Okta Customer Identity

Focuses on Security and Privacy of Customers.

Challenges and Solutions

1. Build and integrate Apps with Okta AuthN 
   • SSO
   • Social Logins
   • Custom user experience
     • Signin widget
   • Prebuilt & custom process
     • Email template
     • Event hooks
2. Secure APIs with Okta Authorization (API Access Management) 
   • OAuth/ OIDC Protocols
     • 
   • Identity Proven Policy
     • 
   • Plug & Play SDK/ APIs
     • 
3. Integrate Enterprise Identity
   • • 
4. Protect against Risk of Account Takeover

• • Risk-based Authentication
    • 

• • Passwordless Authentication
    • 

• • Pre-authentication sign-on policy evaluation
    • 

Common Use-cases

API Access Management

API Access Management allows you to build custom authorization servers in Okta which can be used to protect your own API endpoints.

What is an authorization server?

• An authorization server defines your security boundary, for example “staging” or “production.”
• Within each authorization server you can define your own OAuth scopes, claims, and access policies.
• This allows your apps and your APIs to anchor to a central authorization point and leverage the rich identity features of Okta, such as UD for transforming attributes, adaptive MFA for end-users, analytics, and system log, and extend it out to the API economy.
• At its core, an authorization server is simply an OAuth 2.0 token minting engine.
• Each authorization server has a unique issuer URI and its own signing key for tokens in order to keep proper boundary between security domains.
• Authorization server also acts as an OpenID Connect Provider, which means you can request ID tokens in addition to access tokens from the authorization server endpoints.

How do I choose an authorization service?

How do you know if you need to use Okta’s authorization server instead of the authorization service that is built in to your Okta app?

• Need to protect non-Okta resources.
• Need different authorization policies depending on whether the person is an employee, partner, or end user, or other similar specializations.

How do I set up an authorization server?

To manage authorization between clients and Okta,

• Identify the scopes and claims in your client app and register it with Okta.
• Create one or more authorization servers and define the scopes and claims to match those expected by your app.

Client app must recognize ->scope and claims as defined in the authorization server.

Create the Authorization Server

• Create Scopes
• Create Claims
• Create Access Policies
• Create Rules for Each Access Policy
• Test Your Authorization Server Configuration
• Delete an Authorization Server

JSON Web Key Set (JWKS) is a set of keys which contains the public keys used to verify any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 signing algorithm.

• A JSON Web Key (JWK) is a JSON representation of a cryptographic key.
• Okta can use these keys to verify the signature of a JWT when provided for the private_key_jwt client authentication method or for a signed authorize request object.
• Okta supports both RSA and Elliptic Curve (EC) keys.