How does Smallstep integrate with Okta?
Frequently Asked Questions about Smallstep Device Identity with Okta
- What is Smallstep Device Identity, and how does it enhance security with Okta?
Smallstep Device Identity is a security solution that binds a cryptographic ID to a device's silicon, ensuring that only authorized, company-managed devices can access sensitive resources protected by Okta. It acts as an additional security factor during the login process, verifying the device's identity, in addition to the user's identity. This prevents access from unauthorized devices, even if user credentials have been compromised, and can even replace Okta Adaptive MFA.
- How does Smallstep's device authentication differ from using a YubiKey?
While a YubiKey verifies the identity of a person, Smallstep Device Identity verifies the device itself. A YubiKey can be used on any device, which creates a potential attack vector. Smallstep binds a cryptographic key to the device's hardware, making it non-exportable, which prevents attackers from using stolen credentials on unmanaged devices. This approach offers a higher level of assurance that only trusted devices are accessing sensitive data.
- Does using Smallstep Device Identity create a burden for end users?
No, Smallstep Device Identity is designed to be transparent to the user. Once a device is authorized, the user will not experience any additional prompts or interruptions at login when accessing resources protected by Okta. There are no additional keys to plug in or codes to enter because the silicon becomes the key.
- How does Smallstep integrate with Okta?
Smallstep integrates with Okta as an external Identity Provider (IdP) factor. It utilizes OpenID Connect (OIDC) flows for authentication and System for Cross-domain Identity Management (SCIM) for user and group synchronization. This allows Smallstep to communicate with Okta for device verification and automatically manage user provisioning within the Smallstep platform based on Okta group memberships.
- What are the key benefits of implementing Smallstep Device Identity with Okta?
Key benefits include:
- High-Assurance Device Checks: Ensures that only authorized devices can access sensitive resources.
- Non-Exportable Keys: Device authentication keys are bound to the device's silicon, preventing them from being moved to other devices and limiting attack vectors.
- Reduced Risk: Prevents access from compromised personal devices and malware attacks.
- Seamless User Experience: Adds security without requiring extra steps or credentials at login.
- Cost-Effective: Can serve as a replacement for Okta Adaptive MFA.
- Simplified Security: Makes it easier to reason about and mitigate attack vectors.
- What Okta configurations are required to integrate with Smallstep?
You need an Okta Super Administrator account, and an Okta Lifecycle Management Subscription. You also need to create two Okta groups: one for users who should have SSH access and another for users who should have sudo privileges. You'll then create an OIDC application in Okta, assign the relevant groups to the app, and install/configure the Smallstep application in Okta, ensuring that user and group provisioning is enabled. You also need an account on the Smallstep platform.
- What provisioning features does the Smallstep and Okta integration support?
The integration supports features like:
- Push Groups and New Users: New users created in Okta are created in Smallstep.
- Push Profile or Group Updates: Changes made to user profiles or group memberships in Okta are synchronized with Smallstep.
- Push User Deactivation: Deactivating a user in Okta also deactivates them in Smallstep, removing their access while preserving their data on managed hosts.
- Reactivate Users: User accounts can be reactivated in Smallstep from Okta.
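As an added illustration (not Smallstep's or Okta's own code), the following Python models the provisioning semantics listed above: a SCIM 2.0-style receiver that creates users, applies group pushes for the two Okta groups (one granting SSH access, one granting sudo), and treats deactivation as loss of access while the account record is kept. The group names, the `Directory` class and the exact event shapes are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed Okta group names; the FAQ only says "one group for SSH, one for sudo".
SSH_GROUP = "okta-ssh-users"
SUDO_GROUP = "okta-sudo-users"

@dataclass
class HostUser:
    username: str
    active: bool = True
    groups: set = field(default_factory=set)

    def can_ssh(self) -> bool:
        return self.active and SSH_GROUP in self.groups

    def can_sudo(self) -> bool:
        # sudo without a login is meaningless, so it also requires SSH access
        return self.can_ssh() and SUDO_GROUP in self.groups

class Directory:
    # Receives SCIM 2.0-style pushes from Okta and derives host access from them.
    def __init__(self):
        self.users = {}
    def post_user(self, scim_user: dict) -> HostUser:
        # "Push New Users": POST /Users
        user = HostUser(scim_user["userName"], bool(scim_user.get("active", True)))
        self.users[user.username] = user
        return user
    def patch_user(self, username: str, patch: dict) -> HostUser:
        # "Push User Deactivation" / "Reactivate Users": PATCH /Users/{id} with
        # {"op":"replace","value":{"active":false}}; record and groups are kept.
        user = self.users[username]
        for op in patch["Operations"]:
            if op["op"].lower() == "replace" and "active" in op.get("value", {}):
                user.active = bool(op["value"]["active"])
        return user

    def patch_group(self, group: str, patch: dict) -> None:
        # "Push Group Updates": PATCH /Groups/{id}; members are added with a
        # value list and removed with a path filter members[value eq "x"].
        for op in patch["Operations"]:
            if op["op"].lower() == "add":
                for member in op["value"]:
                    self.users[member["value"]].groups.add(group)
            elif op["op"].lower() == "remove":
                m = re.search(r'members\[value eq "([^"]+)"\]', op.get("path", ""))
                if m and m.group(1) in self.users:
                    self.users[m.group(1)].groups.discard(group)
```

A real receiver would authenticate the SCIM bearer token and persist state; this model only shows how access follows group membership and the active flag.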
- What type of systems and resources can be protected with Smallstep Device Identity?
Smallstep Device Identity can protect a wide range of resources, including:
- Financial data, code repositories, SSH servers, Personally Identifiable Information (PII), and other sensitive resources.
- Wi-Fi, VPN, ZTNA, public SaaS apps, internal web apps, and cloud APIs.
Smallstep provides access control for many types of systems, preventing unauthorized access even if user credentials are compromised.