The world's leading independent identity platform — powering single sign-on, adaptive MFA, lifecycle automation, and governance for over 19,000 organizations. Explained from zero.
Starting from the very beginning — no prior knowledge assumed.
Okta calls itself "The World's Identity Company." Its core job is managing who people are, whether they're who they claim to be, and what they should be allowed to access. In modern enterprises, identity is the new perimeter — because users, apps, and data are no longer inside a protected office building. They're everywhere.
Okta has two distinct kinds of customer: organizations using it to manage their employees' access to work apps (Workforce Identity), and companies building apps who use it to manage their end-users' logins (Customer Identity, via Auth0). Both are sold by Okta, but Auth0 remains its own platform with its own tenants, APIs and SDKs rather than a mode of the Workforce product. Over 19,000 organizations use Okta, including FedEx, Slack, Nordstrom, Nasdaq, and thousands of others.
Okta is deliberately vendor-neutral. Unlike Microsoft (who also sells Azure, Teams, and Office) or Google (who also sells Workspace), Okta has no competing cloud, productivity suite, or OS to push. Its only business is identity — which means it integrates equally well with Microsoft 365, Google Workspace, AWS, Salesforce, and every other vendor without any conflict of interest.
Before understanding Okta's features, you need to understand why organizations desperately need it.
The average enterprise employee juggles well over a hundred passwords (a widely cited industry survey put the figure at 191). They reuse them, write them on sticky notes, and pick weak ones. IT spends enormous time resetting them, and attackers exploit them constantly: Verizon's Data Breach Investigations Report has for years found stolen or weak credentials behind the majority of hacking-related breaches. Okta's SSO replaces this chaos with one secure login, and Okta's passwordless options remove the password altogether.
When a new hire joins, IT manually creates accounts in Salesforce, Slack, GitHub, Zoom, Jira, and 30 other apps — taking days. When someone leaves, those accounts often aren't disabled for weeks, leaving security gaps. Okta's Lifecycle Management automates all of this — a new hire in Workday gets all their app accounts automatically on day one. A leaver's access is revoked everywhere in minutes.
HR has its own directory (Workday), IT has Active Directory, one team uses Salesforce, another uses Google Workspace. Each has its own version of "who this person is." When someone changes their name or gets promoted, those changes rarely sync across all systems — creating security gaps and frustration. Okta's Universal Directory creates a single source of truth that federates across all these systems.
Phishing, credential stuffing, and password spraying are the most common cyberattack vectors. Once an attacker has a username and password, they can access everything that account touches. Okta's Adaptive MFA adds a second verification factor — and its Identity Threat Protection detects anomalous behavior, like logging in from two countries simultaneously, and blocks the session in real time.
SOX, HIPAA, PCI-DSS, SOC 2, ISO 27001, GDPR — all require audit trails of who accessed what, when. Without a centralized identity platform, assembling this evidence is a manual nightmare. Okta provides a complete audit log of every login, every app access, every MFA event, and every provisioning change — searchable and exportable for compliance reporting.
Employees work from home, coffee shops, and hotels on personal devices. Partners need access to specific apps. Contractors need temporary access. The old model of trusting anyone inside the corporate network doesn't work. Okta's adaptive policies grant or deny access based on who you are, what device you're using, where you are, and what you're trying to access — enabling Zero Trust.
Okta is not just one product. Here is the full product ecosystem and how the pieces connect.
The core Okta product most enterprises use — SSO, Adaptive MFA, Universal Directory, Lifecycle Management, and Identity Governance all working together to manage employee access to work applications. This is what IT, HR, and security teams deploy to replace legacy on-prem IAM solutions and enable hybrid-cloud access.
Okta acquired Auth0 in 2021 for $6.5 billion. Auth0 is the developer-friendly CIAM (Customer Identity and Access Management) platform — used by companies building apps to handle their end-users' registration, login, MFA, and social login. While Workforce Identity is for IT/security teams, Auth0 is for software engineers building user-facing products.
A PAM-like capability for managing privileged access — who can log into servers, databases, and critical infrastructure. Provides just-in-time access, session recording, AD password management, and vault-style credential checkout. Extends the Okta platform into the privileged account management space previously dominated by CyberArk.
Goes beyond point-in-time authentication decisions to continuously evaluate risk throughout a user's active session. If a user authenticates normally at 9am then tries to access sensitive data at 3pm from a different location, ITP can automatically challenge or terminate the session — even without a new login event.
Scans the identity environment for risky configurations and exposures — users with excessive permissions, dormant privileged accounts, weak MFA policies, shadow apps, service account risks, and AI agent identity exposures. Provides a risk score and remediation guidance, similar to how Tenable or Qualys does for infrastructure vulnerabilities.
The newest capability — managing identities for AI agents that act autonomously on behalf of humans. Registers AI agents in Universal Directory, enforces least-privilege access policies, provides audit trails of agent actions, and integrates with Cross App Access (XAA) to control what agents can do across different applications. Addresses a rapidly growing security gap as enterprise AI adoption accelerates.
SSO is usually the first thing organizations deploy with Okta, and the foundation everything else is built on.
An employee navigates to Salesforce.com (or any other Okta-connected app). Salesforce doesn't let them in directly: seeing no authenticated session, it redirects the browser to Okta (the Identity Provider) with a SAML AuthnRequest or an OIDC authorization request. This is the SP-initiated flow; launching the app from the Okta dashboard instead is IdP-initiated and skips straight to the login step.
The user arrives at the Okta login page (which can be branded with the company's logo). They enter their username and password, or, if passwordless is configured, they receive an Okta Verify push notification on their phone. Okta checks the credentials against its Universal Directory (which syncs with Active Directory, HR systems, or other sources) or, when delegated authentication is enabled, forwards the password check through the AD Agent to an on-prem domain controller so the AD password never has to be stored in Okta.
Okta evaluates the login context — what device, what location, what network, what time of day, is this a new device, is the IP address known risky. Based on the configured policy, Okta may challenge the user with a second factor (Okta Verify push, hardware key, SMS, biometric) or — if the context looks completely normal and trusted — skip the MFA challenge entirely for a seamless experience.
Authentication succeeds. Okta creates a cryptographically signed assertion (a SAML Assertion or OIDC ID Token) that tells the application: "This is Sarah Chen, she works in the Sales department, she has the Salesforce Sales Rep role, and Okta has verified her identity." This token is digitally signed so the app can verify it wasn't tampered with.
Salesforce receives the signed assertion, verifies Okta's signature against the IdP certificate (or published keys) it was configured with, checks that the assertion is addressed to it and is still within its validity window, reads the user attributes, and logs Sarah into her account with the correct role and permissions, automatically. The entire process takes under a second. Sarah never had to create a Salesforce password or remember one. The verification step is the whole security of the scheme: an app that skips the signature check, or accepts an assertion issued for a different app, can be logged into by anyone who can craft one.
When employees open their browser, they can navigate to their company's Okta URL (e.g., company.okta.com) and see their personal app dashboard: tiles for every application they have access to. One click on any tile launches the app, already authenticated (an IdP-initiated login). This is the end-user experience that replaces the password chaos described earlier.
The OIN is Okta's app catalog — 7,000+ pre-built SSO and provisioning integrations with virtually every SaaS application on the market. Salesforce, Microsoft 365, Google Workspace, Slack, Zoom, GitHub, ServiceNow, Workday, AWS, and thousands more. Most integrations take minutes to configure rather than days, because both Okta and the app vendor have already done the technical work.
Okta's latest authentication evolution. Okta FastPass uses device-bound cryptographic keys to authenticate users with biometrics (fingerprint, Face ID) or a device PIN, with no password at all. Combined with FIDO2/WebAuthn hardware keys (YubiKey) or passkeys, organizations can completely eliminate passwords for employee authentication. Because the private key never leaves the device and each assertion is bound to the origin that requested it, a look-alike login page has nothing to capture; that property is what makes these factors phishing-resistant.
Okta's Desktop SSO (Integrated Windows Authentication, IWA) means that when an employee signs in to a domain-joined Windows machine, the Kerberos ticket from that logon authenticates them to Okta, and therefore to all their apps, without another prompt. On macOS and non-domain-joined devices the equivalent is Okta Device Access (Desktop MFA, Desktop Password Sync) working with FastPass. In both cases the computer logon IS the identity verification, so the device's own login must be held to the same standard as Okta's: MFA at the desktop, full-disk encryption, and a managed device.
Okta's MFA is "adaptive" because it doesn't apply the same friction to every login — it uses risk signals to decide when to challenge and when to trust.
Challenging a user with MFA every single time they open Slack from their desk is annoying and creates fatigue (MFA fatigue is a real attack vector — attackers flood users with approval requests hoping they'll accept). Adaptive MFA only steps up to a challenge when the risk signals say something is off — a new device, a new country, an unusual time, a known risky IP, or a behavioral anomaly. Trusted logins flow through frictionlessly.
Okta's risk engine evaluates: Device (is this a registered, managed device?), Network (is this IP in a known risky zone?), Location (is this a new city, state, or country?), Behavior (has this user logged in at this time before?), Velocity (could the user have physically traveled between their last login location and this one?). It combines these into a risk score that drives the policy decision.
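The risk engine described above, as an added worked example that is not Okta's engine or API: the signals are the five the text lists (device, network, location, behaviour, velocity), and the weights, thresholds, threat-intel IP list and sample logins are assumptions chosen so that one login flows through, one is stepped up, and one (an "impossible travel" login from an unmanaged device on a risky IP) is denied. The velocity check is the part worth copying: it turns two timestamped geolocations into the speed the user would have needed, which is far harder for an attacker to game than a simple "new country" flag.

```python
"""Illustrative adaptive-MFA risk scoring. Added example, not Okta's risk engine or API:
the signals mirror the ones the text lists (device, network, location, behaviour,
velocity); the weights, thresholds and sample logins are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than a commercial flight means "impossible travel"
NEW_LOCATION_KM = 500.0      # assumption: further than this from the last login counts as a new region
STEP_UP_THRESHOLD = 30       # assumption: at or above this, demand a second factor
DENY_THRESHOLD = 70          # assumption: at or above this, block and alert


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ts: datetime          # timezone-aware
    ip: str
    lat: float
    lon: float
    device_id: str
    managed: bool         # enrolled in MDM / Okta Verify with device trust


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed between two logins; inf if the timestamps are out of order."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def score_login(cur, history, risky_ips, known_devices):
    """Combine the risk signals into one score. history: this user's prior successful logins, oldest first."""
    score, reasons = 0, []
    if not cur.managed:
        score += 20
        reasons.append("unmanaged device")
    if cur.device_id not in known_devices:
        score += 20
        reasons.append("unknown device")
    if cur.ip in risky_ips:
        score += 40
        reasons.append("risky ip")
    if history:
        last = history[-1]
        if haversine_km(last.lat, last.lon, cur.lat, cur.lon) > NEW_LOCATION_KM:
            score += 10
            reasons.append("new location")
        if required_speed_kmh(last, cur) > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")
        if cur.ts.hour not in {h.ts.hour for h in history}:
            score += 10
            reasons.append("unusual hour")
    return score, reasons


def decide(score):
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(attempt, history, risky_ips, known_devices):
    """Policy decision for one login attempt: (decision, score, reasons)."""
    score, reasons = score_login(attempt, history, risky_ips, known_devices)
    return decide(score), score, reasons


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: Sarah normally signs in from London around 09:00 on her managed laptop.
HISTORY = [LoginAttempt("sarah", _utc("2024-05-06T08:55:00"), "203.0.113.10", 51.50, -0.12, "lap-1", True),
           LoginAttempt("sarah", _utc("2024-05-07T09:02:00"), "203.0.113.10", 51.50, -0.12, "lap-1", True)]
KNOWN_DEVICES = {"lap-1"}
RISKY_IPS = {"198.51.100.7"}   # constructed threat-intel entry

NORMAL = LoginAttempt("sarah", _utc("2024-05-08T09:00:00"), "203.0.113.10", 51.50, -0.12, "lap-1", True)
NEW_LAPTOP_LATE = LoginAttempt("sarah", _utc("2024-05-08T22:00:00"), "203.0.113.10", 53.48, -2.24, "lap-2", True)
SYDNEY_ONE_HOUR_LATER = LoginAttempt("sarah", _utc("2024-05-07T10:00:00"), "198.51.100.7", -33.87, 151.21, "phone-9", False)

if __name__ == "__main__":
    for attempt in (NORMAL, NEW_LAPTOP_LATE, SYDNEY_ONE_HOUR_LATER):
        print(attempt.device_id, evaluate(attempt, HISTORY, RISKY_IPS, KNOWN_DEVICES))
```

Two design choices carry over to a real policy: the decision is computed from the whole history, not just the previous login (so a single anomalous-but-approved login cannot reset "normal"), and the reasons are returned alongside the score so the System Log entry and the analyst's alert can say why a user was challenged.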
Okta Verify, the Okta mobile app, sends a push notification to the user's phone. One tap to approve. It also supports TOTP codes (6-digit rotating codes) as a fallback. A number challenge (the login screen shows a number the user must pick in the app) stops a user from blindly approving a push they did not initiate, which is exactly the reflex MFA fatigue attacks rely on.
Physical security keys (YubiKey, Google Titan) or passkeys kept in a device's secure enclave. Phishing-resistant by construction: the credential is scoped to the relying party's origin and the browser will only exercise it for that origin, so a look-alike login page, or a proxy kit relaying one, never receives a valid assertion. One caveat: synced passkeys (backed up through an Apple or Google account) are phishing-resistant but not device-bound; if a policy needs to prove which device signed in, require hardware keys or device-bound passkeys.
Via FastPass, Okta Verify, or WebAuthn — users authenticate with the biometric already on their device. The fingerprint or face scan never leaves the device; only a cryptographic proof is sent to Okta.
OTP (one-time passcode) sent via email or SMS. These are lower-assurance factors because of SIM swapping, telephone-network interception and mailbox compromise (NIST SP 800-63B classes out-of-band authentication over the public telephone network as restricted), but they are acceptable for low-sensitivity applications or as a fallback when other factors are unavailable.
Universal Directory (UD) is the data foundation of everything Okta does. Before understanding SSO or lifecycle management, you need to understand UD.
Okta connects to Active Directory (on-prem) via the lightweight AD Agent, to Microsoft Entra ID (formerly Azure AD) via federation, to LDAP directories via the LDAP Agent, to HR systems (Workday, SuccessFactors, BambooHR) as authoritative identity sources, and to any custom source via Anything-as-a-Source (XaaS). All users from all sources are imported into UD and given a single Okta identity.
Different systems can own different attributes; Okta calls this profile sourcing (formerly profile mastering). The HR system owns first name, last name, department, manager and job title. Active Directory owns username and groups. Okta UD itself owns MFA preferences. This prevents attribute conflicts: when Workday changes someone's department, UD updates, which pushes the change to all connected apps, and a stale value for that attribute arriving from AD is ignored because AD is not authoritative for it. Profile sourcing makes the right system authoritative for the right data.
UD isn't limited to standard attributes. Organizations can define completely custom attributes on user profiles — a "security clearance level," an "onboarding ticket number," whether a contractor agreement has been signed, their preferred language, their cost center code. These custom attributes can be used in group rules, access policies, and provisioning mappings.
Groups in Okta can be populated manually or via rules, conditions written in Okta Expression Language that automatically include users matching certain criteria. For example, user.department == "Engineering" AND user.countryCode == "US" puts everyone matching into the US-Engineering group. When an attribute changes (an employee transfers to a different department), group membership updates automatically, which in turn updates app access automatically.
A lightweight agent installed on a domain-joined Windows server that imports users and groups from Active Directory into Universal Directory. The agent opens no inbound firewall ports: it makes outbound HTTPS connections to Okta and long-polls for work. It handles scheduled and on-demand imports, just-in-time creation of users at first login, delegated authentication (forwarding password checks to a domain controller), and, if enabled, writing passwords or new users back to AD, so the sync is not strictly one-way. Because the agent's service account can read, and optionally write, your directory, the host and that account deserve the same hardening and monitoring as a domain controller. This allows organizations with existing AD investments to extend their identity into the cloud without replacing AD.
UD also stores device records (laptops, phones) and, increasingly, non-human identities: service accounts and now AI agents. This allows policies to be applied to non-human entities in the same way as to people. Register an AI agent in UD and assign it the least-privilege access it needs to do its job, just like a new employee.
Lifecycle Management (LCM) automates the complete access journey from day one to last day — the "JML" process that identity professionals call Joiner-Mover-Leaver.
HR adds the new hire in Workday. Okta detects the new record, creates their account in Universal Directory, adds them to the correct groups based on their department and role, and provisions accounts in every app they need — Slack, Zoom, Microsoft 365, GitHub, Salesforce — automatically. Day-one access is ready before they arrive.
An employee is promoted or transfers departments. HR updates Workday. Okta detects the attribute change, removes them from their old department groups (revoking apps they no longer need), adds them to their new department groups (granting new apps), and updates their profile across all connected systems — automatically, often before IT even knows about the change.
An employee's last day arrives. HR marks them as terminated in Workday. Okta deactivates their account in Universal Directory, which triggers deprovisioning across every connected app simultaneously: Slack, email, GitHub, VPN, all cloud apps. Access is revoked in minutes, not days. Okta's own sessions and tokens are revoked; whether the user stays logged in to an individual app depends on that app honouring the SCIM deactivation, SAML single logout, or Okta's Universal Logout, so verify each critical app's behaviour rather than assume it. With that done, the risk window of a departed employee retaining access closes within minutes.
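Profile sourcing, rule-based groups and the Joiner-Mover-Leaver flow above, as one added worked example (not Okta code): it rebuilds a user's profile from per-system records where each attribute has one authoritative owner, re-evaluates group rules written in a small subset of Okta Expression Language, and emits the grants and revocations a mover event implies. The attribute-ownership map, groups, app mappings and the sample Workday/AD records are assumptions; the stale department value planted in the AD record shows why ownership matters.

```python
"""Added example, not Okta code: profile sourcing, rule-based groups and the resulting
app-assignment diff for a Joiner/Mover/Leaver event. Rules use a small subset of Okta
Expression Language (user.<attr> == "<value>" joined by AND); the attribute-ownership map,
groups, app mappings and the sample profiles are assumptions."""
import re

# Which system is authoritative for which attribute (the profile-sourcing map).
ATTRIBUTE_SOURCE = {
    "firstName": "workday", "lastName": "workday", "department": "workday",
    "title": "workday", "countryCode": "workday",
    "login": "ad", "samAccountName": "ad",
    "mfaPreference": "okta",
}

GROUP_RULES = {
    "Engineering":    'user.department == "Engineering"',
    "US-Engineering": 'user.department == "Engineering" AND user.countryCode == "US"',
    "Sales":          'user.department == "Sales"',
    "US-Staff":       'user.countryCode == "US"',
}

BIRTHRIGHT_APPS = {   # group -> apps everyone in the group gets
    "Engineering": {"github", "jira"},
    "US-Engineering": {"ci-pipeline"},
    "Sales": {"salesforce"},
    "US-Staff": {"slack", "zoom"},
}

TERM = re.compile(r'user\.(\w+)\s*==\s*"([^"]*)"')


def merge_profile(sources):
    """Build one UD profile from per-system records, taking each attribute only from its owner.
    A value pushed by a non-authoritative system is ignored, which is what prevents conflicts."""
    profile = {}
    for attr, owner in ATTRIBUTE_SOURCE.items():
        record = sources.get(owner, {})
        if attr in record:
            profile[attr] = record[attr]
    return profile


def rule_matches(rule, profile):
    """Evaluate a conjunction of equality terms against a profile; reject any other syntax."""
    terms = TERM.findall(rule)
    leftover = TERM.sub("", rule).replace("AND", "").strip()
    if not terms or leftover:
        raise ValueError("unsupported rule syntax: %r" % rule)
    return all(profile.get(attr) == value for attr, value in terms)


def groups_for(profile):
    return {name for name, rule in GROUP_RULES.items() if rule_matches(rule, profile)}


def apps_for(groups):
    return set().union(*(BIRTHRIGHT_APPS.get(g, set()) for g in groups))


def lifecycle_diff(old_sources, new_sources):
    """Provisioning actions implied by a change in source records.
    old_sources=None models a joiner, new_sources=None a leaver."""
    old_apps = apps_for(groups_for(merge_profile(old_sources))) if old_sources else set()
    new_apps = apps_for(groups_for(merge_profile(new_sources))) if new_sources else set()
    return {"grant": sorted(new_apps - old_apps), "revoke": sorted(old_apps - new_apps)}


# Constructed sample: Sarah starts in Sales, then Workday moves her to Engineering.
SARAH_SALES = {
    "workday": {"firstName": "Sarah", "lastName": "Chen", "department": "Sales",
                "title": "Sales Rep", "countryCode": "US"},
    "ad": {"login": "sarah.chen@example.com", "samAccountName": "schen",
           "department": "Finance"},          # stale value that AD must not be allowed to win
    "okta": {"mfaPreference": "okta_verify"},
}
SARAH_ENGINEERING = {**SARAH_SALES,
                     "workday": {**SARAH_SALES["workday"], "department": "Engineering",
                                 "title": "Software Engineer"}}

if __name__ == "__main__":
    print("joiner:", lifecycle_diff(None, SARAH_SALES))
    print("mover: ", lifecycle_diff(SARAH_SALES, SARAH_ENGINEERING))
    print("leaver:", lifecycle_diff(SARAH_ENGINEERING, None))
```

The diff is the security-relevant output: a mover event is only safe if the revoke list is actually executed, and the most common real-world failure is a rule set in which old and new groups overlap so nothing is ever revoked. Run the diff against your own rules before trusting automated moves.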
SCIM (System for Cross-domain Identity Management) is the standard protocol Okta uses to provision and deprovision user accounts in connected applications. When Okta needs to create a user account in Salesforce, it sends a SCIM API call. When a user leaves, it sends a SCIM deactivation. Over 1,000 apps in the OIN support SCIM for automated provisioning. Apps that don't support SCIM can be handled via Okta Workflows.
Birthright access means every person in a given role automatically gets the apps and permissions they need as part of joining that role — without any IT ticket or manual approval. An engineer added to the Engineering group automatically gets GitHub, Jira, and the CI/CD pipeline. A salesperson added to Sales automatically gets Salesforce and LinkedIn Sales Navigator. Defined once, applied automatically forever.
Employees accumulate access over time — requesting tools they later stop using, retaining access from old roles during department moves. Okta Identity Governance runs periodic access reviews (certification campaigns) where managers are asked to review their team's app access and confirm or revoke it. This ensures access is current, intentional, and defensible for compliance audits.
Okta is built entirely on open standards. You don't need to understand the cryptographic details, but knowing these acronyms is essential for any identity practitioner.
The original enterprise SSO standard. XML-based. Okta can be either the Identity Provider (IdP) or Service Provider (SP). Dominant for enterprise SaaS apps like Salesforce, ServiceNow, and Workday. Uses signed XML assertions to prove identity. Widely supported but older and more complex than OIDC, and that complexity has a security cost: SAML libraries have repeatedly been caught validating the signature on one XML element while reading identity data from another (signature wrapping), so keep the SP's SAML library current and validate the IdP certificate, audience and validity window on every assertion.
The modern identity protocol. JSON-based and developer-friendly. Built on OAuth 2.0, adding an identity layer. Issues ID Tokens (signed JWTs) that carry user claims; the relying party must verify the signature against the keys at the IdP's published jwks_uri and check issuer, audience, expiry and nonce, pinning the expected algorithm rather than trusting the token's own alg header. Preferred for modern apps, mobile apps, and SPAs (with PKCE for public clients). Simpler to implement than SAML. Dominant in the Auth0/CIAM world and increasingly in enterprise Okta integrations.
The standard for delegated authorization — allowing apps to act on behalf of users without sharing passwords. Issues access tokens that grant permission to specific resources with defined scopes. Okta's API Access Management uses OAuth 2.0 to protect APIs. OIDC is built on top of OAuth 2.0.
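The checks an application must run on the signed assertion from step 4 of the SSO flow, in its OIDC form, as an added worked example (not Okta's or Auth0's code and not a library). Okta signs ID tokens with RS256 and publishes the public keys at the jwks_uri named in /.well-known/openid-configuration; to stay standard-library only, this example signs with HS256 under a shared secret, which OIDC also permits for confidential clients, so the key lookup by kid stands in for a JWKS fetch and the claim checks are identical either way. Issuer, client id, key id, secret and the sample claims are assumptions. The two tampered tokens at the end reproduce the classic alg=none and claim-editing attempts and show where the validator stops them.

```python
"""Added example, not Okta's or Auth0's code: the validation a relying party must perform
on an OIDC ID token (the OIDC form of the signed assertion in step 4 of the SSO flow).
Okta signs ID tokens with RS256 and publishes the verification keys at the jwks_uri
named in /.well-known/openid-configuration; to stay standard-library only, this example
signs with HS256 under a shared secret (which OIDC also permits for confidential clients),
so the key lookup by kid stands in for a JWKS fetch. The claim checks are the same either
way. Issuer, client id, key id, secret and the sample claims are assumptions."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.okta.com/oauth2/default"          # assumed authorization server
CLIENT_ID = "0oaexampleclientid"                             # assumed client_id (the audience)
EXPECTED_ALG = "HS256"
KEYS = {"kid-2024-a": b"constructed-shared-secret-do-not-reuse"}   # kid -> key, stand-in for a JWKS
MAX_SKEW = 60                                                # seconds of clock drift tolerated


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims, kid):
    """The IdP side (step 4): sign a claims set. Present only to make the example self-contained."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class InvalidToken(Exception):
    pass


def validate_id_token(token, expected_nonce, now=None):
    """The RP side (step 5): return the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
    except ValueError:
        raise InvalidToken("malformed token")
    # 1. Pin the algorithm and pick the key by kid; never let the token's own header choose
    #    the verifier (alg=none and RS256->HS256 confusion both start here).
    if header.get("alg") != EXPECTED_ALG:
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise InvalidToken("unknown kid")
    expected_sig = hmac.new(key, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise InvalidToken("bad signature")
    # 2. The token must come from our IdP and be addressed to this client.
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    # 3. Freshness.
    if claims.get("exp", 0) + MAX_SKEW < now:
        raise InvalidToken("expired")
    if claims.get("iat", now) - MAX_SKEW > now:
        raise InvalidToken("issued in the future")
    # 4. Replay protection: the nonce ties this token to the authorization request we sent.
    if claims.get("nonce") != expected_nonce:
        raise InvalidToken("nonce mismatch")
    return claims


def rejection_reason(token, nonce="n-7f3a", now=None):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, nonce, now)
        return None
    except InvalidToken as exc:
        return str(exc)


# Constructed sample token, plus two tampered variants an attacker might try.
NOW = 1_700_000_000
GOOD = issue_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-sarah", "name": "Sarah Chen",
                       "groups": ["Sales"], "iat": NOW, "exp": NOW + 3600, "nonce": "n-7f3a"},
                      "kid-2024-a")
_h, _c, _s = GOOD.split(".")
ALG_NONE = b64url(json.dumps({"alg": "none", "kid": "kid-2024-a"}).encode()) + "." + _c + "."
TAMPERED = _h + "." + b64url(json.dumps({**json.loads(b64url_decode(_c)), "groups": ["Admin"]}).encode()) + "." + _s
```

Swapping in Okta's real keys changes only the signature primitive: fetch the JWKS, select the entry whose kid matches, and verify RS256 with that public key, keeping the pinned-algorithm check so a token that says HS256 is refused rather than verified against the public key as if it were an HMAC secret.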
The standard for automated provisioning — Okta uses it to create, update, and deactivate user accounts in target applications over a REST API. Without SCIM, provisioning requires custom scripts or manual work. With SCIM, Okta can fully manage the user account lifecycle in any compliant application automatically.
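The service-provider side of the SCIM contract described here and in the Lifecycle Management section, as an added worked example that is not Okta's or any vendor's code. Okta first searches GET /Users?filter=userName eq "...", POSTs a new user only if nothing matched, pushes changes with PUT/PATCH, and deprovisions a leaver by setting active=false rather than deleting. The in-memory store below implements that contract without HTTP so the sequence can be exercised offline; the ids and sample user are constructed, and the joiner and leaver helpers replay the request sequence Okta issues.

```python
"""Added example, not Okta's or any vendor's code: the service-provider side of SCIM 2.0 as
Okta drives it. Okta first searches GET /Users?filter=userName eq "...", POSTs a new user
only if nothing matched, pushes changes with PUT/PATCH, and deprovisions by setting
active=false rather than deleting. This in-memory store implements that contract (without
HTTP) so the sequence can be exercised offline; ids and sample users are constructed."""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
EQ_FILTER = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')   # the only filter shape Okta needs for lookups


class ScimUserStore:
    """Each method returns (http_status, body) the way a /Users endpoint would."""

    def __init__(self):
        self.users = {}   # id -> resource

    def _find(self, attr, value):
        # userName is unique and compared case-insensitively (RFC 7643 section 4.1).
        return [u for u in self.users.values() if str(u.get(attr, "")).lower() == value.lower()]

    def list(self, filter_expr=None):
        """GET /Users[?filter=attr eq "value"]"""
        if filter_expr is None:
            matches = list(self.users.values())
        else:
            m = EQ_FILTER.match(filter_expr)
            if not m:
                return 400, {"status": "400", "scimType": "invalidFilter"}
            matches = self._find(*m.groups())
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches), "Resources": matches}

    def create(self, body):
        """POST /Users; a duplicate userName is a 409 uniqueness error, not a silent overwrite."""
        if not body.get("userName"):
            return 400, {"status": "400", "scimType": "invalidValue"}
        if self._find("userName", body["userName"]):
            return 409, {"status": "409", "scimType": "uniqueness"}
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), "active": True, **body}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, body):
        """PATCH /Users/{id}; Okta deactivates with a replace of active=false."""
        user = self.users.get(user_id)
        if user is None:
            return 404, {"status": "404"}
        if SCIM_PATCH not in body.get("schemas", []):
            return 400, {"status": "400", "scimType": "invalidSyntax"}
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return 400, {"status": "400", "scimType": "invalidValue"}
            if "path" in op:
                user[op["path"]] = op["value"]          # {"op":"replace","path":"active","value":false}
            else:
                user.update(op["value"])                # {"op":"replace","value":{"active":false}}
        return 200, user

    def delete(self, user_id):
        """DELETE /Users/{id}. Allowed by the spec, but deprovisioning should go through
        active=false so the record and its audit trail survive; keep hard delete for cleanup."""
        return (204, None) if self.users.pop(user_id, None) else (404, {"status": "404"})


def joiner(store, profile):
    """Okta's create sequence: look up by userName, POST only if absent. Re-running is safe."""
    _, listing = store.list('userName eq "%s"' % profile["userName"])
    if listing["totalResults"]:
        return listing["Resources"][0]
    _, user = store.create(profile)
    return user


def leaver(store, user_name):
    """Okta's deprovision sequence: resolve by userName, then PATCH active=false."""
    _, listing = store.list('userName eq "%s"' % user_name)
    if not listing["totalResults"]:
        return None
    _, user = store.patch(listing["Resources"][0]["id"],
                          {"schemas": [SCIM_PATCH],
                           "Operations": [{"op": "replace", "value": {"active": False}}]})
    return user


if __name__ == "__main__":
    store = ScimUserStore()
    sarah = joiner(store, {"userName": "sarah.chen@example.com", "externalId": "00u-sarah",
                           "name": {"givenName": "Sarah", "familyName": "Chen"}})   # constructed
    print("provisioned:", sarah["id"], sarah["active"])
    print("deprovisioned:", leaver(store, "sarah.chen@example.com")["active"])
```

Two details matter when you build the real endpoint: the lookup must be case-insensitive, or Okta's search misses an existing account and the POST returns a confusing 409; and active=false must actually cut the user's sessions and API keys in your application, because Okta's deprovisioning call is only as strong as what the app does with it.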
The protocol used to query and modify directory services. Okta reaches on-prem Active Directory through the AD Agent, which talks to domain controllers directly; other LDAP directories (OpenLDAP, Oracle Unified Directory) are connected as identity sources via the separate Okta LDAP Agent. Okta can also expose Universal Directory to legacy applications over LDAP through its LDAP Interface, so apps that only speak LDAP can bind against cloud identities.
Access management tells you who can get in. Identity Governance tells you who SHOULD have access, ensures they only have what they need, and proves it to auditors.
Okta can automatically generate access reviews — sending managers a list of every app their team members can access, and asking them to certify (keep), modify, or revoke each item. Reviews can be triggered on a schedule (quarterly), on events (someone changes roles), or for specific high-risk app groups. Results are tracked, timestamped, and exportable for compliance audits.
Instead of emailing IT for access to a new tool, employees browse an app catalog in their Okta dashboard and request access with a click. The request is automatically routed to the right approver (manager for low-sensitivity apps, manager + security for admin access). Approval grants the access via SCIM. The whole process is auditable, replacing the email trail with a structured workflow.
SoD rules prevent the same person from holding permissions that should never coexist — for example, someone who can both create purchase orders and approve them, creating a fraud risk. Okta OIG lets organizations define SoD policies, and any access request that would violate a rule is automatically blocked or flagged for special review before being granted.
Beyond "user has access to Salesforce," entitlement management controls what role within Salesforce — Marketing User, Sales Rep, Admin. Okta OIG can manage these fine-grained permissions directly for SCIM-connected apps, assigning specific roles, permission sets, and resource groups from the Okta console — with the same governance, approval, and certification process as app-level access.
Okta logs every event, with a timestamp and user context: every login attempt (successful or failed), every MFA challenge, every app access, every provisioning event, every policy change, every admin action. The System Log is queryable, filterable, and exportable. For SOC 2 audits, PCI-DSS assessments, or incident investigations, you can reconstruct exactly what happened and when. Retention in Okta itself is limited (90 days through the System Log API), so stream events to a SIEM via the API or Okta Log Streaming for longer retention and for detection rules that run across all your identity data.
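Two detections a SOC would run over the System Log, as an added worked example that is not Okta tooling: an MFA-fatigue detector (a burst of push notifications to one user followed by an approval, the pattern behind several recent breaches) and a password-spray detector (one source IP failing against many distinct accounts). The events are constructed in the System Log's JSON shape (eventType, outcome, actor, client, published); the event type strings are Okta's published names as best known and should be checked against your tenant's event catalog, and the window sizes and thresholds are assumptions.

```python
"""Added example, not Okta tooling: two detections run over System Log events pulled via
/api/v1/logs or streamed to a SIEM. Events below are constructed in the System Log's JSON
shape (eventType, outcome, actor, client, published); the event type strings are Okta's
published names as best known and should be checked against your tenant's event catalog.
Windows and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_OK = "user.authentication.auth_via_mfa"
SESSION_START = "user.session.start"

FATIGUE_WINDOW = timedelta(minutes=10)
FATIGUE_MIN_PUSHES = 4          # assumption: this many pushes inside the window is a burst
SPRAY_WINDOW = timedelta(minutes=15)
SPRAY_MIN_USERS = 5             # assumption: one IP failing against this many accounts


def ts(event):
    """System Log timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def detect_mfa_fatigue(events):
    """Alert when a user receives a burst of pushes and any are denied or one is finally approved."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        by_user[e["actor"]["alternateId"]].append(e)
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["eventType"] == PUSH_SENT]
        for i, first in enumerate(pushes):
            burst = [p for p in pushes[i:] if ts(p) - ts(first) <= FATIGUE_WINDOW]
            if len(burst) < FATIGUE_MIN_PUSHES:
                continue
            end = ts(burst[-1]) + FATIGUE_WINDOW
            in_window = [e for e in evs if ts(first) <= ts(e) <= end]
            denied = [e for e in in_window if e["eventType"] == PUSH_DENIED]
            approved = [e for e in in_window
                        if e["eventType"] == MFA_OK and e["outcome"]["result"] == "SUCCESS"]
            alerts.append({"rule": "mfa_fatigue", "user": user, "pushes": len(burst),
                           "denied": len(denied), "approved": bool(approved),
                           "approving_ip": approved[0]["client"]["ipAddress"] if approved else None})
            break   # one alert per user per burst
    return alerts


def detect_password_spray(events):
    """Alert when one source IP fails authentication against many distinct users in a window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["eventType"] == SESSION_START and e["outcome"]["result"] == "FAILURE":
            by_ip[e["client"]["ipAddress"]].append(e)
    for ip, fails in by_ip.items():
        for i, first in enumerate(fails):
            window = [f for f in fails[i:] if ts(f) - ts(first) <= SPRAY_WINDOW]
            users = {f["actor"]["alternateId"] for f in window}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "ip": ip, "users": len(users),
                               "reasons": sorted({f["outcome"].get("reason", "") for f in window})})
                break
    return alerts


def ev(event_type, user, ip, when, result="SUCCESS", reason=None):
    """Build a constructed System Log-shaped event."""
    outcome = {"result": result}
    if reason:
        outcome["reason"] = reason
    return {"eventType": event_type, "published": when, "outcome": outcome,
            "actor": {"alternateId": user, "type": "User"}, "client": {"ipAddress": ip}}


SAMPLE_EVENTS = (
    # attacker at 198.51.100.7 sprays one password across six accounts
    [ev(SESSION_START, "user%d@example.com" % i, "198.51.100.7", "2024-05-07T02:0%d:00Z" % i,
        "FAILURE", "INVALID_CREDENTIALS") for i in range(6)]
    # then, holding sarah's password, hammers her with pushes until one is approved
    + [ev(PUSH_SENT, "sarah@example.com", "198.51.100.7", "2024-05-07T02:1%d:00Z" % i) for i in range(5)]
    + [ev(PUSH_DENIED, "sarah@example.com", "198.51.100.7", "2024-05-07T02:12:30Z"),
       ev(MFA_OK, "sarah@example.com", "198.51.100.7", "2024-05-07T02:15:10Z")]
    # benign: bob logs in normally with a single push
    + [ev(PUSH_SENT, "bob@example.com", "203.0.113.10", "2024-05-07T09:00:00Z"),
       ev(MFA_OK, "bob@example.com", "203.0.113.10", "2024-05-07T09:00:08Z")]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS) + detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The approving IP is included in the fatigue alert on purpose: when the push that was finally accepted came from the same address that generated the spray, the two alerts tie together into one incident, and that is the moment to revoke the user's sessions and reset the factor rather than wait for a ticket.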
Okta Privileged Access extends governance to the most sensitive accounts — server SSH access, database logins, Windows admin accounts. Provides just-in-time (JIT) access (accounts are granted temporarily and automatically revoked after the session), session recording for audit purposes, Active Directory account password management and rotation, and break-glass emergency access with approval workflows.
Okta Workflows is a no-code/low-code automation platform built directly into Okta. It lets identity teams automate complex, multi-step processes that the standard lifecycle management can't handle out of the box.
Workflows are built visually in a flowchart-style canvas — no coding required. Connect event triggers to action cards using a drag-and-drop interface. Add conditional logic (if/else), loops, error handling, and delays. Each card represents one action: create user in an app, send an email, make an API call, check a condition, run a sub-flow. IT admins with no programming background can build powerful automations.
Any Okta event can trigger a workflow: user created, user deactivated, user added to group, MFA factor enrolled, password changed, login from new device, app assigned. External triggers via webhook or API are also supported. This means complex processes can be automated the moment the triggering event occurs — zero delay between an HR system update and the resulting access changes.
Workflows includes built-in connectors for 60+ external applications — Slack, ServiceNow, Jira, Salesforce, Box, DocuSign, Twilio, Google Workspace, and more. Each connector provides pre-built action cards (create ticket in ServiceNow, send Slack message, update Salesforce record) so Workflows can orchestrate processes that span Okta and external systems without custom API integration work.
Standard lifecycle management handles simple scenarios. Workflows handles the edge cases: a student who simultaneously becomes a teaching assistant; a contractor who converts to full-time; a user who needs temporary elevated access for a specific project; an employee on parental leave who should retain some access but have others suspended. These nuanced processes can be fully automated in Workflows.
Workflows can automatically export access reports to a SharePoint site every quarter, create and close ServiceNow tickets when access reviews are completed, send certification reminders to managers who haven't responded, and archive completed review results to a compliance repository — turning manual compliance documentation into an automated, auditable process.
Many organizations have business unit managers who need to manage their own team's app access without becoming full Okta admins. Workflows enables self-service delegation — a manager can approve/reject access requests, add their team members to specific groups, and run basic reports, all within a limited, role-appropriate interface, without IT involvement for every routine change.
Auth0 is Okta's platform for Customer Identity and Access Management (CIAM) — used by developers building applications to handle their end-users' authentication.
Workforce Identity (standard Okta) manages your employees' access to work apps: IT-driven, enterprise-focused, low user volume (hundreds to thousands). Customer Identity (Auth0) manages your customers' logins to your product: developer-driven, consumer-focused, massive scale (millions of users, unpredictable traffic spikes). Different tools, built for fundamentally different problems, sold by the same vendor.
Auth0's Universal Login provides a fully hosted, customizable login/signup page that developers can embed in their app in minutes. Handles registration, login, password reset, social login (Google, Apple, GitHub, Facebook), and MFA — all without developers building these flows themselves. Fully branded to match the product's design.
Auth0 provides pre-built social login integrations — users can sign up and log in with their existing Google, Apple, Microsoft, GitHub, LinkedIn, or Facebook accounts. No new password needed. Auth0 handles the OAuth dance with each provider and creates a unified user record in its database — critically useful for consumer apps where registration friction causes drop-off.
Auth0's newest capability — a complete authentication solution for AI agents. Developers can add enterprise-grade authentication, token management, async approvals, and fine-grained access controls to their AI agents with a few lines of code. When an AI agent needs to take an action (book a meeting, send an email) on behalf of a user, Auth0 handles the authorization flow securely — with human-in-the-loop approval capabilities.
Zero Trust is a security model built on one principle: "Never trust, always verify." Okta is the identity control plane that makes Zero Trust practical.
The traditional security model assumed that anything inside the corporate network was safe. Now, employees work from anywhere, apps live in the cloud, and attackers have proven they can get inside the network. Zero Trust abandons the idea of a "safe inside" — it verifies every access request regardless of where it comes from, using identity + device + context to make the decision.
Every access request, whether to an app, a server, an API or a file, passes through Okta's policy engine, which evaluates: Who is this? (Identity) Are they who they claim to be? (Authentication) Is their device healthy? (Device posture, via Device Assurance policies fed by Okta Verify and your MDM) Should they have this access? (Authorization via policy) Is this behavior consistent with their profile? (Continuous risk evaluation). Access is granted only when all checks pass.
Okta's device trust and Device Assurance policies draw on Okta Verify and MDM solutions (Microsoft Intune, Jamf, VMware Workspace ONE) to verify device health before granting access. Is the device enrolled in MDM? Is the OS up to date? Is disk encryption enabled? Is endpoint protection running? A user with valid credentials on an unmanaged personal laptop can be blocked or restricted to lower-sensitivity applications. (Okta Device Access is the related product for the desktop login itself: Desktop MFA and Desktop Password Sync.)
Traditional security checks identity at login and then trusts the session for hours. Okta Identity Threat Protection continuously re-evaluates risk throughout active sessions. If something changes mid-session — the IP address shifts to a known bad actor range, a threat intelligence feed flags the device, behavior becomes anomalous — Okta can terminate the session or force re-authentication without waiting for the next login.
Okta's Secure Partner Access and External Identity capabilities extend Zero Trust beyond employees to partners, contractors, and B2B customers — people who need access to some of your systems but aren't full employees. They get their own limited identity in Okta (or federate from their own identity provider) with access policies appropriately scoped to exactly what they need and nothing more.
From a two-person cloud IAM startup to the world's dominant identity platform.
Todd McKinnon (former SVP Engineering at Salesforce) and Frederic Kerrest co-found Okta in San Francisco with one thesis: as apps move to the cloud, every company will need a cloud-native identity platform to manage access. The traditional on-premises IAM solutions (CA, IBM, Oracle) can't adapt fast enough. Seed funding from Andreessen Horowitz and Sequoia Capital.
Okta launches its Workforce Identity product, starting with SSO and MFA. Early enterprise customers validate the cloud IAM concept. Okta differentiates on deep Active Directory integration (the AD Agent) — letting enterprises with existing AD investments extend into the cloud without ripping and replacing.
Okta goes public at $17/share, raising $187 million. The IPO validates the identity-as-a-service market. Okta accelerates growth, expands internationally, and begins building out its platform beyond SSO/MFA — adding Lifecycle Management, Universal Directory enhancements, and early API access management capabilities.
Okta expands its platform significantly — launching Advanced Server Access, Access Gateway (for legacy apps), and deepening its Zero Trust capabilities. The COVID-19 pandemic creates a massive tailwind as every organization scrambles to enable secure remote access. Okta's revenue accelerates sharply as the enterprise SSO/MFA market rapidly expands.
Okta acquires Auth0 for $6.5 billion in stock — the largest identity industry acquisition at the time. Auth0 brings developer-focused CIAM, the Auth0 identity platform, and a massive developer community. Okta now addresses both Workforce Identity (IT-driven) and Customer Identity (developer-driven) — completing its two-sided identity strategy.
In January 2022 the Lapsus$ extortion group compromised a contractor that staffed Okta's customer support (Sitel, which had acquired Sykes) and gained remote access to a support engineer's workstation. Okta's investigation found that a small number of customer tenants had been viewed, but the two-month gap before public disclosure did real damage to trust. A second support-system incident in late 2023, in which an attacker used a stolen credential to read support cases and lifted session tokens from HAR files customers had uploaded, prompted a broader security overhaul: tighter third-party and privileged access controls, hardening of Okta's own infrastructure, and the Secure Identity Commitment initiative announced in 2024.
Okta launches Okta Identity Governance (OIG) — moving from access management into the IGA space previously dominated by SailPoint and Saviynt. OIG adds access request workflows, access certification campaigns, and entitlement management to the Okta platform, allowing organizations to consolidate IAM and IGA on a single vendor.
Okta announces its vision of the "Identity Security Fabric" — a unified architecture integrating IGA, PAM (Privileged Access), ITDR (Identity Threat Detection and Response), and access management into one cohesive platform. Launches Okta Privileged Access, Identity Security Posture Management, Identity Threat Protection with Continuous Re-evaluation, and Okta for AI Agents to manage non-human identities at enterprise scale.
Okta certifications are well regarded in identity and security, and Okta skills appear in a large share of IAM job postings.
Every important Okta and identity management term from this guide, defined in plain English.