FAQ: Is Password Firewall Compatible with Okta?

The Short Answer


The Longer Answer

Customers of Okta’s Identity and Access Management (IAM) platform that also have an on-premise Active Directory link the two directories using Okta’s DC Agent, which employs a technology Okta dubs Delegated Authentication. When a user authenticates to Okta, either at its web portal or via a Federated authentication connection, the username and password they supply are not verified against the Okta directory. Instead, Okta takes the supplied username and password and immediately checks them against the on-premise Active Directory via the DC Agent connection registered in the Okta tenant. As a result, there is no permanently stored (and synchronized) password at Okta. Rather, Okta temporarily remembers the password that the end-user supplied during the login process (after the on-premise Active Directory confirms the values are correct). Okta applications can then use this remembered password in future third-party application authentications.

A similar process occurs when an Okta user changes their password. Since there is no permanently stored password for the end-user in Okta, the newly chosen password is pushed down to the on-premise Active Directory for storage. However, the new password must meet the on-premise Active Directory password policy in order for the password change to succeed. Since Password Firewall operates as an extension to the normal Active Directory password policy, any Password Firewall checks must also pass.

This means that when end-users update their password in the Okta portal, those passwords are still scrutinized by Password Firewall. This is a good thing, because Okta becomes the central authentication hub of all cloud services for companies. Successful logins to Okta provide significant access to other third-party applications, so passwords in use at Okta need to be strong and must not be passwords that have already been leaked in a public data breach.
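The flow described above can be modeled in a few lines. This is an added example, not code from Okta or Password Firewall: the class and function names, the simplified complexity rule, and the two-entry breached list are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: SHA-1 digests standing in for a breached-password list.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Password1!", "Summer2024!")}

def ad_policy_ok(password, min_length=8):
    """Simplified domain policy: minimum length plus 3 of 4 character classes."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= min_length and sum(classes) >= 3

def breach_filter_ok(password):
    """Hypothetical policy extension: reject passwords present in the breached set."""
    return hashlib.sha1(password.encode()).hexdigest() not in BREACHED_SHA1

def _verifier(user, password):
    # Model-only storage format; the real directory uses its own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

class OnPremDirectory:
    """The only place a password verifier is stored."""
    def __init__(self):
        self._store = {}

    def seed(self, user, password):
        self._store[user] = _verifier(user, password)

    def verify(self, user, password):
        stored = self._store.get(user)
        return stored is not None and hmac.compare_digest(stored, _verifier(user, password))

    def change_password(self, user, new_password):
        if not ad_policy_ok(new_password):
            return False, "rejected: domain password policy"
        if not breach_filter_ok(new_password):
            return False, "rejected: breached password"
        self._store[user] = _verifier(user, new_password)
        return True, "accepted"

class DelegatingIdP:
    """Cloud identity provider that keeps no password store of its own."""
    def __init__(self, directory):
        self.directory = directory

    def login(self, user, password):
        return self.directory.verify(user, password)

    def change_password(self, user, old, new):
        if not self.directory.verify(user, old):
            return False, "rejected: bad credentials"
        return self.directory.change_password(user, new)
```

A password such as `Password1!` satisfies the complexity rule but is still refused at the directory, and the identity provider simply relays that refusal because it has no separate policy path.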

The Final Answer

Password Firewall for Windows prevents use of bad passwords and is a great way to protect your Okta-enabled end-users.