Oktane-2016 conference notes


I attended Octane 2016 conference in Las Vegas in last week of August. Since this was
my first okta conference, I was not aware of what is coming. Overall it went okay
however I expected a lot from an Identity conference. I thought most of the sessions
were targeted towards IT use case of Okta and not the SSO federation.

Here are rough notes and learning’s from the different sessions I attended.

As per the keynote, Okta is focussing on following things to support different
partners needs.

  • Planning to support integration with following for seamless SSO / Auth experience
    • Apigateways - apigee, mulesoft
    • Mobile Dev Platforms - adobe, korny
    • Horizontal Portals
    • File Sync / Share - Box,
    • App Proxies - f5, netscaler, paloalto
    • CRM Solutions
    • Content Management
    • Legacy Identity Providers
  • Shared API access management Roadmap. Okta is planning to invest more on oauth, OIDC capabilities
  • Adaptive risk engine for B2C
  • Expanded API’s and SDK’s for embedding MFA into custom apps
  • Register and Store Identities
    • Registration as a service
    • Delegated Administration for B2B partners
    • Support for 3rd Party directories
  • Customization
    • Custom Outbound email domains
      • Whitelisting
    • Difficult to implement but have not started
    • There are some roadblocks around SSL pinning
    • Okta has to get in the business to manage the certs
    • Who will be the root of Cert
  • WebHooks
    • Simple call out based integration to 3rd party apps

Building a tailored custom authentication experience


  • Principal Engineer: Jose Fernandez
  • Brown-forman and Clay

Use Case / Problem statement

  • They integrated Okta Sign in widget into their website.
    • When user logs in first time, users can register their device
    • They are using okta verify
    • Was able to see device registration flow’s
  • They are using Okta’s user login lifecycle
    • They used active directory to resolve okta user name
    • They are using mongodb as session storage to store user info
    • They were using session storage and polling to sign into different applications
  • Okta has an option where we can set up custom login based on the application and that will be get request with relaystate. If you register the app and associate with IDP, it will be post request with relaystate attribute
  • Had to handle X-forwarded-for
  • Addressed OWASP top 10 cases.

Securing apps using in app browser pattern

  • Presented by google engineers
  • In App Browser Tabs pattern
    • Running in a separate process and hence secure
    • It cants read cookies or inspect contents
    • Shared cookie state Ex. Gmail
  • iPhone Native App - SafariViewController
    • Windows phone - Edge
    • Most devices support in-app browser tabs today. Web view is more outdated pattern.
    • Google is ending support for oauth in web view
  • Authorization server requirements for AppAuth
    • Support custom uri-custom scheme redirect uri
    • Support PKCE

Key Takeaways

  • Okta expanding its offerings to support different business segments.
  • Google is releasing AppAuth - oauth client libraries for apps, see more at
  • Companies moving towards Contextual access management

If there is one thing, I would have liked more in the conference, it would have been
adding more dev sessions showcasing different architectures people are using Okta for

Hope to join Okta 2017! Till then, keep learning!