Glossary

A

Activate: The action of sending an email to users in an Okta organization that instructs them to complete specific steps to activate their account.

Activated: Status that indicates users have followed the steps to activate their account. Until they do so, their status is Provisioned.

Adaptive multi-factor authentication (AMFA): Configure Okta policies for adaptive authentication challenges, and control access according to the level of risk a user presents at the moment of their login, based on user context such as location and device. (See also multi-factor authentication.)

Audit notes: Reason or ticket number for a Deep Link session to connect from ZeroTek to Okta. A useful record for auditing purposes.

Authentication policy: Per-application policy that verifies that users who try to access the app meet specific conditions and enforces special authentication/factor requirements based on those conditions.

Authenticator: The way a user verifies their identity in Okta. Sometimes referred to as a factor.

Authenticator enrollment policy: Controls how and when end users enroll in an authenticator.

B

Biometrics: Physical human characteristics like fingerprints, facial recognition, voice recognition, and so on, that are unique to an individual. Used for identification and access control.

Block list: Group of items that are not allowed. In the context of identity and access management, items in this list will be denied access to any object the list applies to. A block list could contain network zones, countries, IP addresses, employees, and so on.

Bring Your Own Device (BYOD): Bring Your Own Device refers to someone using a personal device (phone, tablet, computer) in a workplace setting. Device trust with ZeroTek lets you restrict Okta or app-level access to registered or managed devices in a BYOD scenario.

Bring Your Own License (BYOL): Bring Your Own License refers to Okta orgs where the Okta licenses were acquired through Okta or another third party, not ZeroTek. You must follow a special procedure to add an existing Okta organization to ZeroTek.

C

Customer: Entity for which you are providing identity and access management. Each customer contains one or more organizations, although most contain only one. (See also Okta Org and Organization.)

D

Deactivated: User status that indicates the user has been deprovisioned from all assigned applications, but they still exist in the system. Deactivation is the first step before deleting a user. Deactivated users consume an Okta license until they are deleted.

Deep Link account: A highly privileged user account that allows eligible ZeroTek users to SSO into customer Okta Admin consoles.

Deep Linking: ZeroTek feature that lets eligible ZeroTek users SSO into customer Okta Admin consoles from ZeroTek in a single click. Deep linking makes it easy to maintain ZeroTek as a control center for multi-tenant Okta management.

Device: Personal hardware (computer, phone, tablet) used to connect to a network. How you deal with devices is an essential component of identity and access management. (See also managed device and registered device.)

Device trust: A process that ensures that end users can access Okta-integrated applications only from trusted devices.

Duo authenticator: Duo is an authentication security platform. It is one of the authenticators you should avoid or use with caution. (See Authenticators – MSP best practices.)

Dynamic zone: Defines network perimeters based on location, IP address type, and autonomous system number (ASN). (See also IP zone.)

F

Factor: The way a user verifies their identity in Okta. Okta Identity Engine (OIE) terminology now primarily uses authenticator.

FIDO2 WebAuthn: Authenticator that lets you use a biometric method like fingerprint reading to authenticate. We recommend that MSPs configure the FIDO2 WebAuthn authenticator as a secondary authenticator for most users.

G

Global session policy: Defines who has access to Okta and how users gain access to Okta (additional authenticators, session length and idle time).

Google Authenticator: Google Authenticator authenticates time-based one-time passwords (TOTP). We do not recommend Google Authenticator for most users; however, it should still be an active authenticator in all Okta Orgs because it is part of how ZeroTek secures several service/admin accounts including the Deep Link account.

Group: Defines one or more users to whom you want to apply the same configuration. Groups drive Okta policy assignments and user provisioning. Policies and permissions assigned to a group flow automatically to the users who are members of that group. MSPs benefit from standardizing groups and group names.

Group-based licensing: The process of creating a group for each required license type to automatically assign the appropriate license level to members of that group.

Group rules: The criteria by which users are automatically assigned to groups in ZeroTek and Okta.

H

HR-as-a-master: One of the options for user mastery, where users are created in an HR system (Workday, UltiPro, BambooHR), then imported into Okta. The HR system is designated and configured as the single source of truth for users. ZeroTek generally recommends using an Okta-mastered strategy, but if an HR system exists, an HR-mastered strategy should be seriously considered. Reach out to ZeroTek Support ([email protected]) for further guidance.

I

Identity and access management (IAM): Policies and configuration for how users access their organization's resources (data, apps, files).

Identity provider (IdP): The system that manages digital identities, serving as the single source of truth for all users.

IP zone: Defines network perimeters based on individual IP addresses or address ranges. (See also dynamic zone.)

ImmutableID: A unique string attribute associated with a Microsoft 365 (M365, formerly Office 365) user. All M365 users must have the ImmutableID attribute populated with a unique string before import to Okta, or they will lose access to M365 apps when the Microsoft domain is federated with Okta.

L

Log Viewer: ZeroTek feature that lets you quickly access and search relevant Okta log events to support efficient troubleshooting without having to leave the ZeroTek interface.

M

Managed device: A device that is not only registered in Okta but also managed through an endpoint management tool such as Unified Endpoint Management (UEM) or Mobile Application Management (MAM) platforms. (See also registered device and device.)

M365-mastered: One of the options for user mastery, where users are created in Microsoft 365 (M365, formerly Office 365) and imported into Okta. M365 is designated and configured as the single source of truth for users. ZeroTek recommends using an Okta-mastered strategy.

MSP-Okta Integration account: Account that ZeroTek automatically creates whenever you create a new Okta org in ZeroTek. Required for the integration between ZeroTek and Okta to work, it is automatically assigned Okta Super Administrator privileges. This account consumes an Okta license and is useful for auditing.

MSP-Okta Infrastructure zone: A recommended network zone that identifies the dedicated IP address for ZeroTek services. The IP address is essential for secure communications between your MSP's instance of ZeroTek and all its connected Okta orgs.

Multi-factor authentication (MFA): Users must prove their identity in more than one way when they sign in. For example, Okta Verify and FIDO2 WebAuthn.

N

Network zone: A network zone is a configurable boundary that you can use to grant or restrict access in Okta to computers and devices based on the IP address that is requesting access.

O

OktaADAgent account: Account you should create manually when integrating an Okta Org with on-prem Active Directory.

Okta Integration Network (OIN): A catalog of over 8000 Okta-supported applications for integration with Okta.

Okta Lifecycle Management (LCM): The process of provisioning and deprovisioning a user's application access. Okta LCM does this primarily through Okta groups and group rules.

Okta-mastered: The recommended option for user mastery, where users are created in Okta (often from ZeroTek) and pushed to other identity directories.

Okta Object ID: An ID string that uniquely identifies an individual object in Okta, such as a user, group, or an Okta-integrated application. The ZeroTek Log Viewer lets you filter Okta system log events by Okta Object ID to display only events that were generated by a specific object or actions taken against that object.

Okta org: An Okta organization (org) contains all the resources associated with your Okta environment, including users, groups, applications, policies, and configurations. ZeroTek automatically provides an Okta license to you when you create an Okta org and add users. (See also organization.)

OktaRADIUS account: A service account you should create manually if your Okta org is integrated with on-prem AD and RADIUS.

Okta Super Administrator: User role with the highest Okta permissions. Super Admins have full management access.

Okta Verify: Okta Verify is a multi-factor authentication application. We recommend that MSPs use Okta Verify as the primary authenticator for most users.

On-prem AD-mastered: One of the options for user mastery, where users are created in on-prem Active Directory, then imported into Okta. ZeroTek recommends using an Okta-mastered strategy.

OpenID Connect (OIDC): An authentication protocol based on the OAuth 2.0 framework that you can use for secure single sign-on (SSO) with application integrations in the Okta Integration Network (OIN).

Organization: Represents a single identity directory. Also referred to as a tenant. (See also Okta org and tenant.)

P

Password: Authentication option. We recommend MSPs leave Password as an active authenticator but reserve its use exclusively for authenticating Okta user accounts with legacy systems that require passwords, such as RADIUS and on-prem AD-joined machines.

Password policy: Policy to configure password settings and apply them to specific groups.

Policy: Configuration and settings that you can apply to specific groups. (See also authentication policies, authenticator enrollment policies, global session policies, and password policies.)

Provisioned: User status for users who have been sent an Okta activation email but have not completed the activation process.

Provisioning rules: Rules related to user account information that help with setting up your identity and access management infrastructure.

R

Registered device: Any device with the Okta Verify authenticator app installed on it, through which a user has enrolled their Okta user account. (See also device and managed device.)

Risk score: Data-driven analysis that determines how likely a sign-in event represents malicious activity. When assessing risk level, Okta evaluates the IP address, behavioral information about the user, previous successful and failed sign-ins, and routing information, then assigns a risk level.

S

Secure web authentication (SWA): Technology Okta uses to provide single sign-on (SSO) for web applications that don't support federated protocols like SAML, OpenID Connect (OIDC), or Web Services Federation (WS-Fed).

Security Assertion Markup Language (SAML): Authentication standard for exchanging identity data between two entities.

Service account: User account dedicated to non-human, non-interactive logins by things like Windows services or applications, which allows the associated services/applications to run. An Okta service account is set up for services to use. (See also MSP-Okta Integration account, Deep Link account, OktaADAgent service account, and OktaRADIUS service account.)

Staged: User status that indicates users have been created but not yet sent an activation email. Appears when an admin chooses not to send an activation email automatically.

Suspended: User status that indicates a user has been blocked from accessing Okta, but all of their settings and assignments are saved so that they can be reinstated if you later unsuspend the user.

System Access: Area in the ZeroTek UI that provides global visibility for user and group access permissions. Managing user and group access from the System Access area can negatively affect critical configurations set up during onboarding. This area is designed for outlier and advanced use cases.

T

Tenant: Generic term for an organization, which in ZeroTek is typically an Okta org. The terms tenant and organization are often used interchangeably in the context of ZeroTek's multi-tenant platform. (See also organization.)

Time-based one-time password (TOTP): Algorithm that generates a unique password for use only once during a limited time period.

Tor: Open-source software used to enable anonymous communication and hide the location of end users, which can be used to circumvent geofencing.

Tor anonymizer proxy: Tool to obfuscate the user's IP address and support anonymous online activity. ZeroTek recommends configuring a network zone to block any IP address that is a Tor anonymizer proxy.

U

User mastery: A strategy to designate and configure a system as a single source of truth, becoming the only place users are created, updated, and deactivated. Options include Okta-mastered, On-prem AD-mastered, M365-mastered, and HR-as-a-master. ZeroTek generally recommends using an Okta-mastered strategy.

V

Verify Caller Identity: ZeroTek caller verification uses the Okta Verify authenticator app so you can issue an MFA challenge to a user's phone to make sure the person calling for assistance is who they say they are.

W

Workflow connector: A way to create flows to third-party applications.

WS-Fed: Web Services Federation (WS-Fed) is an XML-based protocol used for Single Sign-On (SSO). It is part of the Web Services Security framework.

Y

YubiKey OTP: An authentication security platform. It is one of the authenticators you should avoid or use with caution. (See Authenticators – MSP best practices.)

Z

ZeroTek Audit: Feature to review ZeroTek log event information for all create, update, and delete actions taken by all ZeroTek users across all customers.
Is there a term you'd like to see defined here? Email [email protected] with your request.