The Okta Visualization Bible V2

Complete Platform Architecture · Visual Data Flows · Best-Practice Auth Patterns · AI/NHI · Zero Trust · Threat Mapping · Compliance

Okta Platform 2025/26 · Workforce Identity Cloud · Customer Identity Cloud · Okta for AI Agents · ISPM · Non-Human Identity · Zero Trust · Identity Security Fabric

Okta Platform Architecture Overview

The Identity Security Fabric — unified control plane for human, machine, and AI identities

Okta operates as a "Sovereign Identity Plane" — a vendor-neutral cloud identity platform that sits between your authoritative sources (HR, AD, LDAP) and your downstream applications (8,200+ in the OIN). It is architected as a layered fabric: Universal Directory masters identity data, the access policy engine evaluates every authentication request against risk signals, lifecycle management automates JML provisioning, and governance + privileged access enforce least privilege. Since 2025, this fabric now extends to non-human identities (service accounts, API keys, AI agents) with the same visibility and governance as human users.
Identity Security Fabric (Platform Core)
Universal Directory · OIN 8,200+ · Lifecycle · Workflows · System Log · Agents
CONTROL PLANE
Universal Directory
Centralized identity store mastering profiles from HR (Workday, UKG), AD/LDAP, and other sources. Single source of truth for all identity types.
SCIM 2.0 · Profile Master · Custom Schema
Okta Integration Network
8,200+ pre-built integrations. SAML 2.0, OIDC, SCIM, SWA, and API connectors. Now includes AI agent platform integrations (Agentforce, Copilot Studio, Vertex AI).
8,200+ Apps · SAML · OIDC · SCIM
Lifecycle Management
Automated Joiner-Mover-Leaver orchestration. HR-driven provisioning and de-provisioning to all connected apps, with no manual IT tickets in the loop.
JML · Auto-Provision · Deprovision
Okta Workflows
No-code/low-code identity automation. 80+ connector cards. Event hooks for custom triggers. Integrates with ISPM for auto-remediation.
No-Code · 80+ Connectors · Event Hooks
System Log & Event Hooks
Real-time audit trail. Event hooks push on state changes. Log streaming to SIEM (Splunk, Sentinel, Sumo Logic).
Real-time · SIEM · CEF
Okta Agents
Lightweight agents bridging on-prem AD, LDAP, and RADIUS to the cloud. 3-click ISPM integration for AD posture visibility.
AD Agent · LDAP · RADIUS
Workforce Identity Cloud (WIC)
SSO · Adaptive MFA · FastPass · Device Trust · OIG · OPA
EMPLOYEE + PARTNER
Single Sign-On (SSO)
SAML 2.0, OIDC, WS-Fed. Custom sign-in pages. Hub-and-spoke multi-org. Session management.
SAML · OIDC · WS-Fed
Adaptive MFA
Risk-based step-up evaluating device, network, location, and behavior. Okta Verify, WebAuthn/FIDO2, SMS, email, third-party factors.
Risk Engine · Okta Verify · FIDO2
FastPass (Passwordless)
Phishing-resistant passwordless authentication via device-bound keys plus biometric or device PIN. On managed devices, policy can allow silent sign-in with no user prompt at all.
Passwordless · Device Bound · Phishing Resistant
Device Trust & Assurance
MDM/UEM posture, OS version, disk encryption, firewall, jailbreak/root detection. CrowdStrike, Jamf, Intune signals.
MDM · EDR · Zero Trust
Identity Governance (OIG)
Access requests, certifications, entitlement management, SoD. Terraform-managed. NHI cert campaigns in 2026.
Reviews · Entitlements · SoD · Terraform
Privileged Access (OPA)
JIT elevation, credential vaulting, SSH/RDP gateway, session recording. Extending to NHI workload identity in 2026.
JIT · Vault · Session Record · NHI
Customer Identity Cloud (Auth0)
Universal Login · Actions · FGA · Organizations · Bot Detection · Verifiable Credentials
CUSTOMER + DEVELOPER
Universal Login
Customizable hosted login. Social connections (Google, Apple, Facebook). Passkeys. Progressive profiling.
Social · Passkeys · Progressive
Auth0 Actions
Serverless JS hooks at login, registration, token exchange, and password reset. Custom logic without infrastructure.
Serverless · Pre/Post Login · M2M
Fine-Grained Authorization (FGA)
OpenFGA-based relationship-based access control (ReBAC). Google Zanzibar-inspired relationship tuples (object, relation, subject) evaluated against an authorization model for app-level permissions.
OpenFGA · ReBAC · Zanzibar
Bot Detection & Fraud
AI-powered credential stuffing defense, brute force protection, deepfake detection. Adaptive risk scoring.
AI Fraud · Deepfake · Credential Guard
Organizations (B2B)
Multi-tenant B2B. Per-org branding, connections, MFA policies. Enterprise federation per org.
Multi-Tenant · B2B · Enterprise Fed
Verifiable Credentials
Issue and verify tamper-evident digital credentials. Cryptographic proof of identity claims. Anti-deepfake.
W3C VC · Anti-Fraud · Digital Trust
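The FGA card above says "Zanzibar-inspired tuples" without showing what a check against them looks like. The following is an added example, not Auth0 or OpenFGA code: a minimal relationship-based checker with direct tuples, computed usersets (owner implies editor implies viewer), userset subjects (a whole group as a subject) and tuple-to-userset inheritance from a parent folder. The model, object names and tuples are constructed for illustration.

```python
"""Added example (not Auth0/OpenFGA code): a minimal Zanzibar-style ReBAC
checker. The model, tuples and names below are constructed for illustration."""
from __future__ import annotations
from collections import defaultdict

# Authorization model (hypothetical): which usersets satisfy each relation.
#   "this"               -> direct tuples object#relation@subject
#   "<rel>"              -> computed userset: anyone holding <rel> on the same object
#   ("parent", "<rel>")  -> tuple-to-userset: anyone holding <rel> on the object's parent
MODEL = {
    "folder": {
        "owner":  ["this"],
        "viewer": ["this", "owner", ("parent", "viewer")],
    },
    "document": {
        "owner":  ["this"],
        "editor": ["this", "owner"],
        "viewer": ["this", "editor", ("parent", "viewer")],
    },
    "group": {"member": ["this"]},
}

class TupleStore:
    """Relationship tuples indexed as (object, relation) -> set of subjects.
    A subject is a user like 'user:alice' or a userset like 'group:eng#member'."""
    def __init__(self, tuples):
        self._idx = defaultdict(set)
        for obj, rel, subj in tuples:
            self._idx[(obj, rel)].add(subj)

    def subjects(self, obj: str, rel: str) -> set:
        return self._idx.get((obj, rel), set())

def check(store: TupleStore, obj: str, relation: str, user: str, _depth: int = 0) -> bool:
    """Is `user` a member of the userset obj#relation? Walks the model recursively."""
    if _depth > 16:                            # guard against cyclic tuples
        return False
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL[obj_type].get(relation, []):
        if rule == "this":
            for subj in store.subjects(obj, relation):
                if subj == user:
                    return True
                if "#" in subj:                # userset subject: expand it
                    s_obj, s_rel = subj.split("#", 1)
                    if check(store, s_obj, s_rel, user, _depth + 1):
                        return True
        elif isinstance(rule, tuple):          # tuple-to-userset through a linking relation
            link_rel, target_rel = rule
            for linked in store.subjects(obj, link_rel):
                if check(store, linked, target_rel, user, _depth + 1):
                    return True
        elif check(store, obj, rule, user, _depth + 1):   # computed userset on the same object
            return True
    return False

# Constructed tuples for the example.
STORE = TupleStore([
    ("group:eng", "member", "user:alice"),
    ("folder:roadmap", "viewer", "group:eng#member"),   # the whole group can view the folder
    ("folder:roadmap", "owner", "user:carol"),
    ("document:q3-plan", "parent", "folder:roadmap"),   # the document lives in the folder
    ("document:q3-plan", "owner", "user:bob"),
])

if __name__ == "__main__":
    for q in [("document:q3-plan", "viewer", "user:alice"),
              ("document:q3-plan", "editor", "user:alice"),
              ("document:q3-plan", "viewer", "user:bob"),
              ("document:q3-plan", "viewer", "user:mallory")]:
        print(q, check(STORE, *q))
```

alice can view the document only through the chain document → parent folder → folder viewer → group:eng#member, which is the point of ReBAC: the permission is derived from relationships rather than stored per user, so removing alice from the group revokes every inherited access at once.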
AI Agent & Non-Human Identity Security
Okta for AI Agents · XAA · Agent Discovery · NHI Lifecycle · Service Accounts API
GA APRIL 2026
Okta for AI Agents
End-to-end lifecycle: discover, register, authorize, govern, monitor. Agents as first-class identities in the security fabric. GA April 2026.
GA Apr 2026 · First-Class Identity
Cross App Access (XAA)
Open protocol for secure agent-to-app access. Delegated OAuth 2.0 with scoped, time-bound tokens. Vendor-neutral.
Open Standard · OAuth 2.0 · Time-Bound
Agent Discovery (ISPM)
Browser plugin captures OAuth consents. Maps shadow AI agents and blast radius. Expanding to Copilot Studio + Agentforce.
Shadow AI · OAuth Monitor · EA
NHI Unified View
Single pane: service accounts, API keys, tokens, bots, AI agents across SaaS, IaaS, IdP, AD. Risk scoring + ownership.
Service Accts · API Keys · Tokens
Service Accounts API
New API for OPA-enabled orgs. Programmatic NHI creation, rotation, decommission with full audit trail.
REST API · Rotation · OPA
Agent OIN Integrations
Dedicated OIN support for Salesforce Agentforce, Microsoft Copilot Studio, Google Vertex AI, Boomi, DataRobot.
Agentforce · Copilot · Vertex
Identity Security Posture Management (ISPM)
Continuous Risk · Misconfiguration Detection · AD Integration · Shadow AI · Auto-Remediation
OBSERVABILITY
Continuous Assessment
Agentless integration with IdPs, SaaS, IaaS. Detects MFA bypass, SSO exceptions, orphaned accounts, over-provisioning. 300+ SCIM app support.
Agentless · Continuous · 300+ Apps
User & Org Graph
Visual graph of auth flows, group hierarchies, permission paths. Surfaces hidden SSO providers and nested AD group analysis.
Graph View · Auth Flows · AD Nested
AD Integration
Uses existing Okta AD Agent. 3-click setup. Discovers service accounts, maps nested groups, hybrid visibility.
3-Click · Hybrid · EA
Issue Detection
Admin MFA not enforced, stale admins, SSO bypass, shadow IdPs, shared agent credentials. Workflow templates for auto-fix.
Risk Priority · Auto-Remediate · Workflows
Shadow AI Discovery
Browser plugin detects OAuth grants to AI tools. Maps client→resource app relationships. Alerts on unknown agents with critical data access.
OAuth Monitor · Browser Plugin
Reporting
Exportable reports by segment, role, group. Compliance evidence for SOX, SOC2, GDPR, NIS2, DORA audits.
SOX · SOC2 · GDPR · Export

End-to-End Identity Data Flows

Visual flows showing how identity data moves through the Okta platform from source to access

HR-to-App provisioning flow: Identity data originates in authoritative sources (Workday, AD, LDAP, CSV, SCIM) and flows into Universal Directory, where profiles are mastered with attribute-level sourcing. The group rules engine auto-assigns users to groups based on department, role, or custom attributes. Lifecycle management then SCIM-provisions accounts to the connected downstream apps (drawn from the 8,200+ in the OIN). Meanwhile, the access policy layer (sign-on policies, risk engine, device trust, ThreatInsight) evaluates every authentication. Everything feeds into the observability stack (system log, ISPM, OIG, OPA, SIEM export) for continuous governance.
HR → Directory → Policy → Apps → Observability
Full identity pipeline from authoritative source to application access:

Sources: Workday (HR source) · Active Directory (on-prem IdP) · LDAP (directory) · CSV / API (bulk import)
  ↓
Universal Directory: profile mastering + custom schema. Single source of truth; attribute-level sourcing from multiple authorities.
  Group Rules (auto-assign by dept, role, custom attrs) · Lifecycle Mgmt (JML automation to all apps) · Workflows (custom no-code automation)
Access policy layer: Sign-On Policy (auth rules per app) · Risk Engine (Adaptive MFA trigger) · Device Trust (MDM + EDR signals) · ThreatInsight (IP reputation)
  ↓ SCIM provisioning
Apps: Salesforce · Slack · Jira · GitHub · AWS · 8,200+ in the OIN
Observability: System Log (full audit trail) · ISPM (posture monitoring) · OIG (access reviews) · OPA (privileged access) · SIEM (Splunk / Sentinel)
CRUD operation flow (AI agent orchestrated): A natural language request enters via chat, Slack, or API → the agent classifies the intent and extracts entities → builds an execution DAG with a rollback chain → the policy gate (labelled OPA in the diagram) evaluates RBAC, SoD, and blast radius → LOW risk is auto-approved, HIGH risk is routed to a human-in-the-loop approver → pre-flight validation checks for duplicates and license availability → API calls execute against Okta (and optionally Entra in dual-write mode) → read-back verification confirms success → a correlation store links IDs → the response is returned → full audit trail + OTEL metrics + SIEM export + scheduled reconciliation at T+5min.
AI Agent CRUD Operation Flow
Natural language → intent → DAG → policy → execute → verify → audit
1. Request Intake
"Create user jdoe@corp.com in Engineering with Jira + GitHub" — via chat, Slack, API, or ServiceNow webhook.
2. Intent Classification (LLM)
Extracts: intent=CREATE_USER, entities=[user profile, group=Engineering, apps=[Jira, GitHub]]. Confidence: 0.96. RAG lookup enriches with org defaults.
3. Execution DAG
4-node plan: (1) POST /api/v1/users → (2) PUT /api/v1/groups/{groupId}/users/{userId} → (3a) POST /api/v1/apps/{jiraAppId}/users ∥ (3b) POST /api/v1/apps/{githubAppId}/users. Rollback chain (compensating unassign/deactivate calls in reverse order) and idempotency keys generated so a retried request cannot create a duplicate user.
4. OPA Policy Gate
RBAC + SoD + blast radius. Single user = LOW risk → auto-approved. Batch >50 → HITL approval via Slack.
5. Pre-Flight Validation
User exists check? Group at capacity? App licenses available? All clear → proceed.
▼ Execute ▼
6a. Okta API Calls
POST /api/v1/users?activate=true → 201. PUT /api/v1/groups/{groupId}/users/{userId} → 204. POST /api/v1/apps/{appId}/users × 2 → 200. Sequential where a step depends on the previous one, parallel where it does not.
6b. Entra Shadow Sync
If dual-write: POST /v1.0/$batch — user + group + apps. Schema mapped via canonical model. ImmutableId correlation stored.
7. Read-Back Verification
GET users → ACTIVE ✓. GET groups → membership confirmed ✓. App assignments verified ✓.
8. Audit + Reconcile
Full operation logged. OTEL metrics emitted. SIEM forwarded. Drift check scheduled at T+5min.
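Steps 3 through 8 above, and the endpoints listed in the API reference later on this page, as one runnable plan. This is an added example, not Okta's code or the orchestrator the page describes: the `FakeOkta` class is an in-memory stand-in for the Management API endpoints the plan calls (the paths in the comments are the documented ones), the group and app IDs are made up, and the `fail_app` switch exists only to exercise the rollback chain. Idempotency is implemented the way the pre-flight step describes it, by looking the login up before creating it.

```python
"""Added example (not Okta's code): the CREATE_USER execution plan run against
an in-memory stand-in for the Okta Management API endpoints it calls."""
from __future__ import annotations
from concurrent.futures import ThreadPoolExecutor
from typing import Callable
import threading
import uuid

class FakeOkta:
    """Minimal in-memory model of the org state the plan touches (constructed)."""
    def __init__(self, fail_app: str | None = None):
        self.users: dict[str, dict] = {}
        self.groups: dict[str, set] = {"00g-eng": set()}
        self.apps: dict[str, set] = {"0oa-jira": set(), "0oa-github": set()}
        self.fail_app = fail_app                      # simulate a 5xx on this app assignment
        self.calls: list[str] = []
        self._lock = threading.Lock()

    def search_user(self, login: str) -> dict | None:   # GET /api/v1/users?search=profile.login eq "..."
        return next((u for u in self.users.values() if u["profile"]["login"] == login), None)

    def post_user(self, profile: dict) -> dict:         # POST /api/v1/users?activate=true -> 201
        with self._lock:
            self.calls.append("POST /api/v1/users?activate=true")
            if self.search_user(profile["login"]):
                raise RuntimeError("400 login already in use")   # Okta rejects duplicate logins
            uid = "00u" + uuid.uuid4().hex[:17]
            self.users[uid] = {"id": uid, "status": "ACTIVE", "profile": profile}
            return self.users[uid]

    def put_group_user(self, gid: str, uid: str) -> None:    # PUT /api/v1/groups/{gid}/users/{uid} -> 204
        with self._lock:
            self.calls.append(f"PUT /api/v1/groups/{gid}/users/{uid}")
            self.groups[gid].add(uid)

    def post_app_user(self, app_id: str, uid: str) -> None:  # POST /api/v1/apps/{appId}/users -> 200
        with self._lock:
            self.calls.append(f"POST /api/v1/apps/{app_id}/users")
            if app_id == self.fail_app:
                raise RuntimeError(f"500 assigning {app_id}")
            self.apps[app_id].add(uid)

    # Compensating calls used by the rollback chain.
    def delete_app_user(self, app_id: str, uid: str) -> None:   # DELETE /api/v1/apps/{appId}/users/{uid}
        self.apps[app_id].discard(uid)

    def delete_group_user(self, gid: str, uid: str) -> None:    # DELETE /api/v1/groups/{gid}/users/{uid}
        self.groups[gid].discard(uid)

    def deprovision_user(self, uid: str) -> None:   # POST .../lifecycle/deactivate, then DELETE /api/v1/users/{uid}
        self.users[uid]["status"] = "DEPROVISIONED"
        del self.users[uid]

def verify(okta: FakeOkta, uid: str, gid: str, app_ids: list[str]) -> None:
    """Step 7, read-back verification: trust GETs, not the write responses."""
    user = okta.users.get(uid)                               # GET /api/v1/users/{uid}
    if not user or user["status"] != "ACTIVE":
        raise RuntimeError("read-back: user not ACTIVE")
    if uid not in okta.groups[gid]:                          # GET /api/v1/groups/{gid}/users
        raise RuntimeError("read-back: group membership missing")
    for app_id in app_ids:                                   # GET /api/v1/apps/{appId}/users/{uid}
        if uid not in okta.apps[app_id]:
            raise RuntimeError(f"read-back: {app_id} assignment missing")

def provision(okta: FakeOkta, profile: dict, gid: str, app_ids: list[str]) -> dict:
    """Execute the DAG user -> group -> (apps in parallel). Any failure undoes
    every completed step in reverse order. Re-running with the same login is
    idempotent: the pre-flight lookup reuses the existing user."""
    rollback: list[Callable[[], None]] = []
    try:
        existing = okta.search_user(profile["login"])        # step 5: duplicate check
        if existing:
            uid, reused = existing["id"], True
        else:
            uid, reused = okta.post_user(profile)["id"], False
            rollback.append(lambda: okta.deprovision_user(uid))
        okta.put_group_user(gid, uid)
        rollback.append(lambda: okta.delete_group_user(gid, uid))
        with ThreadPoolExecutor(max_workers=len(app_ids)) as pool:   # 3a || 3b
            futures = {pool.submit(okta.post_app_user, a, uid): a for a in app_ids}
        errors = []
        for fut, app_id in futures.items():                  # every future is finished here
            if fut.exception() is None:
                rollback.append(lambda a=app_id: okta.delete_app_user(a, uid))
            else:
                errors.append(f"{app_id}: {fut.exception()}")
        if errors:
            raise RuntimeError("; ".join(errors))
        verify(okta, uid, gid, app_ids)
        return {"status": "ok", "user_id": uid, "reused": reused}
    except Exception as exc:
        for undo in reversed(rollback):                      # compensate newest-first
            undo()
        return {"status": "rolled_back", "error": str(exc)}

PROFILE = {"login": "jdoe@corp.com", "email": "jdoe@corp.com", "firstName": "J", "lastName": "Doe"}

if __name__ == "__main__":
    print(provision(FakeOkta(), PROFILE, "00g-eng", ["0oa-jira", "0oa-github"]))
    print(provision(FakeOkta(fail_app="0oa-github"), PROFILE, "00g-eng", ["0oa-jira", "0oa-github"]))
```

Two design points carry over to a real orchestrator: the partially successful parallel stage must record which branches succeeded before raising, otherwise the rollback chain cannot know what to undo; and a re-run that fails after reusing an existing user would also strip memberships that existed before the run, so production code should snapshot prior state before compensating.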

Best-Practice Authentication Patterns

Visual step-by-step flows for every major authentication mechanism

SAML 2.0 SP-Initiated SSO — the bread-and-butter of Okta workforce SSO. The user hits the app, the SP generates an AuthnRequest redirect to Okta, Okta evaluates the sign-on policy (risk engine + device trust), challenges with MFA if policy requires it, then posts back the signed SAML assertion for the SP to validate and create a session.
SAML 2.0 SP-Initiated SSO
8-step flow: User → SP → Okta (IdP) → MFA → Assertion → Session
MOST COMMON
1. User accesses app
Browser navigates to SP-protected resource.
2. SP AuthnRequest
SP generates SAML AuthnRequest, redirects browser to Okta /sso/saml endpoint.
3. Sign-on policy
Okta evaluates risk: device, network, location, behavior signals.
4. User authenticates
Okta Sign-In Widget. Password, FastPass, or passwordless.
5. MFA challenge
If policy requires: Okta Verify push, FIDO2, SMS, etc.
6. SAML response
Signed SAML assertion with claims. POST to SP ACS URL.
7. SP validates assertion
Verifies the XML signature against the IdP signing certificate it was configured with; checks issuer, audience, NotBefore/NotOnOrAfter, InResponseTo (must match the AuthnRequest it sent), and claim values; rejects unsigned or previously seen assertions.
8. Session created — access granted
SP creates local session. User has authenticated access. Session lifetime governed by Okta global session policy.
OAuth 2.0 + PKCE — the recommended pattern for SPAs and mobile apps. The app generates a code_verifier, hashes it to a code_challenge (S256), sends the challenge with the /authorize request. Okta authenticates the user and returns an auth code. The app exchanges the code + original verifier at /token. Okta validates by re-hashing the verifier to confirm it matches. This prevents authorization code interception attacks.
OAuth 2.0 Authorization Code + PKCE
Best practice for SPA/mobile: code_verifier → challenge → exchange → tokens
RECOMMENDED
1. Generate PKCE pair
App creates a random code_verifier (43-128 unreserved characters) and computes code_challenge = BASE64URL(SHA256(code_verifier)).
2. /authorize + challenge
GET /authorize?response_type=code&client_id={clientId}&redirect_uri={callback}&scope=openid profile&state={state}&nonce={nonce}&code_challenge={challenge}&code_challenge_method=S256
3. Login + MFA
Okta Sign-In Widget. User authenticates with the factors the sign-on policy requires.
4. Redirect + auth code
Okta redirects to the registered callback URL with a one-time authorization code and the original state, which the app compares with the value it sent.
5. POST /token
App sends grant_type=authorization_code, the code, redirect_uri, and the original code_verifier to the Okta token endpoint.
6. Validate PKCE
Okta computes BASE64URL(SHA256(code_verifier)) and compares it with the challenge stored alongside the code. A match proves the party redeeming the code is the one that started the flow, so an intercepted code is useless without the verifier.
7. Tokens issued
Access token + ID token (+ refresh token when offline_access was requested). App validates the ID token signature and its iss, aud, exp, and nonce claims.
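The seven steps above as code. This is an added example rather than Okta's implementation: the client-side functions follow RFC 7636 exactly, while the `AuthServer` class is a constructed stand-in for the /authorize and /token endpoints that exists only to show what the server must check when the code is redeemed (single use, S256 only, redirect_uri bound to the code, verifier length, constant-time compare). The issuer URL shape in `build_authorize_url` is an assumption.

```python
"""Added example (not Okta's implementation): PKCE per RFC 7636 on the client
side plus a constructed stand-in for the authorization server's checks."""
from __future__ import annotations
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def compute_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (method S256)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def generate_pkce_pair() -> tuple[str, str]:
    """32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43..128)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, compute_challenge(verifier)

def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        challenge: str, state: str, nonce: str,
                        scope: str = "openid profile email") -> str:
    """Step 2: the /authorize request. `issuer` is assumed to be the Okta
    authorization server base URL, e.g. https://{org}.okta.com/oauth2/default."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "nonce": nonce, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{issuer}/v1/authorize?{urlencode(params)}"

class AuthServer:
    """Constructed stand-in for the server side (steps 4 and 6)."""
    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}   # code -> (challenge, redirect_uri)

    def authorize(self, challenge: str, method: str, redirect_uri: str) -> str:
        if method != "S256":                  # refuse "plain": it would expose the verifier
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (challenge, redirect_uri)
        return code

    def token(self, code: str, verifier: str, redirect_uri: str) -> bool:
        """Step 6: the code is single-use; the verifier must be well-formed
        and must hash to the challenge bound to that code."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return False                      # unknown, or already redeemed (replay)
        challenge, bound_redirect = entry
        if bound_redirect != redirect_uri or not 43 <= len(verifier) <= 128:
            return False
        return secrets.compare_digest(compute_challenge(verifier), challenge)

if __name__ == "__main__":
    verifier, challenge = generate_pkce_pair()
    srv = AuthServer()
    cb = "https://app.example/callback"
    print(build_authorize_url("https://dev.okta.example/oauth2/default", "0oa-client", cb,
                              challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
    code = srv.authorize(challenge, "S256", cb)
    print("legitimate exchange:", srv.token(code, verifier, cb))
    print("replay of the same code:", srv.token(code, verifier, cb))
```

The interception defence is visible in `token()`: an attacker who captures the authorization code from the redirect still has to present a verifier that hashes to the stored challenge, and the verifier never left the client.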
FastPass + Passkey (Passwordless) — phishing-resistant because the private key never leaves the device. The user opens the app, Okta detects the enrolled device-bound key, challenges Okta Verify, biometrics (Touch ID / Face ID) unlock the key, the device signs the cryptographic challenge, Okta verifies the signature and evaluates device posture (MDM + EDR), then issues tokens. Zero passwords at any step.
FastPass + Passkey Passwordless
Phishing-resistant: device-bound key + biometric + posture check
PHISHING PROOF
1. Open app
User clicks login. SSO redirect to Okta.
2. Detect FastPass
Okta detects registered device-bound key. Sends cryptographic challenge to Okta Verify.
3. Biometric prompt
Okta Verify prompts Touch ID / Face ID / Windows Hello to unlock private key.
4. Sign challenge
Device private key signs the challenge. Key never leaves the secure enclave.
5. Verify + posture
Okta verifies signature with stored public key. Evaluates MDM compliance, OS version, EDR signals.
6. Token issued
SAML assertion or OIDC tokens issued. Zero passwords used. Phishing-resistant, device-bound.
Cross App Access (XAA) — AI Agent Authorization — the emerging standard for how AI agents securely connect to applications. A human delegates a task → the agent requests scoped access via XAA → Okta verifies the agent is a registered identity → applies least-privilege, time-bound policy → issues a delegated OAuth 2.0 token → agent calls the target app API with the bearer token → full audit trail logged in ISPM + OIG + system log.
XAA — AI Agent Authorization
Delegated OAuth 2.0: human → agent → scoped token → target app → audit
EMERGING STANDARD
1. Human delegates task
User tells agent to perform an action (e.g., "update CRM record for deal X").
2. Request scoped access
Agent sends XAA token request to Okta with required scopes and target app.
3. Verify agent identity
Okta confirms agent is registered in Universal Directory with valid ownership.
4. Apply least privilege
Policy enforced: only requested scopes granted. Token time-bound (minutes, not days).
5. Agent calls target app
Bearer token in Authorization header. Only permitted actions within scoped access.
6. Audit trail
Full operation logged in ISPM + OIG + system log. Drift detection. Compliance evidence.
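Steps 2 through 6 of the XAA flow, as an added example. It is not Okta's XAA implementation and the token format is a simplified HMAC-signed JWT standing in for the real exchange, not the XAA wire protocol; what it shows is the policy the flow describes: the agent must be a registered, active identity, only the intersection of requested and permitted scopes is granted, the lifetime is capped, every decision is audited, and the resource app independently checks signature, audience, expiry and scope. The agent registry, scopes, signing key and audit sink are constructed.

```python
"""Added example (not Okta's XAA implementation; simplified token format):
issue a scoped, short-lived delegated token to a registered agent and
enforce it on the resource side."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"    # stand-in for the issuer's signing key
MAX_TTL = 600                             # time-bound: minutes, not days
ISSUER = "https://idp.example"            # hypothetical

# What the registry (Universal Directory in the page's flow) holds for an agent.
AGENTS = {
    "agent:crm-bot": {"owner": "user:jdoe", "status": "ACTIVE",
                      "allowed": {"crm.read", "crm.write"}},
}
AUDIT: list[dict] = []                    # stand-in for the system log

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_token(agent_id: str, user_id: str, audience: str, requested: list[str],
                ttl: int = MAX_TTL, now: int | None = None) -> tuple[str, list[str], list[str]]:
    """Steps 2-4: verify the agent is registered and active, keep only the
    requested scopes the agent is allowed (least privilege), cap the lifetime,
    sign, audit. Returns (token, granted_scopes, dropped_scopes)."""
    now = int(time.time() if now is None else now)
    agent = AGENTS.get(agent_id)
    if agent is None or agent["status"] != "ACTIVE":
        AUDIT.append({"event": "agent.token.denied", "agent": agent_id,
                      "user": user_id, "reason": "not a registered active agent"})
        raise PermissionError(f"{agent_id} is not a registered, active agent")
    granted = sorted(set(requested) & agent["allowed"])
    dropped = sorted(set(requested) - agent["allowed"])
    if not granted:
        AUDIT.append({"event": "agent.token.denied", "agent": agent_id,
                      "user": user_id, "reason": "no permitted scope"})
        raise PermissionError("none of the requested scopes are permitted")
    exp = now + min(ttl, MAX_TTL)
    payload = {"iss": ISSUER, "sub": user_id, "act": {"sub": agent_id},   # RFC 8693 delegation shape
               "aud": audience, "scope": " ".join(granted), "iat": now, "exp": exp}
    signing_input = (_b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64(json.dumps(payload).encode()))
    token = f"{signing_input}.{_sign(signing_input)}"
    AUDIT.append({"event": "agent.token.issued", "agent": agent_id, "user": user_id,
                  "aud": audience, "scope": granted, "dropped": dropped, "exp": exp})
    return token, granted, dropped

def authorize_call(token: str, audience: str, needed_scope: str, now: int | None = None) -> bool:
    """Step 5 on the resource app: signature, audience, expiry, then scope."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        return False
    head, body, sig = parts
    if not hmac.compare_digest(_sign(f"{head}.{body}"), sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return False
    return needed_scope in claims.get("scope", "").split()

if __name__ == "__main__":
    tok, granted, dropped = issue_token("agent:crm-bot", "user:jdoe", "app:crm",
                                        ["crm.write", "crm.admin"], ttl=86400)
    print("granted:", granted, "dropped:", dropped)
    print("crm.write allowed:", authorize_call(tok, "app:crm", "crm.write"))
    print("crm.admin allowed:", authorize_call(tok, "app:crm", "crm.admin"))
    print("last audit record:", AUDIT[-1])
```

Note that the agent asked for a day-long token with an admin scope and received a ten-minute token without it; the downscoping is recorded in the audit entry so a reviewer can see what the agent attempted, not only what it got.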

Zero Trust Architecture with Okta

How Okta components compose into a complete Zero Trust security posture

Zero Trust principle: "Never trust, always verify." Okta implements this across five pillars: identity verification (Adaptive MFA, FastPass), device assurance (MDM/EDR signals), network context (ThreatInsight IP reputation, network zones), application access (sign-on policies per app), and continuous monitoring (ISPM, system log, OIG). A sixth item below extends least privilege to non-human identities. Every authentication is evaluated in real time against current signals; there are no trusted zones, and a prior session does not exempt the next request from policy.
Zero Trust — Five Pillars (Plus NHI Least Privilege) Mapped to Okta
1. Identity Verification
Every user/agent authenticates every session. Adaptive MFA evaluates risk. FastPass provides phishing-resistant verification. No implicit trust from prior sessions.
Adaptive MFA · FastPass · Risk Engine
2. Device Assurance
Device posture evaluated before access: MDM enrollment, OS patch level, disk encryption, firewall, jailbreak detection. CrowdStrike/Jamf/Intune signals integrated.
Device Trust · MDM · EDR
3. Network Context
ThreatInsight evaluates IP reputation, detects credential stuffing, and proactively locks out abusive sources. Network zones define trusted/untrusted perimeters as inputs to policy evaluation, not as a substitute for it.
ThreatInsight · Network Zones · IP Rep
4. App-Level Access Control
Per-application sign-on policies. Different MFA requirements per app sensitivity. API access management with custom authorization servers, scopes, and claims.
Per-App Policy · Custom Auth Servers · Scopes
5. Continuous Monitoring
ISPM continuously validates posture. OIG runs access certification campaigns on a schedule (quarterly is typical). System log streams to SIEM. Anomaly detection via behavior analytics. No "set and forget."
ISPM · OIG · SIEM · Continuous
6. Least Privilege (NHI)
OPA enforces JIT elevation for admin access. XAA provides time-bound scoped tokens for AI agents. OIG certifies NHI entitlements. ISPM detects over-provisioning.
JIT · XAA · OIG Cert · ISPM

Threat Landscape → Okta Defense Mapping

Common identity attack vectors and which Okta capability defends against each

Threat Vector | Attack Description | Okta Defense | Product(s)
Credential stuffing | Automated login attempts with stolen credential databases | IP reputation + rate limiting + bot detection + breached password detection | ThreatInsight + CIC Bot Detection + Credential Guard
Phishing / AiTM | Fake login pages intercepting credentials and session tokens | Phishing-resistant passwordless: device-bound keys are origin-bound, so a proxy on a look-alike domain cannot obtain a valid signature | FastPass + WebAuthn/FIDO2 + Passkeys
MFA fatigue / push bombing | Repeated push notifications until the user accidentally approves | Number matching on push notifications. Rate limiting on factor challenges. | Okta Verify (number matching) + Sign-On Policy
Deepfake impersonation | AI-generated video/voice to impersonate users during identity verification | Verifiable credentials with cryptographic proof. Biometric liveness detection. | CIC Verifiable Credentials + Bot Detection
Orphaned / stale accounts | Former employees retaining access after offboarding | Automated de-provisioning on HR termination event. ISPM detects stale accounts. | Lifecycle Mgmt + ISPM + OIG Certifications
Over-provisioned access | Users accumulating permissions over time (entitlement creep) | Access certification campaigns. Usage-based recommendations. Entitlement analytics. | OIG + ISPM + Least Privilege Recommendations
Privilege escalation | Attackers gaining admin access via a compromised lower-privilege account | JIT elevation with time-bound access. Session recording. Admin MFA enforcement. | OPA + Sign-On Policy + ISPM (admin MFA detection)
Shadow AI agents | Employees granting OAuth access to unsanctioned AI tools | Browser plugin detects OAuth consents. Maps agent blast radius. Alert + remediation. | ISPM Agent Discovery + Okta Workflows
NHI credential theft | Stolen API keys, service account passwords, OAuth tokens | Credential vaulting + automatic rotation + JIT elevation for service accounts | OPA + Service Accounts API + ISPM NHI View
SSO bypass | Direct app login circumventing SSO, avoiding MFA and policy enforcement | ISPM detects apps with SSO bypass paths. Alerts on non-integrated SSO providers. | ISPM (hidden IdP detection) + Sign-On Policy
Supply chain (agent) | Compromised AI agent framework injecting malicious actions | Agent identity verification + scoped, time-bound tokens + audit trails; controls mapped to the OWASP LLM Top 10 (LLM06 Excessive Agency) | XAA + OIG + ISPM + Universal Directory
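Two rows of the table (MFA fatigue and credential stuffing) describe attacks that are visible in the Okta System Log before any product control fires, so a SOC will usually want its own detection on the exported events. The following is an added example, not Okta's ThreatInsight or sign-on policy logic: two sliding-window detectors run over constructed System Log records. The eventType names are taken from Okta's event catalog; the records themselves are fabricated and reduced to the fields the detectors read.

```python
"""Added example (not Okta's ThreatInsight or Sign-On Policy logic): push
bombing and credential stuffing detection over constructed System Log events."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_EVENTS = {"system.push.send_factor_verify_push", "user.mfa.okta_verify.deny_push"}

def _ts(published: str) -> datetime:
    return datetime.fromisoformat(published.replace("Z", "+00:00"))

def _event(published, event_type, actor, ip, result="SUCCESS", reason=None) -> dict:
    """Constructed System Log record carrying only the fields used below."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "outcome": {"result": result, "reason": reason}}

def _first_burst(stamps: list[datetime], threshold: int, window: timedelta) -> int:
    """Size of the first sliding window that reaches `threshold` events, else 0."""
    stamps = sorted(stamps)
    for i, t0 in enumerate(stamps):
        n = sum(1 for t in stamps[i:] if t - t0 <= window)
        if n >= threshold:
            return n
    return 0

def detect_push_bombing(events, threshold=3, window=timedelta(minutes=5)) -> list[dict]:
    """MFA fatigue: at least `threshold` Okta Verify pushes sent to, or denied by,
    one user inside the window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["eventType"] in PUSH_EVENTS:
            by_user[e["actor"]["alternateId"]].append(_ts(e["published"]))
    alerts = []
    for user, stamps in by_user.items():
        n = _first_burst(stamps, threshold, window)
        if n:
            alerts.append({"rule": "mfa_push_bombing", "user": user, "count": n})
    return alerts

def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=10)) -> list[dict]:
    """One source IP failing password authentication against at least `min_users`
    distinct accounts inside the window. Counting accounts, not attempts, keeps a
    single user mistyping their password out of the alert."""
    by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        o = e["outcome"]
        if (e["eventType"] == "user.session.start" and o["result"] == "FAILURE"
                and o["reason"] == "INVALID_CREDENTIALS"):
            by_ip[e["client"]["ipAddress"]].append((_ts(e["published"]), e["actor"]["alternateId"]))
    alerts = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_stuffing", "ip": ip, "distinct_users": len(users)})
                break
    return alerts

# Constructed events: a push-bombing burst against jdoe, one benign push to
# asmith, a spray of six accounts from one IP, and one ordinary typo.
EVENTS = [
    _event("2025-06-01T09:00:00Z", "system.push.send_factor_verify_push", "jdoe@corp.com", "203.0.113.5"),
    _event("2025-06-01T09:00:40Z", "user.mfa.okta_verify.deny_push", "jdoe@corp.com", "203.0.113.5", "FAILURE"),
    _event("2025-06-01T09:01:10Z", "system.push.send_factor_verify_push", "jdoe@corp.com", "203.0.113.5"),
    _event("2025-06-01T09:01:55Z", "system.push.send_factor_verify_push", "jdoe@corp.com", "203.0.113.5"),
    _event("2025-06-01T09:30:00Z", "system.push.send_factor_verify_push", "asmith@corp.com", "198.51.100.20"),
] + [
    _event(f"2025-06-01T10:00:{i:02d}Z", "user.session.start", f"user{i}@corp.com", "198.51.100.7",
           "FAILURE", "INVALID_CREDENTIALS")
    for i in range(6)
] + [
    _event("2025-06-01T10:05:00Z", "user.session.start", "bob@corp.com", "203.0.113.9",
           "FAILURE", "INVALID_CREDENTIALS"),
]

if __name__ == "__main__":
    for alert in detect_push_bombing(EVENTS) + detect_credential_stuffing(EVENTS):
        print(alert)
```

On real exports the same two functions run over `GET /api/v1/logs` output or a SIEM feed; the thresholds are the tuning knobs, and the push-bombing rule pairs naturally with the number-matching control in the table, since number matching stops the approval but the burst itself is still the signal that a password has been compromised.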

Full Product Capability Matrix

Every capability organized by product domain

Workforce Identity Cloud
SSO
SAML, OIDC, WS-Fed. Custom pages. Session mgmt.
Adaptive MFA
Okta Verify, WebAuthn, FIDO2, SMS, email, keys.
FastPass
Phishing-resistant passwordless. Device-bound.
Device Trust
MDM/UEM posture. CrowdStrike, Jamf, Intune.
Universal Directory
Profile mastering, custom schemas, sourcing.
Lifecycle Mgmt
HR-driven JML. 8,200+ app provisioning.
Workflows
No-code. 80+ connectors. Event hooks.
Identity Governance
Reviews, certs, entitlements, SoD. Terraform.
Privileged Access
JIT, vault, SSH/RDP, sessions. NHI 2026.
AD/LDAP Bridge
Delegated auth, password sync, group import.
API Access Mgmt
Custom auth servers, scopes, claims, policies.
ThreatInsight
IP rep, credential stuffing, proactive lockout.
Customer Identity Cloud (Auth0)
Universal Login
Social connections. Passkeys. Progressive profiling.
Actions
Serverless hooks at login, registration, and token exchange.
Organizations
B2B multi-tenant. Per-org branding, connections, and MFA policies.
FGA (OpenFGA)
ReBAC. Zanzibar-style tuples.
Bot Detection
AI fraud. Credential stuffing. Deepfake.
Credential Guard
Breached password detection.
Verifiable Creds
W3C VC. Tamper-proof. Anti-fraud.
M2M Auth
Client credentials flow. Token exchange.
Log Streams
Real-time to Datadog, Splunk, S3.
RBAC
Role-based. API-scoped permissions.

Okta for AI Agents — 4-Stage Lifecycle

Securing AI agents as first-class identities in the identity security fabric (GA April 2026)

Okta's AI agent security framework answers three critical questions: Where are my agents? (discover sanctioned and shadow agents), What can they connect to? (authorize with scoped, time-bound tokens via XAA), and What can they do? (govern with OIG audit trails and ISPM monitoring). The framework treats every agent — from Salesforce Agentforce bots to custom LangChain agents — as a managed identity with the same lifecycle, governance, and observability as human users.
Stage 1 — Detect & Discover
ISPM Agent Discovery + NHI inventory + shadow AI detection
ISPM Agent Discovery
Browser plugin captures OAuth consent events. Maps client→resource app relationships. Detects unsanctioned shadow agents. Surfaces agents with permissions to critical data. Expanding to Copilot Studio and Agentforce in FY27 Q1.
Shadow AI · OAuth Telemetry · Browser Plugin
NHI Inventory
Single view of all non-human identity types across SaaS, IdP, IaaS, and on-prem AD. Automated risk classification and ownership attribution. Flags when multiple agents share the same credentials.
Risk Score · Ownership · Blast Radius
Register discovered agents
Stage 2 — Provision & Register
Universal Directory + Agent OIN + lifecycle automation
Register in Universal Directory
Register agents with risk classification, ownership, purpose, and scope. Same profile management as human identities. Agent OIN integrations for Agentforce, Copilot Studio, Vertex AI, Boomi, DataRobot.
Lifecycle Automation
Automated provisioning and decommissioning. Credential rotation policies. Expiration-based access with auto-revocation. Okta Workflows for custom onboarding sequences.
Apply access policies
Stage 3 — Authorize & Protect
XAA scoped tokens + OPA for static credentials
Cross App Access (XAA)
Open protocol replacing static credentials with delegated OAuth 2.0. Scoped, time-bound tokens. Vendor-neutral — works across agent platforms.
OPA for Agent Credentials
For agents that can't use XAA: OPA vaults static credentials, provides JIT elevation, automatic rotation. Ensures least privilege even with legacy auth.
Continuous monitoring
Stage 4 — Govern, Monitor & Respond
OIG certification + ISPM drift detection + SIEM export
OIG Agent Governance
Access certification campaigns for agent entitlements. Comprehensive audit trails for all agent actions. SoD enforcement across human + agent permissions. Terraform-managed.
Continuous Posture
ISPM validates agent posture continuously. Detects permission drift, unused grants, over-privileged agents. Auto-remediation via Workflows event hooks. SIEM export for SOC.

Non-Human Identity Framework

Every NHI type, risk profile, and Okta security control

Commonly cited industry estimates put non-human identities at roughly 45:1 over human users in a typical enterprise. They include service accounts (often with static passwords and no MFA), API keys/tokens (long-lived, broadly scoped), AI agents (operating at machine speed with high privileges), RPA bots (bypassing SSO), cloud workloads (AWS roles, Azure Managed Identities), and break-glass accounts (emergency access with god-mode privileges). Okta's platform now brings each type into the identity security fabric with consistent visibility, governance, and automation.
NHI Types & Attack Surface
Service Accounts
Shared, non-federated. Static passwords. No MFA. Excessive privileges. ISPM detects, OPA vaults.
API Keys & Tokens
Long-lived credentials. No expiration, no rotation, broad scope. OPA rotates, ISPM monitors usage.
AI Agents
Autonomous. Machine speed. High privileges. Ephemeral lifecycles. Secured via XAA + Universal Directory.
RPA Bots
UiPath, Power Automate. Bypass SSO/MFA. Need identity lifecycle management.
Cloud Workloads
AWS IAM roles, Azure Managed Identities, GCP service accounts. OPA extending to IaaS in 2026.
Break-Glass Identities
Emergency access. Must be vaulted, monitored, post-use reviewed. OPA provides JIT elevation.
NHI Security Controls (Okta Products)
ISPM → Discover & Assess
Continuous discovery across all connected systems. Risk scoring by privilege, staleness, MFA status, usage. Surfaces orphaned accounts and over-provisioned tokens.
Universal Directory → Register
NHIs as managed identities with ownership, purpose, classification. Custom schema extensions for NHI attributes.
OPA → Vault & Elevate
Credential vaulting. JIT elevation. Auto-rotation. Session recording for privileged NHI access.
OIG → Certify & Govern
Certification campaigns for NHI entitlements. Auto-deprovision orphaned NHIs based on ISPM signals.

ISPM — Deep Dive

Detections, integrations, remediation workflows, and compliance reporting

Core Capabilities
Detections
Admin MFA not enforced, stale admin accounts, SSO bypass paths, orphaned users, over-provisioned identities, unused permissions, hidden IdPs (e.g., unmonitored Entra alongside Okta), shared agent credentials, password-only accounts.
MFA Gaps · Stale Admins · SSO Bypass · Orphaned · Shadow IdP
Data Sources
Okta WIC, Entra ID, Google Workspace, Active Directory (on-prem via AD Agent, 3-click setup), GitHub, GitLab, Jira, 300+ OIN SCIM apps. Connector health monitoring with in-line credential editing.
Okta · Entra · Google · AD · 300+ SCIM
Auto-Remediation
Okta Workflows templates via ISPM event hooks: privileged account lockdown, stale credential rotation, orphaned account deprovisioning, MFA enforcement.
Event Hooks · Workflows · Auto-Fix
Compliance Reporting
Exportable reports by segment, role, group. Risk-prioritized dashboard with guided remediation. Evidence for SOX, SOC2, GDPR, NIS2, DORA.
SOX · SOC2 · GDPR · Export
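The detections listed above are simple to state and worth having as code a team can run over its own inventory export while waiting on a product. This is an added example, not ISPM's detection logic: it evaluates five of the listed checks (admin MFA not enforced, admin without a phishing-resistant factor, stale admin, orphaned account, password-only account) plus two NHI checks from the framework section (shared credential, credential not rotated) over a constructed inventory. The record fields (`admin`, `factors`, `last_login`, `credential_id`, and so on) are invented for the example and are not Okta API field names.

```python
"""Added example (not ISPM's detection logic): identity posture checks over a
constructed inventory of users and non-human identities."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PHISHING_RESISTANT = {"webauthn", "okta_verify_fastpass"}   # factor types treated as phishing-resistant here
STALE_AFTER = timedelta(days=90)
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

def _d(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def _f(severity: str, rule: str, subject: str) -> dict:
    return {"severity": severity, "rule": rule, "subject": subject}

def assess(users: list[dict], nhis: list[dict], hr_terminated: set[str], now: datetime) -> list[dict]:
    """Return findings sorted by severity, then rule, then subject."""
    findings: list[dict] = []
    for u in users:
        factors = set(u["factors"])
        if u["status"] == "ACTIVE" and u["login"] in hr_terminated:
            findings.append(_f("CRITICAL", "orphaned_account", u["login"]))   # still active after offboarding
        if not factors:
            if u["admin"]:
                findings.append(_f("HIGH", "admin_mfa_not_enforced", u["login"]))
            else:
                findings.append(_f("MEDIUM", "password_only_account", u["login"]))
        elif u["admin"] and not factors & PHISHING_RESISTANT:
            findings.append(_f("HIGH", "admin_without_phishing_resistant_mfa", u["login"]))
        if u["admin"] and now - _d(u["last_login"]) > STALE_AFTER:
            findings.append(_f("HIGH", "stale_admin", u["login"]))
    by_credential: dict[str, list[str]] = defaultdict(list)
    for n in nhis:
        by_credential[n["credential_id"]].append(n["name"])
        if now - _d(n["last_rotated"]) > STALE_AFTER:
            findings.append(_f("MEDIUM", "nhi_credential_not_rotated", n["name"]))
    for names in by_credential.values():
        if len(names) > 1:   # several agents or service accounts presenting the same secret
            findings.append(_f("HIGH", "shared_nhi_credential", ",".join(sorted(names))))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["rule"], f["subject"]))

def summary(findings: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)

# Constructed inventory.
NOW = _d("2025-06-01T00:00:00")
HR_TERMINATED = {"exjoe@corp.com"}
USERS = [
    {"login": "admin1@corp.com", "admin": True, "status": "ACTIVE", "factors": ["sms"],
     "last_login": "2025-05-30T00:00:00"},                      # admin relying on SMS only
    {"login": "admin2@corp.com", "admin": True, "status": "ACTIVE", "factors": ["webauthn"],
     "last_login": "2025-01-15T00:00:00"},                      # admin unused for months
    {"login": "svc-legacy@corp.com", "admin": False, "status": "ACTIVE", "factors": [],
     "last_login": "2025-05-31T00:00:00"},                      # password-only account
    {"login": "exjoe@corp.com", "admin": False, "status": "ACTIVE", "factors": ["okta_verify_push"],
     "last_login": "2025-05-01T00:00:00"},                      # terminated in HR, still active
    {"login": "fine@corp.com", "admin": False, "status": "ACTIVE", "factors": ["webauthn"],
     "last_login": "2025-05-31T00:00:00"},
]
NHIS = [
    {"name": "agent-a", "credential_id": "key-123", "last_rotated": "2025-05-20T00:00:00"},
    {"name": "agent-b", "credential_id": "key-123", "last_rotated": "2025-05-20T00:00:00"},   # shares key-123
    {"name": "svc-backup", "credential_id": "key-999", "last_rotated": "2024-11-01T00:00:00"},
]

if __name__ == "__main__":
    results = assess(USERS, NHIS, HR_TERMINATED, NOW)
    for f in results:
        print(f"{f['severity']:<9}{f['rule']:<40}{f['subject']}")
    print(summary(results))
```

The ordering matters operationally: the orphaned account sorts first because it is an access-revocation failure rather than a hardening gap, which is the same prioritization the risk-ranked dashboard above applies.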

Okta API Reference

Management APIs v1 · OAuth 2.0 / OIDC · Authentication API

Method | Endpoint | Description | Scope
POST | /api/v1/users?activate=true | Create and activate user | okta.users.manage
GET | /api/v1/users?search=profile.email eq "x" | Search users (SCIM-style filter expression) | okta.users.read
GET | /api/v1/users/{userId} | Get user by ID | okta.users.read
PUT | /api/v1/users/{userId} | Full profile update (use POST for a partial update) | okta.users.manage
POST | /api/v1/users/{userId}/lifecycle/deactivate | Deactivate user | okta.users.manage
DELETE | /api/v1/users/{userId} | Delete user (must already be deactivated) | okta.users.manage
POST | /api/v1/groups | Create group | okta.groups.manage
PUT | /api/v1/groups/{groupId}/users/{userId} | Add user to group | okta.groups.manage
GET | /api/v1/apps | List applications | okta.apps.read
POST | /api/v1/apps/{appId}/users | Assign user to app (body carries the user's id) | okta.apps.manage
GET | /api/v1/users/{userId}/factors | List enrolled factors | okta.users.read
POST | /api/v1/users/{userId}/factors | Enroll new factor | okta.users.manage
GET | /api/v1/policies?type={type} | List policies by type | okta.policies.read
GET | /api/v1/logs?filter=eventType eq "x" | Query system log | okta.logs.read
POST | /oauth2/{authServerId}/v1/token | Token endpoint | Per auth server
GET | /oauth2/{authServerId}/v1/authorize | Authorize endpoint | Per auth server
POST | /api/v1/authn | Primary authentication (Classic Engine Authentication API) | Public
GET | /api/v1/authorizationServers | List auth servers | okta.authorizationServers.read

Identity Use Case Scenarios

End-to-end scenarios across workforce, customer, AI, governance, and security domains

WIC-01
Employee Onboarding (JML)
HR creates record in Workday → Okta auto-provisions via SCIM → assigns groups by dept → provisions apps (Slack, Jira, Salesforce) → enrolls MFA → sends activation.
Workday → UD → Group Rules → OIN SCIM → MFA → Activation
WIC-02
Adaptive MFA + Device Trust
Login from new device + unusual location → risk engine triggers FIDO2 key step-up → Device Trust checks MDM → access only if managed device passes all checks.
Login → Risk Engine → Step-Up → Device Trust → Access
GOV-01
Zero Standing Privilege
Admin requests elevation → OIG approval workflow → OPA grants 4hr JIT access → session recorded → auto-revoke at expiry → full audit trail.
Request → OIG → OPA JIT → Record → Revoke → Audit
GOV-02
Quarterly Access Review
OIG launches cert campaign → managers review reports' entitlements → auto-revoke rejected → compliance evidence → GRC export.
Campaign → Review → Revoke → Evidence → GRC
CIC-01
Customer Social Login
Sign up with Google → Auth0 federates → progressive profile captures phone → Adaptive MFA → custom Action enriches → FGA authorizes.
Social IdP → Login → Profile → MFA → FGA
CIC-02
B2B SaaS Multi-Tenancy
Enterprise connects Entra via SAML → Auth0 Organizations routes to their IdP → per-org MFA → FGA controls feature access per plan tier.
Enterprise SSO → Org → MFA → FGA → Tier Access
AI-01
Secure Agent Deployment
Deploy Agentforce bot → register in UD via OIN → XAA scoped token to CRM → OIG certifies quarterly → ISPM monitors drift.
Deploy → OIN → XAA → OIG → ISPM
AI-02
Shadow AI Detection
Employee grants OAuth to unsanctioned AI → browser plugin captures → agent mapped with blast radius → alert → remediation workflow.
OAuth → Plugin → ISPM → Map → Remediate
ISPM-01
Hybrid AD Posture Audit
ISPM connects to on-prem AD → discovers 47 stale service accounts → maps nested group paths → compares with Entra → risk remediation plan.
AD Connect → Discover → Map → Diff → Fix
NHI-01
Service Account Lifecycle
Create via Service Accounts API → OPA vaults credential → ISPM monitors → 90 days inactive → auto-flag stale → OIG decertify → deprovision.
Create → Vault → Monitor → Flag → Decertify → Remove
ZT-01
Phishing-Resistant Access
All employees enrolled in FastPass → sign-on policy requires device-bound key → phishing pages can't capture credentials → zero password exposure.
FastPass Enroll → Policy Enforce → Phishing Immune
ZT-02
Contractor Offboarding
Contract end date in HR → Lifecycle Mgmt auto-deactivates → all app access revoked → ISPM verifies no residual access → OIG generates evidence.
HR Date → Deactivate → Revoke → Verify → Evidence

Compliance & Standards Framework Mapping

How Okta capabilities map to major regulatory and security frameworks

Framework | Requirement Area | Okta Capability | Evidence Source
NIST 800-63B | Authenticator assurance levels (AAL1-3) | FastPass and hardware-bound WebAuthn/FIDO2 (AAL3 when the key is hardware-protected and user verification is enforced); synced passkeys and Okta Verify push/TOTP combined with a password (AAL2); password alone (AAL1). SMS and email OTP are restricted authenticators under 800-63B. | Sign-on policy config + system log
NIST Zero Trust (800-207) | Continuous verification, least privilege, micro-segmentation | Adaptive MFA + Device Trust + per-app policies + Thre atInsight + OPA JIT | Policy config + ISPM posture report
CIS Controls v8 | Control 5: Account management, Control 6: Access control | Lifecycle Mgmt (JML) + OIG (certifications) + ISPM (posture) + OPA (privilege) | OIG reports + ISPM dashboards
ISO 27001:2022 | A.5.15-5.18: Access control, identity management | Universal Directory + SSO + MFA + OIG + ISPM + System Log | Full audit trail + cert reports
SOX (Sarbanes-Oxley) | Access reviews, SoD, audit trail | OIG certification campaigns + SoD policies + system log + ISPM compliance reports | OIG cert evidence + log exports
SOC 2 Type II | Logical access, monitoring, change management | SSO + MFA + OIG + system log + ISPM + OPA session recording | System log SIEM export + OIG reports
GDPR | Data minimization, right to erasure, consent management | Lifecycle Mgmt (auto-deprovision) + CIC consent flows + Universal Directory (data cleanup) | Lifecycle audit + consent records
NIS2 (EU) | Risk management, incident reporting, supply chain security | ISPM (continuous risk) + system log (incident evidence) + NHI controls (supply chain) | ISPM reports + SIEM + NHI inventory
DORA (EU Financial) | ICT risk, operational resilience, third-party oversight | ISPM (ICT risk) + OIG (third-party access reviews) + system log (resilience evidence) | ISPM + OIG + system log exports
OWASP LLM Top 10 | LLM01 (Prompt Injection), LLM06 (Excessive Agency) | XAA scoped tokens + ISPM agent discovery + OIG agent governance + RBAC/ABAC | XAA audit trail + ISPM + OIG

Deloitte IAM Framework → Okta Mapping

Deloitte Digital Identity + Cyber Identity domains mapped to Okta platform capabilities

Deloitte's IAM framework is business-process-oriented — it focuses on where digital identities live, what they can access, and which job functions they correspond to. Their approach spans IGA, PAM, AM, and CIAM as integrated pillars, delivered through a proven methodology with 20+ years of implementation experience. The framework is vendor-agnostic, but Okta is listed as a primary technology partner alongside SailPoint, CyberArk, and ForgeRock.
Deloitte Framework Domain | Domain Scope | Okta Product Mapping | Okta Capabilities
Identity Lifecycle Management | JML. HR-driven provisioning. Onboarding/offboarding automation. | Universal Directory + Lifecycle + Workflows | HR mastering, SCIM to 8,200+ apps, no-code JML.
Access Management & SSO | Federation, SSO, Adaptive MFA, passwordless, device trust. | SSO + Adaptive MFA + FastPass + Device Trust | SAML/OIDC federation, risk MFA, passwordless, EDR.
Identity Governance (IGA) | Access reviews, certifications, entitlements, SoD, role mining. | Okta Identity Governance (OIG) | Requests, certs, entitlements, SoD. Terraform. NHI 2026.
Privileged Access Mgmt (PAM) | Vaulting, JIT, session recording, break-glass, workload ID. | Okta Privileged Access (OPA) | Vault, JIT, SSH/RDP gateway, sessions. Workload 2026.
Consumer IAM (CIAM) | Social login, fraud detection, B2B multi-tenancy, consent. | Customer Identity Cloud (Auth0) | Universal Login, Actions, FGA, Orgs, Bot Detect, VCs.
Zero Trust Architecture | Continuous verification, device posture, least privilege. | FastPass + Device Trust + ThreatInsight + MFA | Continuous verify, posture, IP rep, conditional access.
Non-Human Identity Security | Service accounts, API keys, AI agents, machine identity. | Okta for AI Agents + ISPM + OPA + Svc Accts API | XAA, Agent Discovery, NHI view, vaulting, agent OIN.
Identity Security Posture | Continuous assessment, misconfiguration, remediation. | ISPM | User/Org Graph, AD integration, shadow AI, auto-remediate.
Compliance & Audit | SOX, SOC2, GDPR, DORA, NIS2 evidence and reporting. | System Log + OIG Reports + SIEM + ISPM Reporting | Audit trail, cert evidence, log streaming, GRC packages.

Deloitte Digital Identity+ Pillars

Deloitte Pillar | Description | Okta Product(s) | Maturity
Identity Orchestration | Hire-to-Retire lifecycle — right access, right people, right time | Universal Directory + Lifecycle + Workflows | GA — Mature
Access Management | SSO + MFA + passwordless for simple yet secure workforce access | SSO + Adaptive MFA + FastPass + Device Trust | GA — Mature
Access Governance | Certifications, remediation, audit-proof processes, continuous monitoring | Okta Identity Governance (OIG) | GA — Growing
Privileged Access | "Keys to the kingdom" — elevated access workflows, session monitoring | Okta Privileged Access (OPA) | GA — Expanding NHI
Pre-Integrated Platform | IGA + AM + PAM pre-integrated to accelerate time to value | Okta Platform (unified WIC + OIG + OPA) | GA — Native
AI + NHI Security | Securing digital workforce — agents, bots, service accounts | Okta for AI Agents + ISPM + XAA | EA/GA Apr 2026
Managed Operations | 24/7 service management, change mgmt, optimization | Admin Console + Terraform + API | GA — Full API

Decision Trees — Which Pattern Should I Use?

Guidance for choosing the right authentication and authorization approach

Authentication pattern selection: The right choice depends on your use case (workforce vs. customer vs. machine), your security requirements (phishing resistance, compliance level), and your application type (web app, SPA, mobile, API). Use the decision trees below to navigate to the recommended pattern.
Which authentication flow should I use?

Who is authenticating? → Employee/Partner, Customer, or Machine/Agent

  Employee/Partner → Need phishing resistance?
    Yes → FastPass / FIDO2
    No → Adaptive MFA
  Employee/Partner → App type?
    SAML app → SAML 2.0 SSO
    Modern app → OAuth + PKCE

  Customer → App type?
    SPA → Auth Code + PKCE
    Mobile → Auth Code + PKCE
  Customer → B2B enterprise customers?
    Yes → Organizations + SAML/OIDC
    No → Universal Login

  Machine/Agent → What kind?
    AI agent → XAA
    Service → Client Creds
  Machine/Agent → Static credentials?
    Yes → OPA vault + rotate
    No → OAuth 2.0 CC flow
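The "SPA → Auth Code+PKCE" and "Mobile → Auth Code+PKCE" branches above, worked through as an added example (this is not code from the Okta documentation or SDKs): it generates the RFC 7636 verifier/challenge pair, builds the /v1/authorize request with state and nonce, and validates the redirect back before the code is exchanged. The issuer, client_id and redirect URI are placeholders, and the optional acr_values hook for phishing-resistant step-up is an assumption to confirm against your org's configuration.

```python
"""Authorization Code + PKCE request/callback handling for a public client.

Added example, not Okta SDK code. ISSUER, CLIENT_ID and REDIRECT_URI are
placeholders (assumptions). Implements the RFC 7636 S256 method and the
state check a relying party must perform on the redirect back.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders, not real values: replace with your org's authorization server.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier of 43..128 unreserved chars; 32 bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass(frozen=True)
class PendingAuth:
    """Per-login values the client keeps until the redirect returns
    (sessionStorage for a SPA, secure storage on mobile)."""
    state: str
    nonce: str
    code_verifier: str


def build_authorize_url(scopes=("openid", "profile", "email"), acr_values=None):
    """Return (authorize_url, pending). acr_values is optional; Okta documents
    values such as 'phr' for phishing-resistant step-up, but the exact value
    is an assumption here and should be checked against your org's docs."""
    pending = PendingAuth(
        state=secrets.token_urlsafe(24),
        nonce=secrets.token_urlsafe(24),
        code_verifier=make_code_verifier(),
    )
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": pending.state,
        "nonce": pending.nonce,
        "code_challenge": code_challenge_s256(pending.code_verifier),
        "code_challenge_method": "S256",
    }
    if acr_values:
        params["acr_values"] = acr_values
    return f"{ISSUER}/v1/authorize?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: PendingAuth) -> dict:
    """Validate the redirect and return the form body for POST {ISSUER}/v1/token.
    Raises ValueError on an error response, a missing code, or a state mismatch.
    There is no client_secret: the code_verifier is the proof of possession."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [None])[0]
    # Constant-time compare; a mismatch means the response was not the one we
    # started, so it is discarded rather than exchanged.
    if state is None or not hmac.compare_digest(state.encode(), pending.state.encode()):
        raise ValueError("state mismatch: discard this response")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": pending.code_verifier,
    }
```

The token request body is the same for SPA and mobile because neither holds a client secret; the ID token that comes back should then have its nonce compared to pending.nonce before the session is established.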
Which MFA factor should I require?
Highest assurance (AAL3)
FastPass (device-bound key + biometric) or hardware FIDO2 key (YubiKey). Use for: admin access, financial systems, regulated data, Zero Trust mandates.
Recommended · FastPass · FIDO2
Strong assurance (AAL2)
Okta Verify push (with number matching) or platform WebAuthn (Touch ID, Windows Hello). Use for: general workforce access, most SaaS apps.
Okta Verify Push · WebAuthn
Basic assurance (AAL1)
Okta Verify TOTP or email OTP. Use for: low-sensitivity apps, self-service portals, step-down from higher factors.
TOTP · Email OTP
Avoid if possible
SMS OTP (SIM swap risk), security questions (guessable). Only use as fallback recovery, never as primary factor. Phase out in new deployments.
SMS ⚠ · Questions ⚠ · Fallback Only
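Once the factor tiers above are configured in the sign-on policy, a relying party can still verify on each session which factors were actually used. The following is an added example, not Okta code: it classifies an ID token's amr claim (RFC 8176 value names) into the tiers above and decides whether the app must send the user back for step-up. The mapping of amr combinations onto AAL1/2/3 is this example's own assumption and should be aligned with your policy; signature, issuer and audience validation of the token is assumed to have happened before these claims are trusted.

```python
"""Assurance-tier check on an OIDC ID token's amr and auth_time claims.

Added example, not Okta product code. amr values follow RFC 8176; the
tier mapping below is an assumption to be aligned with the org's sign-on
policy. Token signature/issuer/audience checks are assumed already done.
"""
from __future__ import annotations
import time

# RFC 8176 method names grouped by factor category (assumed grouping).
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"hwk", "swk", "otp", "sms", "tel", "sc", "pop"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}
# Factors the guidance above treats as fallback only: they do not count
# toward a tier, but their use is reported so the app can log or alert.
WEAK = {"sms", "tel", "kba"}

RANK = {"NONE": 0, "AAL1": 1, "AAL2": 2, "AAL3": 3}


def classify_amr(amr) -> tuple[str, list[str]]:
    """Return (tier, weak_factors_used).

    AAL3: hardware-bound key ('hwk') plus a knowledge or inherence factor,
          i.e. a multi-factor cryptographic device (FastPass, FIDO2 with UV).
    AAL2: two distinct non-weak factor categories (e.g. pwd + otp, fpt + swk).
    AAL1: any single factor, or strong factors only alongside weak ones.
    """
    used = set(amr or [])
    weak = sorted(used & WEAK)
    strong = used - WEAK
    if "hwk" in strong and strong & (KNOWLEDGE | INHERENCE):
        return "AAL3", weak
    categories = sum(bool(strong & group) for group in (KNOWLEDGE, POSSESSION, INHERENCE))
    if categories >= 2:
        return "AAL2", weak
    if used:
        return "AAL1", weak
    return "NONE", weak


def step_up_required(claims: dict, required: str, max_age_s: int = 900, now=None) -> bool:
    """True when the relying party must re-authenticate the user (e.g. by
    sending them back with stronger acr_values or prompt=login).

    Triggers on an insufficient tier or on an auth_time older than max_age_s,
    so a strong factor used hours ago does not silently satisfy a fresh
    high-assurance action.
    """
    now = time.time() if now is None else now
    tier, _weak = classify_amr(claims.get("amr"))
    if RANK[tier] < RANK[required]:
        return True
    auth_time = claims.get("auth_time")
    if auth_time is None or now - auth_time > max_age_s:
        return True
    return False
```

Because the weak-factor list is returned separately, an app that only requires AAL1 can still see that a login leaned on SMS or security questions and route those sessions to a recovery-only path rather than treating them as fully authenticated.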