An error occurred:

Okta Identity as a Service (IDaaS) STIG Version Comparison

Okta Identity as a Service (IDaaS) Security Technical Implementation Guide

Comparison

There are 5 differences between versions v1 r1 (April 22, 2025) (the "left" version) and v1 r2 (Jan. 5, 2026) (the "right" version).

Check OKTA-APP-003240 was added to the benchmark in the "right" version.

This check's original form is available here.

Text Differences

Title

Okta API tokens must be configured with Network Zones to restrict authorization from known networks.

Check Content

From the Admin Console: 1. Select the "Security" menu, and then click the "API" item. 2. Click the "Tokens" tab. 3. For each token listed, click the token name link. 4. In the "Security" section, verify the "Token can be used from" setting is mapped to a known network zone for the application calling the API. If a network zone for each API access token is not defined, this is a finding.

Discussion

An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens. API tokens have the potential to be replicated or stolen (just like a password). Because of this, it is important to only allow API tokens to authenticate from known IP ranges as this limits an adversary's ability to use a token to gain access.

Fix

From the Admin Console: 1. Select the "Security" menu, and then click the "API" item. 2. Click the "Tokens" tab. 3. For each token listed, click the token name link. 4. In the "Security" section, click "Edit". 5. Set the "Token can be used from" setting to the known network zone for the application calling the API. 6. Click "Save".