<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Stored Information of Okta Agents
Mar 24, 2025
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article addresses what information is stored in Okta Agents installed on local servers.

Applies To
  • Service Account credentials
  • Okta Agent
  • Local server
Solution

Credentials

Okta Agents installed on local servers store service account credentials in generally the same manner across all Agents and Operating Systems.

Windows Servers

During installation, service account credentials are stored in the Windows Security Account Manager (SAM), not in the Agent installation. This is true for all Windows Agents except the Okta LDAP Agent for Windows, which uses the same process as the Okta LDAP Agent for Linux.

Linux Servers

During installation, service account credentials and OAuth encryption key information are stored in a Java Keystore bound to the installation and only accessible by the service account.

For the Okta LDAP Agent for Windows, the Java Keystore is bound to the installation and accessible by the local Administrators group.

 

Tokens

Communication between local Okta Agents and Okta servers uses OAuth 2.0 Demonstrating Proof of Possession (DPoP), which is refreshed regularly. The public and private keys are salted, hashed, and encrypted in an Agent configuration file stored locally on the server.

 

The DPoP token is sender-constrained and device-bound, meaning that the Agent itself is registered as an Okta-managed device and can only communicate from the server in which it is installed

Sequence diagram that displays the communication between the client, authorization server, and resource server for Demonstrating Proof-of-Possession

In Windows Agents, the RSA key pair is encrypted and bound to the Agent service account using the Windows Data Protection API (DPAPI).

In Linux Agents, the RSA key pair is encrypted and bound to the Agent service account using the Java Keystore.

 

Logs

Okta Agent stores rolling log files to assist in troubleshooting issues that may arise. These files may contain local server hostnames, IP addresses, usernames, group names, or email addresses. If logs are saved in "verbose" or "debug" mode, additional information may be stored, such as profile attributes and group attributes. These files are overwritten as needed to keep the Agent footprint to a minimum.

 

Related References

Recommended content

Still looking for help?
Loading
Stored Information of Okta Agents