the Relying Party, the entity that receives the SAML assertion from an IdP.
Shared Signals Framework (SSF)
An Identity Threat Protection feature that allows orgs to receive risk signals from third-party security providers.
Universal Logout
An Identity Threat Protection feature that terminates user sessions for supported apps in response to identity-based threats.
self-service registration (SSR)
A process that lets users in your org create their own accounts. In Identity Engine, this is accomplished through the profile enrollment policy.
self-service password reset (SSPR)
A feature that enables users to reset their own passwords without the assistance of an admin or help desk personnel. You can configure this feature in the password policy or the Okta account management policy.
resource
An object (like an app, user, or group) that can be managed, secured, or accessed in an Okta org.
Admin Console
A centralized interface that allows admins to manage and configure their Okta environment.
Admin Dashboard
The first page that admins see when they sign in to Okta. It summarizes org usage and activity and notifies you of any problems or outstanding work to be completed.
inline hooks
Outbound calls from Okta to your service at specific points in Okta process flows. They provide integration of custom functionality into those flows.
End-User Dashboard
A platform that gives end users access to their assigned enterprise apps.
event hooks
Outbound calls from Okta that trigger process flows within your own service. They're sent when specific events occur in your org, and they deliver information about the event.
ThreatInsight
A security feature that aggregates data about sign-in activity across the Okta customer base to detect potentially malicious IP addresses and prevent credential-based attacks.
enhanced dynamic zone
A security feature that allows admins to define network perimeters based on IP address characteristics like location, IP service category, and Autonomous System Numbers (ASNs).
device behavior
Defines policies based on changes in the end user's device when they sign in to an org.
IP behavior
Defines policies based on changes in the end user's IP address when they sign in to an org.
location behavior
Defines policies based on changes in the end user's geographical location when they sign in to an org.
dynamic zone
A zone with defined network perimeters based on location, IP address type, and autonomous system number (ASN).
IP zone
A network zone that allows admins to define security perimeters around a set of IP addresses. They are used to restrict or limit access to devices and computers in an org based on the IP address of the request.
velocity behavior
A behavior that's used to define policies based on changes in the end user's geographical location using two subsequent sign-in attempts.
Okta Browser Plugin
A plugin that lets you use SSO apps that require user credentials but don't support SAML.
Okta Personal
Okta's consumer password manager. It enables users to see all of their apps in one place, and securely store, save, generate, and autofill passwords.
risk
The probability of compromise, classified into a level of low, medium, or high. In Adaptive Multifactor Authentication, risk is calculated at the point of authentication (login risk). With Identity Threat Protection, Okta introduces the concept of session risk, evaluating every request post-authentication.
Identity Threat Protection (ITP)
An Identity Threat Detection & Response (ITDR) platform that continuously evaluates users and their sessions, receiving risk signals through the Okta risk engine and through security events providers. It combines current identity security solutions like ThreatInsight, Behavior Detection, and risk-based authentication to provide complete identity protection.
mobile device management (MDM)
A solution that allows companies to secure and manage both personal and corporate-owned mobile devices such as laptops, phones, and tablets. IT departments can use MDM for security compliance (data encryption, policy enforcement), remote configuration and troubleshooting, and inventory (device tracking).
Device Trust
An Okta access management solution that protects sensitive corporate resources by only allowing users to access Okta-protected apps from trusted devices.
Okta Verify
A multifactor authentication (MFA) app that allows users to securely sign in to their Okta account and other resources protected by Okta. Users can also authenticate with Okta Verify when they access non-Okta sites that require MFA such as GitHub, Facebook, or Google.
Okta Verify
An authenticator app that allows users to securely sign in to their Okta account and other resources protected by Okta. Users can also authenticate with Okta Verify when they access non-Okta sites that require authentication such as GitHub, Facebook, or Google.
hub-and-spoke
An Okta architecture model for merger and acquisition scenarios. If your organization acquires another company, and the company you acquired uses Okta, you can set up a hub-and-spoke environment and sync users and groups with the Okta Org2Org app. This approach enables employees from the acquired company to immediately access resources in the parent org.
realm
A feature that enables efficient management of user populations within a single organization, letting you delegate the administration of users and groups to external collaborators or business units. With realms, you can partition users in the Universal Directory while allowing them to share resources. Each realm consists of users stored and managed separately within an Okta org.
profile push
A feature that lets you select which attributes are pushed from Okta to an app when a provisioning event occurs. It's unidirectional, and data can only be pushed from Okta to the target app.
claims sharing
The exchange of identity-related information (claims) between different orgs to enable secure access to resources.
security events provider
A third-party vendor that supports Shared Signals Framework (SSF) and with whom Okta has partnered to exchange security-related events.
Continuous Access Evaluation Profile (CAEP)
As part of the Shared Signals Framework, CAEP enables orgs to make real-time access decisions based on changes in user context or assurance.
Organizational Unit (OU)
A container within Active Directory (AD) that organizes AD resources like users, groups, and devices. It enables the delegation of administrative control and organizes data into smaller segments so you can perform detailed admin tasks.
first-party app
An app created by Okta that serves as a component of the Okta product interface. Examples include the Okta Admin Console, Okta End-User Dashboard, and Okta End-User Settings. Okta communicates with these apps using OIDC for Single Sign-On transactions.
security event
Any observable occurrence within a system or network that's relevant to security. It's a change or activity that can indicate a potential security risk, a policy violation, or an ongoing attack.
access control
Grants or denies individual requests to view or update a restricted resource. Access is based on the resource, the nature of the request, whether the user is authenticated, the user's authorization, relevant policies, and other data.
authorization
Processes and services that define what resources a user is allowed to access and what functions they're allowed to perform. Authorization is part of access control.
entitlement management
A technology that controls access to resources. It grants, enforces, and revokes access rights, also known as permissions, privileges, or authorizations. It manages either coarse-grained or fine-grained entitlements across various IT platforms, apps, and devices.
federation
A group of service providers who agree on standards for sharing identity information among multiple entities and across trust domains. These tools and standards permit identity attributes to be transferred from one trusted identifying and authenticating entity to another for authentication, authorization, and other purposes. This provides SSO convenience to identified individuals and identity providers.
Federated Identity Management (FIM)
A strategy for linking user identities across federated identity providers (IdPs). It provides an SSO capability for these IdPs and has the same benefits as SSO, but applies across domain boundaries to customers, partners, and social networks. It allows users to access your apps with their existing external sign-in IDs.
role
An attribute that's assigned to a user. It grants them a specific set of access privileges. Everyone who holds a given role has the privileges that are associated with the role.
workforce identity
An IAM model for managing employee and contractor access to your org's apps and resources. Its goal is to manage risk.
WS-Federation (WS-Fed)
An XML-based protocol used for SSO. It's used to sign in to legacy Windows-based web apps and Microsoft Office 365, where Okta acts as an authorization server or identity provider.