Active Directory Integration with Okta

Post on 13-Nov-2021



Okta Inc., 301 Brannan Street, Suite 300, San Francisco, CA 94107

info@okta.com 1-888-722-7871

OKTA WHITE PAPER

Active Directory Integration with Okta: An Architectural Overview

wp-adint-113012


Table of Contents

Active Directory and the Cloud: An Overview
Active Directory and Cloud Applications with Okta
Okta Active Directory Integration for All Your Cloud Apps
Simple and Secure Setup and Configuration
Intelligent User Synchronization
Just-in-Time User Provisioning
Simple-to-Use Delegated Authentication
Desktop Single Sign-On
Self Service Password Reset Support
Security Group–Driven Provisioning
One-Click Deprovisioning
Single Sign-On for AD Authenticated Apps
Conclusion—Extend Active Directory to the Cloud with Okta
Okta Active Directory Agent Details
Okta IWA Web Application Details
About Okta


Active Directory and the Cloud: An Overview

For most companies, Microsoft Active Directory (AD) plays the central role in coordinating identity and access management policies. AD typically serves as a “source of truth” for user identities, and it provides access control to on-premises resources such as networks, file servers, and web applications (see Figure 1). When on-premises applications are integrated to Active Directory, users get the best possible experience: they log in to their domain once and are granted access to the appropriate resources. Administrators benefit too—they maintain clear control over who has access to what. This model is ubiquitous because it works well with LAN-based architectures (where applications are served from hardware inside the firewall). But as we’ll show, this approach begins to break down as enterprises shift to cloud-based applications, and a new solution is needed.

Figure 1: Active Directory for on-premises application user identities

A byproduct of the transition to cloud applications is the proliferation of separate user stores; each cloud application typically is rolled out independently and therefore has its own unique database of user credentials (see Figure 2). This is a minor nuisance with only one or two applications, but as companies adopt more and more cloud applications, administrators are faced with an unmanageable number of different user directories. And this problem is only getting bigger. Users’ passwords proliferate with each new application, and administrators quickly lose control over who has access to what. Worse still, when an employee leaves, most companies cannot easily and accurately identify which accounts to deactivate, nor do they have any auditing capabilities to ensure the necessary deprovisioning occurs in a timely manner.


Figure 2: Adoption of cloud applications leads to proliferation of user stores

One solution to the problem of independent user store proliferation is to attempt to integrate all cloud applications to a single, shared identity store (see Figure 3). Active Directory is by far the most convenient option for this, as it can provide identity management for both on-premises and cloud-based applications. Some cloud application vendors provide APIs or toolkits that allow enterprises to try to connect the application’s standalone identity stores to Active Directory. However, integration via APIs requires custom development, and each of the toolkits is different and can often require significant investment in setup, equipment (hardware to run the connector software), and maintenance as the applications change over time. As the number of cloud applications increases, this model of per-app AD integrations becomes prohibitively expensive. There is always the next new application that the business needs to run.

Figure 3: Integrating AD with multiple cloud applications is costly and difficult to maintain

Active Directory and Cloud Applications with Okta

Okta’s cloud-based identity and access management service solves these problems with a single integration point that provides a highly available solution for all cloud and web-based application AD integrations.

Okta eliminates the pitfalls that come with trying to build and manage multiple on-premises AD integrations yourself:

Pitfall of DIY AD integrations: Do you have the correct skill set to develop these integrations?
Okta approach: With Okta, integrations do not require programming or development experience and can be accomplished in minutes through our easy-to-use interface.

Pitfall of DIY AD integrations: How will you upgrade and maintain integrations?
Okta approach: Okta works with ISVs and monitors changes and upgrades to existing APIs to take advantage of the latest functionality; we release updates weekly to reflect changes.

Pitfall of DIY AD integrations: How do you monitor the health of the integration?
Okta approach: Okta continuously monitors and tests existing integrations to ensure that the integration functions as expected after upgrades and releases.

Pitfall of DIY AD integrations: Which protocol will you use to connect to each cloud application?
Okta approach: Okta eliminates the need to know SAML, OAuth, SCIM, and numerous other integration protocols, because Okta manages these integrations for you.

Pitfall of DIY AD integrations: What happens when the server running your home-grown, toolkit-based integration fails?
Okta approach: Okta automatically enables failover recovery with a redundant-agent architecture.

Pitfall of DIY AD integrations: How will you integrate your cloud app with a multiple domain AD configuration?
Okta approach: Okta has built-in support for multiple AD domain environments.

Pitfall of DIY AD integrations: What firewall changes are needed for each cloud app-to-AD integration?
Okta approach: With Okta, there are no firewall changes needed to support AD integration.

Pitfall of DIY AD integrations: Can your users reset their AD password easily?
Okta approach: Okta includes a self service password reset option that saves users and IT admins time and money.

Once in place, Okta provides an infrastructure that allows companies to freely pursue new cloud applications while still leveraging Active Directory for their employee user identities. This allows users to access any cloud app using their existing AD credentials; it enables IT admins to control access to those applications from a single control panel; and it combines AD security groups with individual user assignments.


Okta Active Directory Integration for All Your Cloud Apps

Okta offers a complete and easy-to-use Active Directory integration solution for cloud and on-premises web applications. The Okta on-demand Identity and Access Management service provides user authentication, user provisioning and de-provisioning, and detailed analytics and reporting of application usage, for both cloud applications and on-premises web applications. A key component of this service is Okta’s AD integration capability, which is very easy to set up and is architected for high availability. In addition, Okta maintains the integrations for you, with thousands of applications supported in Okta’s Application Network.

For AD integration, Okta provides two lightweight and secure on-premises components:

• Okta Active Directory Agent: A lightweight agent that can be installed on any Windows Server and is used to connect to on-premises Active Directory for user provisioning, de-provisioning, and authentication requests.

• Okta Integrated Windows Authentication (IWA) Web Application: A lightweight web application that is installed on an Internet Information Services (IIS) server and is used to authenticate domain users via Integrated Windows Authentication.

The Okta AD Agent and the Okta IWA Web App combine with the Okta cloud service itself to form a highly available, easy to set up and maintain architecture that supports multiple use cases. This paper provides additional details about this flexible architecture.

Figure 4: Okta for Active Directory architecture: one integration for all web applications


Okta’s AD Integration offers the following:

• Simple and Secure Setup and Configuration

• Intelligent User Synchronization

• Just-in-Time User Provisioning

• Robust Delegated Authentication

• Integrated Desktop Single Sign-On (SSO)

• Self Service Password Reset Support

• AD Security Group-driven Provisioning

• Automated One-Click De-provisioning

• Single Sign-On for AD Authenticated Apps

Simple and Secure Setup and Configuration

With Okta, enabling AD integration is a simple wizard-driven process. With one click from the Okta administrative console, you can download the Okta Active Directory agent and install it on any Windows Server that has access to your Domain Controller. The Okta AD Agent runs on a separate server from your domain controller.

Figure 5: The Active Directory installation process


During installation, you simply enter your Okta URL and AD Administrator credentials and the Okta AD Agent creates a low-privileged, read-only integration account and then securely establishes a connection with your Okta instance—no network or firewall configuration required.

The Okta AD Agent connects to Okta’s cloud service using an outbound port 443 SSL connection. This connection is cycled every 30 seconds to ensure compatibility with any existing firewalls or other security devices. As a rule of thumb, if a user can log in to the host machine using AD credentials and can access the Internet from a browser, the Okta AD Agent will work successfully and will require no firewall changes.

Figure 6: Okta AD Agent connection is SSL encrypted over port 443. No firewall changes needed.

Communication with the Okta AD Agent is secured using SSL and mutual authentication, specifically:

• Okta AD Agent to Okta Service: The Agent authenticates the service by validating the Okta server SSL cert for mycompany.okta.com. The service authenticates the Agent using a security token given to the Agent on registration. The registration process requires Okta administrator credentials before generating the security token. The security token is specific to each Agent and can be revoked at any time.

• Okta AD Agent to Domain Controller: The Agent authenticates with the Domain Controller using the low-privileged, read-only integration account that was created during the agent install process.


Intelligent User Synchronization

Once the Okta AD Agent is installed and the initial user import takes place, Okta intelligently processes the results of the user import. Matching algorithms are applied to analyze the incoming AD users and to determine if there is a match to existing Okta users or to accounts that you have imported from other cloud systems (e.g., Google Apps). Future user imports can be set to a schedule or performed on demand.

Figure 7: The Active Directory import process

Adding a User

When a user is added to Active Directory, the new object is detected by the Okta AD Agent and automatically added to the Okta service. Only necessary fields are transmitted, including name, UPN, SAMAccountName, email address, and security group membership.

The Okta AD Agent never sends passwords to Okta’s cloud service. Existing accounts in managed apps such as Salesforce.com or WebEx can be imported and automatically matched against Active Directory users based on explicit rules or heuristic matching.
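The two properties described above, an allow-list of transmitted fields that excludes password material, and matching of incoming AD users against existing accounts by an explicit rule before falling back to a heuristic, can be modelled in a few dozen lines. The following Python is an added illustration and is not Okta’s agent code; the directory objects, the existing accounts, the attribute names and the name-based heuristic are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample AD objects (not real directory data). Attribute names follow
# the fields the paper lists; "unicodePwd" and "ntHash" stand in for any
# password-bearing attribute that must never leave the domain.
AD_OBJECTS = [
    {"name": "Alice Example", "userPrincipalName": "alice@corp.example",
     "sAMAccountName": "alice", "mail": "alice@corp.example",
     "memberOf": ["Sales", "Domain Users"], "unicodePwd": b"\x00secret"},
    {"name": "Bob Example", "userPrincipalName": "bob@corp.example",
     "sAMAccountName": "bob", "mail": "bob@corp.example",
     "memberOf": ["Domain Users"], "ntHash": "0123456789abcdef"},
    {"name": "Carol Example", "userPrincipalName": "carol@corp.example",
     "sAMAccountName": "carol", "mail": "carol@corp.example",
     "memberOf": [], "unicodePwd": b"\x00secret2"},
]

# Allow-list: the only attributes the agent may transmit to the service.
ALLOWED_FIELDS = ("name", "userPrincipalName", "sAMAccountName", "mail", "memberOf")

# Constructed records already in the service: one native user and one account
# previously imported from Google Apps.
EXISTING_ACCOUNTS = [
    {"login": "alice@corp.example", "email": "alice@corp.example", "source": "okta"},
    {"login": "bob.example@gapps.example", "email": "bob.example@gapps.example",
     "source": "google_apps"},
]


def project_for_transmission(ad_object: dict) -> dict:
    """Keep only allow-listed fields, so password material is dropped at the agent."""
    return {k: ad_object[k] for k in ALLOWED_FIELDS if k in ad_object}


def _letters(s: str) -> str:
    return re.sub(r"[^a-z]", "", s.lower())


def match_account(incoming: dict, existing: list) -> Optional[dict]:
    """Explicit rule first (UPN equals an existing login); otherwise a heuristic
    that compares the display name with the local part of an existing email."""
    upn = incoming["userPrincipalName"].lower()
    for rec in existing:
        if rec["login"].lower() == upn:
            return rec
    name_key = _letters(incoming["name"])
    for rec in existing:
        if _letters(rec["email"].split("@", 1)[0]) == name_key:
            return rec
    return None


def import_users(ad_objects=AD_OBJECTS, existing=EXISTING_ACCOUNTS) -> list:
    """One decision per AD object: link to a matched account or create a new one."""
    decisions = []
    for obj in ad_objects:
        projected = project_for_transmission(obj)
        match = match_account(projected, existing)
        decisions.append({
            "upn": projected["userPrincipalName"],
            "action": "link" if match else "create",
            "matched_login": match["login"] if match else None,
            "transmitted_fields": sorted(projected),
        })
    return decisions


if __name__ == "__main__":
    for decision in import_users():
        print(decision)
```

The projection runs before matching so that nothing outside the allow-list is ever available to the service side, and the explicit UPN rule is tried before the heuristic so that an ambiguous name match can never override an exact identifier match.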


Just-in-Time User Provisioning

As noted above, user provisioning is very simple when Okta’s AD integration is in place: any new users added to AD are automatically provisioned to Okta and to their designated cloud and web-based applications.

However, Okta has an additional option to provision users even faster: just-in-time provisioning. With just-in-time provisioning, IT admins can allow new users to be automatically created in Okta provided they already exist in Active Directory. In this way, valid AD users can provision themselves automatically into Okta (and to the appropriate cloud applications as a result).

The process for just-in-time provisioning is:

1. A user who previously was not provisioned in the Okta service attempts to log in to mycompany.okta.com.

2. Okta and the Okta AD Agent check the user credentials against Active Directory.

3. If the user is active in AD, a new user account is automatically created in Okta. The new user account leverages their existing AD credentials.

4. Depending on their AD security group attributes, the user is automatically provisioned to downstream cloud and web applications via the Okta service.

Just-in-time provisioning allows IT admins to increase user adoption of both the Okta service and of all assigned cloud applications, while leveraging the AD credentials that their users already know.

Simple-to-Use Delegated Authentication

Okta’s AD integration support also allows you to delegate the authentication of users into Okta to your on-premises AD Domain instead. That is, user login attempts to mycompany.okta.com will be checked against Active Directory for authentication. Users can then easily log in to Okta using their Okta username and Active Directory password.

More specifically, the process is:

1. The user types his username and password into the Okta user home page. This login page is protected with SSL and a security image to prevent phishing; multi-factor authentication (extra security question or smartphone soft token) can be enabled as well.

2. The username and password are transmitted to an Okta AD Agent running behind the firewall over the SSL connection that had previously been established during setup.


3. The Okta AD Agent passes those credentials to the AD Domain Controller for authentication.

4. The AD Domain Controller responds with a yes/no answer, validating the username and password.

5. The yes/no response is transmitted back to the Okta service by the Okta AD Agent. If yes, the user is authenticated and sent to his Okta My Applications user home page.

Figure 8: Delegated authentication to Active Directory

The user experience for Delegated Authentication to AD is simple:

1. Log in to Okta home page; launch app

2. Okta looks to AD to authenticate users

3. If valid, Okta SSOs into cloud apps

Because this feature governs user access into Okta, the architecture supports multiple Okta AD Agents running in your environment to provide redundancy. If one of the Okta AD Agents stops running or loses network connectivity, the authentication requests are automatically routed to the other Okta AD Agents.

With this authentication mechanism, the user’s password is never stored in the Okta service and Active Directory is maintained as the immediate and ultimate source for credential validation. Because AD is always relied upon for user authentication, changes to the user’s status (such as password changes or deactivations) are reflected immediately in the Okta service.
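The delegated-authentication steps above and the just-in-time provisioning steps in the previous section share one flow: the service forwards a credential check to a registered agent, the domain controller answers yes or no, and on a yes an unknown user is created from non-secret AD attributes. The Python below is an added model of that flow, not Okta’s service or agent code. It assumes a PBKDF2-hashed stand-in for the domain controller, a hex security token as the per-agent registration credential, a constructed group-to-application map, and constructed account data; the point it demonstrates is that the service side holds users, groups and assignments but never a password, that a disabled AD account is refused immediately, and that a disconnected agent is skipped in favour of the next registered one.

```python
import hashlib
import hmac
import os
import secrets


class DomainController:
    """Constructed stand-in for AD. Only this object holds password material
    (salted PBKDF2 digests here) and it answers only yes/no."""

    def __init__(self):
        self._accounts = {}

    def add_user(self, username, password, enabled=True, groups=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._accounts[username] = {"salt": salt, "digest": digest,
                                    "enabled": enabled, "groups": list(groups)}

    def validate(self, username, password) -> bool:
        acct = self._accounts.get(username)
        if acct is None or not acct["enabled"]:
            return False   # deactivated in AD means denied now, not after a sync
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 50_000)
        return hmac.compare_digest(digest, acct["digest"])

    def profile(self, username) -> dict:
        """Non-secret attributes used for just-in-time creation."""
        return {"login": username, "groups": list(self._accounts[username]["groups"])}


class ADAgent:
    """Runs behind the firewall and holds its per-agent registration token."""

    def __init__(self, name, dc, token):
        self.name, self._dc, self.token = name, dc, token
        self.connected = True

    def check_credentials(self, username, password) -> bool:
        if not self.connected:
            raise ConnectionError(self.name)
        return self._dc.validate(username, password)

    def fetch_profile(self, username) -> dict:
        if not self.connected:
            raise ConnectionError(self.name)
        return self._dc.profile(username)


class CloudService:
    """Stores users, their groups and app assignments, but never a password."""

    def __init__(self, group_app_map, jit_enabled=True):
        self.group_app_map = group_app_map
        self.jit_enabled = jit_enabled
        self.users = {}      # login -> {"groups": [...], "apps": [...]}
        self._agents = []    # registered agents whose tokens have not been revoked

    def register_agent(self, make_agent, admin_credentials_ok: bool):
        """Registration needs administrator credentials and yields a per-agent token."""
        if not admin_credentials_ok:
            raise PermissionError("administrator credentials required")
        agent = make_agent(secrets.token_hex(16))
        self._agents.append(agent)
        return agent

    def revoke_agent(self, token):
        self._agents = [a for a in self._agents if not hmac.compare_digest(a.token, token)]

    def _first_healthy(self, call):
        """Route to the first connected agent; fail over on connection loss."""
        for agent in self._agents:
            try:
                return agent, call(agent)
            except ConnectionError:
                continue
        return None, None

    def login(self, username, password) -> dict:
        agent, answer = self._first_healthy(lambda a: a.check_credentials(username, password))
        if agent is None:
            return {"status": "unavailable"}
        if not answer:
            return {"status": "denied"}
        created = False
        if username not in self.users:
            if not self.jit_enabled:
                return {"status": "denied", "reason": "no account and JIT disabled"}
            profile = agent.fetch_profile(username)
            apps = sorted({app for g in profile["groups"] for app in self.group_app_map.get(g, [])})
            self.users[username] = {"groups": profile["groups"], "apps": apps}
            created = True
        return {"status": "ok", "agent": agent.name, "jit_created": created,
                "apps": self.users[username]["apps"]}


def demo() -> list:
    """Constructed scenario: two agents, one of them down, plus a disabled account."""
    dc = DomainController()
    dc.add_user("alice", "correct horse", groups=["Sales", "Domain Users"])
    dc.add_user("carol", "pa55w0rd", enabled=False)
    svc = CloudService({"Sales": ["salesforce"], "Domain Users": ["webex"]})
    a1 = svc.register_agent(lambda t: ADAgent("agent-1", dc, t), admin_credentials_ok=True)
    a2 = svc.register_agent(lambda t: ADAgent("agent-2", dc, t), admin_credentials_ok=True)
    a1.connected = False                          # outage on the first agent
    results = [
        svc.login("alice", "correct horse"),      # ok via agent-2; JIT creates the user
        svc.login("alice", "correct horse"),      # ok; user already exists
        svc.login("alice", "wrong"),              # denied by the DC
        svc.login("carol", "pa55w0rd"),           # denied: account disabled in AD
    ]
    svc.revoke_agent(a2.token)
    results.append(svc.login("alice", "correct horse"))   # unavailable: no healthy agent
    return results
```

Running `demo()` shows the second login is served without re-creating the user, and that revoking the last healthy agent’s token leaves the service unable to authenticate rather than falling back to any cached secret.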


Desktop Single Sign-On

Okta supports Desktop Single Sign-On, extending local users’ Windows domain login procedures to grant access to Okta and to their cloud applications. Okta’s AD integration uses Microsoft’s Integrated Windows Authentication to seamlessly authenticate users to Okta that are already authenticated via their Windows domain login. You simply download and install Okta’s IWA web application, configure the relevant IP ranges, and the setup is complete.

Figure 9: Desktop SSO with Okta IWA web application

The behind-the-scenes steps that enable seamless login to the Okta service via Desktop Single Sign-On (shown in Figure 9) are:

1. User navigates to https://mycompany.okta.com.

2. The user is redirected to the locally installed IWA web application.

3. The IWA web application transparently authenticates the user via Integrated Windows Authentication (Kerberos).

4. The user is redirected back to the Okta login page with cryptographically signed assertions containing his AD user identity.

5. The Okta service validates the signed assertions and sends the user directly to his Okta home page.

Note that all of the above steps are transparent to the user. The user experience is simple: navigate to https://mycompany.okta.com and then land immediately on the user home page containing links to all of his assigned applications. Alternatively, a user can simply click a link corresponding to a particular application and then be automatically signed into that application. The authentication to AD behind the scenes is transparent to the user.

Lastly, remote users or users out of the office continue to find and SSO into all of their cloud applications by simply visiting the Okta user home page.
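Two decisions in the Desktop SSO flow are worth seeing in code: whether a client should be sent to the IWA web application at all (the configured IP ranges), and what the service must check on the signed assertion before trusting the identity inside it. The Python below is an added illustration and not Okta’s IWA application or its assertion format. It assumes an HMAC-SHA256 signature over a compact JSON payload with a key shared between the IWA app and the service, an issuer host name `iwa.corp.example`, the audience `mycompany.okta.com` from the paper, and constructed IP ranges; the real product’s assertion format and key management are not described on this page.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed configuration: client addresses that should be routed through IWA.
IWA_IP_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
# Assumption: the IWA app and the service share a signing key (HMAC-SHA256 here).
SHARED_KEY = b"constructed-demo-key-do-not-use"
SERVICE_AUDIENCE = "mycompany.okta.com"
IWA_ISSUER = "iwa.corp.example"   # hypothetical host name for the IWA app


def should_use_iwa(client_ip: str, ranges=IWA_IP_RANGES) -> bool:
    """Only clients inside the configured ranges are redirected to the IWA app;
    everyone else (remote users) gets the normal login page."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ranges)


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(upn: str, now: int, ttl: int = 60, key: bytes = SHARED_KEY) -> str:
    """What the IWA app hands back once Kerberos has identified the user."""
    payload = {"sub": upn, "iss": IWA_ISSUER, "aud": SERVICE_AUDIENCE,
               "iat": now, "exp": now + ttl}
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_assertion(token: str, now: int, key: bytes = SHARED_KEY):
    """Service-side check: signature first, then issuer, audience and expiry.
    Returns the asserted UPN, or None if any check fails."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                      # unsigned or tampered: never parse further
    try:
        payload = json.loads(_b64u_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("iss") != IWA_ISSUER or payload.get("aud") != SERVICE_AUDIENCE:
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None                      # short lifetime limits replay
    return payload.get("sub")


def desktop_sso(client_ip: str, kerberos_identity: str, now: int) -> dict:
    """Steps 1-5 end to end: off-network clients see the login page; on-network
    clients land on the home page once the assertion validates."""
    if not should_use_iwa(client_ip):
        return {"page": "login", "user": None}
    token = issue_assertion(kerberos_identity, now)
    user = validate_assertion(token, now + 1)
    return {"page": "home" if user else "login", "user": user}
```

The signature is verified before the payload is decoded, so malformed or modified bodies are rejected without being parsed, and the audience check prevents an assertion issued for one service from being presented to another.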


Self Service Password Reset Support

Your users can also change their Active Directory password via Okta. When a user’s AD password expires or is reset they will automatically be prompted to change it the next time they log in to Okta. Users can also proactively change their AD password directly from the account tab on their Okta home page, and Okta keeps all of these credentials synchronized with AD.

Security Group–Driven Provisioning

Okta’s service has a group feature that can be used to drive bulk application provisioning and assignments to Okta users according to what groups they are members of. Okta allows you to map Active Directory’s security groups to native Okta groups and, as a result, to automatically provision applications to users based on their membership within AD security groups.

When you add a user to AD, you can place him in a security group, and during automatic synchronization with Okta, that user will be added, and accounts in the applications mapped to that security group will be automatically provisioned on their behalf. Application-specific parameters such as role, profile, and user information are automatically set based on rules defined within the Okta service as well. For example, a rule can be defined within Okta that ensures that all members of the AD security group “Sales” are provisioned an account in Salesforce.com and given access to it.

The result is that when a user is added to Active Directory, all of the tasks required to give him access to his cloud and web-based applications are handled automatically. This greatly reduces the provisioning time for new employees, and allows IT admins to continue to use AD as their starting point for user access.

When a user’s Security Group membership changes, the change is detected by the Okta AD Agent and is relayed to the Okta Service. When this happens, the assignment rules are recomputed. These rules trigger applications to be newly assigned, existing application assignments to be removed, or user properties to be updated on the downstream applications.

New and updated application assignments work exactly the same. All of the steps to provision the account, set up SSO, and update the user’s My Applications home page are handled automatically. Deletions are handled similarly. If a user’s access to an app is removed, he is immediately locked out from using SSO to access that application. The application account is then deactivated by the Okta service, or if that cannot be done automatically, an administrative task is created that must be cleared once the account has been deactivated manually. All of these actions can execute automatically or after confirmation by an Okta administrator.
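The recomputation described in the last two paragraphs is a reconciliation: derive the desired set of application assignments from the user’s current groups, diff it against what is already assigned, and emit provision, update, or removal actions, where a removal revokes SSO first and then either deactivates the account or opens an administrative task. The Python below is an added example of that logic, not Okta’s rule engine or configuration format; the AD-to-Okta group map, the assignment rules (including the “Sales” to Salesforce.com rule from the text), and the set of applications that can be deactivated automatically are all constructed.

```python
# Constructed mappings (not Okta's configuration format): AD security group ->
# Okta group, and Okta group -> applications with app-specific parameters.
AD_TO_OKTA_GROUP = {"Sales": "okta-sales", "Engineering": "okta-eng",
                    "Domain Users": "okta-everyone"}
ASSIGNMENT_RULES = {
    "okta-sales": {"salesforce": {"profile": "Standard User", "role": "Sales Rep"}},
    "okta-eng": {"github": {"role": "member"}},
    "okta-everyone": {"webex": {}},
}
# Constructed: apps whose accounts the service can deactivate itself; any other
# removal opens an administrative task that is cleared after manual deactivation.
AUTO_DEACTIVATE = {"salesforce", "github"}


def compute_assignments(ad_groups) -> dict:
    """Desired state (app -> parameters), derived purely from group membership."""
    desired = {}
    for group in ad_groups:
        okta_group = AD_TO_OKTA_GROUP.get(group)
        for app, params in ASSIGNMENT_RULES.get(okta_group, {}).items():
            desired.setdefault(app, {}).update(params)
    return desired


def reconcile(current: dict, desired: dict) -> list:
    """Diff current against desired into an ordered list of (action, app, params).
    Removals revoke SSO first, then deactivate or open an admin task."""
    actions = []
    for app in sorted(desired):
        if app not in current:
            actions.append(("provision", app, desired[app]))
        elif current[app] != desired[app]:
            actions.append(("update", app, desired[app]))
    for app in sorted(current):
        if app not in desired:
            actions.append(("revoke_sso", app, {}))
            if app in AUTO_DEACTIVATE:
                actions.append(("deactivate", app, {}))
            else:
                actions.append(("admin_task", app, {}))
    return actions


class UserState:
    """One user's current groups and app assignments as the service tracks them."""

    def __init__(self, login):
        self.login = login
        self.groups = []
        self.assignments = {}

    def on_group_change(self, new_groups) -> list:
        """Called when the agent relays a membership change; returns the actions taken."""
        desired = compute_assignments(new_groups)
        actions = reconcile(self.assignments, desired)
        self.groups = list(new_groups)
        self.assignments = desired
        return actions


if __name__ == "__main__":
    user = UserState("alice@corp.example")
    print(user.on_group_change(["Sales", "Domain Users"]))
    print(user.on_group_change(["Engineering", "Domain Users"]))
```

Because the desired state is recomputed from scratch on every change rather than patched incrementally, a user moved out of “Sales” loses Salesforce.com access even if the earlier assignment was made by a rule that has since been edited.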

One-Click Deprovisioning

User deactivation is typically triggered from a standard corporate identity store such as Active Directory. With Okta’s centralized deprovisioning, deactivating a user in AD immediately initiates a deprovisioning workflow to ensure maximum effectiveness in preventing unauthorized access to Okta and other cloud applications. The workflow generates a notification to administrators and guides IT to complete any necessary manual deprovisioning tasks associated with a particular user or application. Further, this workflow also serves as an audit trail; within Okta the entire audit trail is captured for reporting and audit purposes so that you can easily generate historical deprovisioning reports by user or by application.

Figure 10: Okta enables SSO for AD authenticated internal web applications

Single Sign-On for AD Authenticated Apps

Most enterprises have on-premises web applications that can easily be integrated into Okta’s SSO solution. Many companies also have web applications that use Active Directory credentials for authentication. These applications are not using Integrated Windows Authentication, but instead require the user to enter their AD credentials when they sign in. When Okta is configured to delegate authentication to Active Directory, signing in to these internal web applications can also be automated.

The behind-the-scenes steps that enable SSO for AD authenticated internal web applications (shown in Figure 10) are:

1. Okta is configured to delegate authentication to AD.

2. Customer has on-premises apps authenticating to AD.

3. User logs in to Okta with AD credentials.

4. User accesses App 1 and App 2 with SWA using AD credentials.

5. App 1 and App 2 authenticate user against AD.

Okta can leverage its Secure Web Authentication protocol to automatically log users into these internal web applications. When an internal web application is configured to delegate authentication to AD (the same source to which Okta delegates authentication), Okta captures the user’s AD password at login and automatically sets that password for that user in any applications that also delegate to AD. This allows users to simply click a link to access these applications, and then be logged in automatically. Note that Okta synchronizes the AD password securely; if the password subsequently changes in AD, this event is captured on login to Okta and immediately updated in the secure password store for that application, ensuring that the next login attempt will be successful.

Conclusion—Extend Active Directory to the Cloud with Okta

Companies continue to shift their focus from legacy on-premises applications to newer cloud based services. The newer cloud services offer enormous benefits, both in expanded capabilities and in lower overall cost. The question today is not if you can make this transition, but rather how fast can you do it. One of the biggest obstacles in this path is managing user identities in a way that is consistent with users’ and administrators’ experience and expectations. Linking Active Directory to cloud services solves this problem, and Okta’s cloud-based identity management solution makes it possible. Okta provides a flexible, highly redundant, and scalable solution for managing cloud identities, and it does so in a service that is easy to set up and is virtually maintenance-free. Let Okta extend your Active Directory usage to all of your cloud applications—both the apps you use today and the ones you’ll need in the future.

Okta Active Directory Agent Details

The Okta AD Agent is designed to scale easily and transparently. For redundancy a cluster can be created by installing Okta AD Agents on multiple Windows Servers; the Okta service registers each Okta AD Agent and then distributes authentication and user management commands across them automatically. If any agent loses connectivity or fails to respond to commands, it is removed from rotation and the administrator is notified via email. In parallel, the Okta AD Agent will attempt to reconnect to the service using an exponential back-off capped at 1-minute intervals.
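The paragraph above describes three service-side behaviours for an agent cluster: commands are distributed across registered agents, an agent that fails to respond is dropped from rotation and the administrator is notified, and the agent reconnects on an exponential back-off capped at one minute. The Python below is an added model of those behaviours and is not Okta’s agent or service code; the round-robin dispatch, the notification callback standing in for the administrator email, and the command strings are all constructed for the example.

```python
def reconnect_delays(attempts: int, base: float = 1.0, cap: float = 60.0) -> list:
    """Exponential back-off schedule an agent follows when reconnecting,
    doubling from `base` seconds and capped at one-minute intervals."""
    delays, delay = [], base
    for _ in range(attempts):
        delays.append(min(delay, cap))
        delay *= 2
    return delays


class AgentCluster:
    """Service-side view of registered agents: round-robin dispatch over the
    healthy ones, removal from rotation on failure, and an admin notification."""

    def __init__(self, notify):
        self.notify = notify      # callable standing in for the administrator email
        self.handlers = {}        # agent name -> callable(command)
        self.healthy = {}         # agent name -> bool
        self._next = 0

    def register(self, name, handler):
        self.handlers[name] = handler
        self.healthy[name] = True

    def in_rotation(self) -> list:
        return [name for name in self.handlers if self.healthy[name]]

    def dispatch(self, command) -> dict:
        """Send one command to the next healthy agent; on failure, drop that
        agent from rotation, notify, and retry with the remaining agents."""
        while True:
            pool = self.in_rotation()
            if not pool:
                return {"status": "no_agents", "command": command}
            name = pool[self._next % len(pool)]
            self._next += 1
            try:
                result = self.handlers[name](command)
                return {"status": "ok", "agent": name, "result": result}
            except Exception as exc:      # lost connectivity or no response
                self.healthy[name] = False
                self.notify(f"agent {name} removed from rotation: {exc}")

    def reconnected(self, name):
        """The agent re-established its outbound connection; return it to rotation."""
        if name in self.handlers:
            self.healthy[name] = True


def demo():
    """Constructed scenario: three agents, the second of which never responds."""
    notices = []
    cluster = AgentCluster(notices.append)

    def failing(command):
        raise ConnectionError("no response")

    cluster.register("agent-1", lambda command: f"agent-1 handled {command}")
    cluster.register("agent-2", failing)
    cluster.register("agent-3", lambda command: f"agent-3 handled {command}")
    results = [cluster.dispatch("auth alice"),
               cluster.dispatch("import users"),
               cluster.dispatch("auth bob")]
    return results, notices, cluster.in_rotation()


if __name__ == "__main__":
    print(reconnect_delays(8))
    for item in demo():
        print(item)
```

The loop in `dispatch` always terminates because each failure shrinks the pool, so a command either reaches a responding agent or the service reports that no agent is available instead of retrying a dead one indefinitely.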

System Requirements for Okta AD Agent

The following are minimum system requirements to support the Okta AD Agent:

• Windows Server 2003 R2 or later

• 20 MB of memory for service

• AD Service Account created upon Okta AD Agent installation

Here are suggested system requirements:

• 256 MB of memory for service

• Dedicated AD Service Account with Domain Users permissions

• Separate server from Domain Controller (can be shared)

Okta IWA Web Application Details

Okta IWA is a lightweight IIS web app that enables desktop SSO with the Okta service. The Okta IWA web application installs on Windows Server 2008 in Web Server Role. The installer configures IIS and all Windows components.

System Requirements for Okta IWA Web Application

The following are system requirements necessary to support the Okta IWA web application:

• Windows Server 2008 in Web Server Role

• 50 MB of memory

About Okta

Okta is an enterprise-grade identity management service, built from the ground up in the cloud and delivered with an unwavering focus on customer success. The Okta service provides directory services, single sign-on, strong authentication, provisioning, workflow, and built-in reporting.

Enterprises everywhere are using Okta to manage access across any application, person or device to increase security, make people more productive, and maintain compliance. The hundreds of enterprises, thousands of cloud application vendors and millions of people using Okta today also form the foundation for the industry’s fastest growing, vendor neutral Enterprise Identity Network.

The Okta team has built and deployed many of the world’s leading on-demand and enterprise software solutions from companies including Salesforce.com, PeopleSoft, Microsoft, BMC, Arcsight, Sun, and HP. Okta is backed by premier venture investors Andreessen Horowitz, Greylock Partners, Khosla Ventures and Sequoia Capital.

For more information, visit us at www.okta.com or follow us on www.okta.com/blog.