Executive Summary: Authentication is a crucial part of any application development. Whether you are developing an internal IT app for your employees, building a portal for your partners, or exposing a set of APIs to developers building apps around your resources, the Okta Platform can provide the right support for your projects.
API Access Management
Integrate Corporate Applications with Okta
- Securely store user profiles, manage passwords, and organize users into groups with Okta’s Universal Directory.
ACTIVE DIRECTORY & LDAP
- Use your existing LDAP or Active Directory as your user profile master and password store. Deploy the Okta Agent to securely delegate authentication to AD or LDAP and sync user data to and from Okta.
FEDERATED IDENTITY PROVIDER
- Connect to any federated identity provider. Okta manages all federation trust relationships, handles diverse SAML implementations, and stores user profile information.
- Use an existing database as your user profile master. Deploy the Okta Agent to securely sync user data to and from Okta.
SOCIAL IDENTITY PROVIDER
- Sync profile attributes and authenticate users from any social identity provider.
CREATE AUTHORIZATION POLICIES BASED ON:
- User profile
- Group membership
- Network zone
- User or administrator consent
- Complete standard-compliant support for OAuth 2.0
- Proven compatibility with 3rd party API management solutions
Note: Instantly revoke or update user permissions based on user status and profile.
- Authentication – (OKTA Integration, OpenID or Any Corporate Directory, Application MFA Token)
- Hardware Authentication – (Server SSH-Key, Passphrase, MFA Token)
- Database Authentication – (MySQL Workbench access through SSH-Tunnel)
Below is a high-level architecture overview of how to integrate enterprise applications with OpenID (IdP) and the Okta cloud, along with multi-layer security and high availability (HA) features.
- End user – OKTA integration.
– Create new OKTA cloud account
– Addition of new internal or cloud applications to Okta Cloud.
– Add corporate users & their access control
– Adding MFA token authentication layer
(The Okta Platform gives you the flexibility to deploy Okta’s built-in factors, or integrate with existing tokens (Yubikey). Native factors include SMS, and the Okta Verify app for iOS and Android. Integrations include Google Authenticator, RSA SecurID, Symantec VIP, and Duo Security.)
- Implement OpenID as IDP layer
- Implementation & Configuration of HAProxy (Load Balancer)
- NGINX (Reverse Proxy) Layer with High Availability (HA) option
- Application/Web Server (SSH-Key + Passphrase + Password-MFA Token) access security.
- SSH-Tunnel to Application Server created in proxy/jumphost server
- Private SSH key for the proxy/jump host
- Add the local (proxy server) and remote (application server) port details and the tunnel details
- Access the application server through the (Proxy server) using (SSH-Key + Passphrase + Password-MFA Token) combination.
- The database (MySQL/Percona) is set up on an isolated DB network and can be accessed only via “Standard TCP/IP over SSH-Tunnel” through a whitelisted application/web server (using MySQL Workbench or the phpMyAdmin console).
Note: An additional security layer for database servers is an SSH key protected by a passphrase.
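The SSH-tunnel steps above and the passphrase note are illustrated by this added Python example (not part of the original page or of Okta's own code): it reads the header of an OpenSSH private key to confirm the key is passphrase-protected, and builds the ssh command that forwards a loopback port through the proxy/jump host to the MySQL port. The key path, user, host names and ports are assumed placeholders, and the sample key header is constructed for the demonstration.

```python
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOT = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 format


def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def openssh_key_cipher(pem_text: str) -> str:
    """Cipher name from the key header; "none" means no passphrase protects the key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_FOOT:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, _ = _read_string(blob, len(MAGIC))  # first field after the magic
    return cipher.decode()


def key_has_passphrase(pem_text: str) -> bool:
    """True when the private key file is encrypted, i.e. a passphrase is required."""
    return openssh_key_cipher(pem_text) != "none"


def tunnel_argv(key_path, jump_user, jump_host, local_port, db_host, db_port=3306):
    """ssh command for the DB tunnel via the jump host: the forward binds to
    loopback only, and ssh exits instead of lingering if the forward fails."""
    if not (1 <= local_port <= 65535 and 1 <= db_port <= 65535):
        raise ValueError("port out of range")
    return ["ssh", "-i", key_path, "-N",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "IdentitiesOnly=yes",
            "-L", f"127.0.0.1:{local_port}:{db_host}:{db_port}",
            f"{jump_user}@{jump_host}"]


def make_sample_key(cipher: str) -> str:
    """Constructed header-only sample (not a real key) to exercise the check."""
    def s(b): return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = MAGIC + s(cipher.encode()) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return "\n".join([PEM_HEAD, base64.b64encode(blob).decode(), PEM_FOOT])
```

With the tunnel running, MySQL Workbench connects with “Standard TCP/IP over SSH” to 127.0.0.1 on the chosen local port, so the database itself never needs to be reachable from the workstation.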