<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
TLS and the Okta Provisioning Agent
Sep 17, 2025
Lifecycle Management
Okta Identity Engine
Overview

The Transport Layer Security (TLS) v1.2 protocol is required to install the Linux and/or Windows Okta Provisioning Agent. This protocol is one of the prerequisites for installing the Okta Provisioning Agent (OPP) agent. 

Applies To
  • On-Premise Provisioning
  • Okta Provisioning Agent (OPP)
  • Linux OS
  • Windows OS
Solution

Okta supports on-premises provisioning when it is implemented by Okta Professional Services or a Certified Partner.

 

On-premises provisioning only supports the SCIM 1.1 specification.
 

Prerequisites

To implement Okta on-premises provisioning, Admins need the following:

  • The Okta Provisioning Agent is installed on a Windows or Linux server.
  • A SCIM server will process the provisioning requests sent by the Okta Provisioning Agent. The SCIM server can be the connector built using the Okta Provisioning Connector SDK or an Admin's own program that can process SCIM based REST calls.
    • The Okta Provisioning Connector SDK package contains an example connector that can be used to test on-premises provisioning and to help build its own connectors. Do not attempt to use the example connector without modifying it for deployment.
  • The Transport Layer Security (TLS) v1.2 protocol for Linux and Windows.
  • For high-availability on-premises provisioning, Admins must install an additional Okta Provisioning Agent and SCIM connector on another server. They must start the Okta Provisioning Agent, configure the SCIM connector, and enable provisioning on the Admin's backup server. If an Admin's primary server is unavailable, the Okta Provisioning Agent and the processes run by the SCIM connector continue to operate.

The Transport Layer Security (TLS) v1.2 protocol is required to install the Linux and Windows Okta Provisioning Agent.

Linux

To enable TLS version 1.2, Admins must access the Java Control Panel to change the JRE.

  1. Download and install the Okta Provisioning Agent. See Install the Okta Provisioning Agent.
  2. Navigate to …/opt/OktaProvisioningAgent/conf/settings.conf.
  3. In settings.conf, change the arguments passed to the agent by adding:

    Dhttps.protocols=TLSv1.2 to JAVA_OPTS.

    JAVA_OPTS="-Xmx4096m -Dhttps.protocols=TLSv1.2

Windows

TLS version 1.2 is enabled by default on most Windows systems.

Systems running earlier versions, such as Windows Server 2012 (non-R2), may not have TLS 1.2 enabled. To enable TLS 1.2 on those systems, see How to enable TLS 1.2.

 

Related References

Recommended content

Still looking for help?
Loading
TLS and the Okta Provisioning Agent