This document describes how you can use the services of multi-factor authentication provider Okta to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (SPS).
One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.
SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local credential store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with Okta (or another multi-factor authentication provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.
To support multi-factor authentication, SPS integrates with the identity management service Okta. This enables you to leverage an additional out-of-band factor (typically through the user’s registered smartphone) when authenticating the user. The additional factor is processed in-line with the connection, so users do not have to switch to an external application to process the additional factor. This results in an efficient user experience that is readily accepted by the users.
The One Identity Safeguard for Privileged Sessions can interact with your Okta account and can automatically request multi-factor authentication for your privileged users who are accessing the servers and services protected by SPS.
Figure 1: How SPS and Okta work together
Matt Magleby, Sr. Computer Scientist at Adobe
One Identity Safeguard for Privileged Sessions helps us meet a portion of our compliance and internal security requirements related to access management.
Using SPS together with Okta provides the following benefits.
Easy-to-use multi-factor authentication to secure your privileged users who access your business-critical servers. The enforcement of a second-factor authentication and the availability of session recordings make the access of high-risk users more secure.
Out-of-band authentication to protect against privileged identity theft
Logs and audits administrative network traffic
Integrates with existing LDAP user directory
Easy and fast deployment and implementation: a network-level solution that does not require installing agents on clients or servers
Can forward user logs into Splunk for long-term storage and analysis
Supports SSH and RDP protocols to access both Linux and Windows servers, without disrupting the daily workflow of your system administrators and other privileged users
Supports strong authentication methods, including SSH keys and certificates
ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, for example, multi-factor authentication (MFA) for accessing production systems, and the logging of all administrative sessions. In addition to other requirements, using SPS and Okta helps you comply with the following requirements:
PCI DSS 8.3: Secure all individual non-console administrative access and all access to the cardholder data environment (CDE) using multi-factor authentication.
PART 500.12 Multi-Factor Authentication: Covered entities are required to apply multi-factor authentication for:
Each individual accessing the covered entity’s internal systems.
Authorized access to database servers that allow access to nonpublic information.
Third parties accessing nonpublic information.
NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements multi-factor authentication for network access to privileged accounts
To read about the experiences of Adobe Experience Cloud business unit using SPS and Okta, download our case study.
Figure 2: How SPS and Okta work together
A user attempts to log in to a protected server.
SPS receives the connection request and authenticates the user. SPS can authenticate the user to a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.
If gateway authentication is successful, SPS connects the Okta server to check which authentication factors are available for the user. Then SPS requests the second authentication factor from the user.
For OTP-like authentication factors, SPS requests the one-time password (OTP) from the user, and sends it to the Okta server for verification.
For the Okta push notification factor, SPS asks the Okta server to check if the user successfully authenticated on the Okta server.
If multi-factor authentication is successful, the user can start working, while SPS records the user's activities. (Optionally, SPS can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)
In order to successfully connect SPS with Okta, you need the following components.
A valid Okta subscription that permits multi-factor authentication.
An Okta API key. You will need it to configure the SPS plugin.
Your users must be available in Okta.
The users must activate their Okta accounts, and be able to perform the authentication required for the factor (for example, install the Okta mobile app, possess the required hardware token, and so on).
A factor that the SPS plugin supports must be enabled in Okta. Note that this is a global setting, you cannot selectively enable factors. For a list of factors that SPS supports, see Supported factors and scenarios.
A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F1.
A copy of the SPS Okta plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the Okta multi-factor authentication service.
SPS must be able to access the Internet (at least the services on https://www.okta.com). Since Okta is a cloud-based service provider, SPS must be able to access its web services to authorize the user.
Depending on the factor you use to authenticate your users, your users might need Internet access as well, for example, to use the Okta Verify Push Notification factor. Note that the Okta app generates one-time passwords (OTPs) offline.
SPS supports Authentication and Authorization plugins in the RDP, SSH, and Telnet protocols.
In RDP, using an AA plugin together with Network Level Authentication in a Connection Policy has the same limitations as using Network Level Authentication without domain membership. For details, see "Network Level Authentication without domain membership" in the Administration Guide.
In RDP, using an AA plugin requires TLS-encrypted RDP connections. For details, see "Enabling TLS-encryption for RDP connections" in the Administration Guide.
The SPS Okta plugin is available as-is, free of charge to every SPS customer from the Plugin Page. In case you need any customizations or additional features, contact email@example.com.
You can use the plugin on SPS 5 F3 and later. If you need to use the plugin on SPS 5 LTS, contact firstname.lastname@example.org.
The SPS Okta plugin can provide multi-factor authentication in the Remote Desktop (RDP), Secure Shell (SSH), and TELNET protocols. In RDP, using push notifications (when the user authenticates using the Okta mobil app) is the most convenient method. You can use another factor, but in this case the user must encode the OTP password into the username used in the connection, before trying to connect to the server.
Okta supports several different authentication backends ("factor types" in Okta terminology). When using one-time passwords (OTP-like factors), your users can specify which factor they use (from the ones available for them in Okta).
You can also set a default factor in the Okta configuration, it defaults to Okta Verify (One-Time Password).
The SPS Okta plugin supports the following authentication factors:
Google Authenticator (One-Time Password)
Okta Push Authentication
Okta Verify (One-Time Password)
Symantec token (One-Time Password)
YubiKey token (One-Time Password)
You can also configure SPS to require multi-factor authentication only from selected users or usergroups. You can also specify exceptions, that is, require multi-factor authentication from everyone except the specified users. This allows you to have emergency or break-glass users who can access your servers even if the Okta services are not available. For details, see Okta Multi-Factor Authentication - Tutorial.