How ZeroTek works with Okta – key concepts

This article summarizes the key concepts that underpin how ZeroTek and Okta work together. It is useful background for anyone new to the platform.


The basic model

In ZeroTek, each customer has its own Okta organization. You select the customer's org when you want to manage their users, groups, and applications. Actions you perform in ZeroTek execute immediately in Okta — ZeroTek is not a separate layer that syncs periodically; it is deeply integrated with Okta in real time. This means ZeroTek functions as a true single pane of glass: one place to manage all your customers' Okta environments without switching between consoles.

Common tasks and troubleshooting

You can perform common Okta tasks — like password or token resets, application assignments, and user creation — directly from ZeroTek. Audit logs supplement data pulled from Okta system logs to support efficient investigation and resolution of user issues.

Groups and policies

Okta policies, which govern things like authenticator enrollment, session settings, and authentication requirements, are driven by group membership, as is provisioning. Understanding and using Okta groups effectively is essential to running efficient, consistent operations across your customers.

Okta Lifecycle Management (LCM) and group-based licensing

Okta Lifecycle Management (LCM) makes it easy to automate user provisioning and deprovisioning for 800+ apps, primarily through Okta groups and group rules. LCM also supports group-based licensing: for Okta-integrated cloud apps that support this capability, adding a user to a group automatically assigns them the relevant license. Removing them from the group removes the license.

Example: You configure a group rule so that any user with Department = "Marketing" is automatically assigned to a "Users – Marketing" group. Policies for that group then automatically:

  • Assign a license and SSO access to apps the marketing team uses — Salesforce, Zoom, Canva — without manually creating accounts and credentials for each.

  • Require FIDO2 WebAuthn (biometrics) for all logins outside the customer's office IP range, enforced through a global session policy and network zones.
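
The following is an added example, not ZeroTek or Okta code. It models the Marketing example above as an audit check that compares what the group rule implies with actual membership, and evaluates the outside-the-office WebAuthn condition. The record layout, function names, sample users, and office range (203.0.113.0/24) are constructed assumptions.

```python
import ipaddress

# Constructed sample data; this is not an Okta or ZeroTek export format.
OFFICE_ZONE = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office range
GROUP = "Users – Marketing"

USERS = [
    {"login": "ana@example.com", "department": "Marketing", "groups": {GROUP}},
    {"login": "bo@example.com", "department": "Marketing", "groups": set()},
    {"login": "cy@example.com", "department": "Finance", "groups": {GROUP}},
    {"login": "di@example.com", "department": "Finance", "groups": set()},
]

def rule_matches(user):
    """The group rule from the example: Department = "Marketing"."""
    return user.get("department") == "Marketing"

def membership_drift(users, group=GROUP):
    """Compare what the rule implies with actual group membership.

    'missing': matches the rule but is not in the group, so lacks the
               licences and policies the group carries.
    'stale':   in the group without matching the rule (manual add or
               leftover), so keeps app access the rule would not grant.
    """
    missing, stale = [], []
    for u in users:
        in_group = group in u["groups"]
        if rule_matches(u) and not in_group:
            missing.append(u["login"])
        elif in_group and not rule_matches(u):
            stale.append(u["login"])
    return {"missing": missing, "stale": stale}

def requires_webauthn(user, source_ip, group=GROUP, zone=OFFICE_ZONE):
    """Session-policy condition from the example: group members logging in
    from outside the office network zone must use FIDO2 WebAuthn."""
    if group not in user["groups"]:
        return False  # this policy is scoped to the group only
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in zone)

if __name__ == "__main__":
    print(membership_drift(USERS))
    print(requires_webauthn(USERS[0], "198.51.100.7"))
```

Users reported as stale are the ones to review first, since they hold licences and SSO access that the rule alone would not have given them.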

User mastery

User mastery refers to which system is designated as the authoritative source of user identity data — the "single source of truth." The main options are:

  • Okta-mastered — Users are created in Okta (or in ZeroTek, then pushed to Okta) and pushed to other systems

  • On-premises AD-mastered — Users are created in on-premises Active Directory, then imported into Okta

  • M365-mastered — Users are created in Microsoft 365 and imported into Okta

  • HR-as-a-master — Users are created in an HR system (Workday, UltiPro, Bamboo HR) and imported into Okta

Learn about the benefits and trade-offs of each approach in user mastery.

BEST PRACTICE

ZeroTek strongly recommends Okta-mastered deployments for all customers. The biggest payoff for MSPs comes from making ZeroTek your single pane of glass and Okta your single source of truth for user identity — enabling you to deliver a standardized, high-quality IT experience across all customers, more efficiently. In rare cases a customer may require a different user mastery strategy; see user mastery or reach out to ZeroTek Support (support@zerotek.com) for guidance.
