FAS ID Onboarding

The primary point of contact for FAS ID onboarding within GSA is fasidadmins@gsa.gov. Please refer to the contacts below as needed.

Note: Please contact fasidadmins@gsa.gov if you are having any difficulties accessing the documents referenced on the FAS ID Onboarding page.

In 2021, GSA CIO Order 2183.1 Enterprise Identity, Credential and Access Management Policy was issued, which consolidated existing GSA ICAM Policies and delegated assignments for governance responsibilities. This policy requires that all new or modernizing applications have their Authentication & Authorization solutions reviewed and approved by the ICAM Shared Services Portfolio. ICAM is working on formally integrating this process into various existing operational structures (e.g. IT Standards submissions). The scope for new or modernizing applications includes:

• Authentication for GSA users / federal partners / vendors / consumers
• New solutions for identity or access governance

At this time we request that any new or modernizing application team complete the ingest form for review. Upon internal review of the form submission, we will reach out to set up a meeting with the application stakeholders and team. The ingest form can be found at the following link:

ICAM Ingest Form

A CCB request is required to deploy your application into the production environment. Please submit your requests to the FAS ID Okta CCB at least 2 weeks prior to your planned Production deployment date to allow the Okta admins enough time to review your submission package.

1. Review FAS ID Guard Rails
2. Submit your CCB request
1. CCB Request Form: FAS Okta Change Control Board Request Form
2. CCB Schedule: Tuesdays 11:30am - 12:00pm
3. Will you be loading or migrating a large group of users that will have an impact on the Okta Rate Limits?
1. An Okta admin can create an API rate limit increase request (ticket via the Okta admin console) to load Okta users
2. This must be submitted to Okta from GSA at least 14 business days prior to Go-Live.
3. Please review API enterprise rate limits: Okta Rate Limits
3. Prior to Production Go-Live:
1. Ensure you have FAS ID Okta CCB approval
2. Ensure all application specific security documents and reviews are completed and approved
3. Ensure all application specific help desk manuals are updated
4. Ensure testing has been completed in the shared test org https://test-fas.oktapreview.com
1. Test scenarios link: Shared TEST Scenarios Sample
5. Have a deployment plan
1. Pre-deployment
2. Deployment
3. Post-deployment
4. Backout
6. Submit ServiceNow requests for Okta Admin Production accounts
7. Submit FCS JIRA Service Ticket to obtain FCS Account for Splunk Logs
8. Do you need to add your helpdesk information to the Okta Automated Email Templates? Please provide the email templates you want to edit and Help Desk information in your Configuration document

1. Dev Environment Setup
1. Email fasidadmins@gsa.gov for a new Okta development environment.
2. Test Environment Setup
1. Once you have your application running in your development environment and are comfortable with your configurations, please reach out to fasidadmins@gsa.gov to get access to the shared environment https://test-fas.oktapreview.com
3. Production Environment Set Up
1. Please submit a GSA ServiceNow request to obtain Admin access
1. Service Catalog->New Account or Access Requests->FAS Okta MFA Administrator Account
1. Routed to User’s Supervisor → FAS Okta Admin
2. FAS Okta Admin will complete the ticket and mark it “Closed”. They will inform the new user that their ticket is complete
2. Super Admin access is limited to 7 business days to allow your admins to set up your applications in Production
1. Please provide your plan to handle Administrators for your application in your Configuration Document; Super Admin will be unavailable after initial application setup/deployment: please refer to the Okta Admin types documentation located here
1. For Example: My FAS application will have 3 administrators. Each administrator will need to have Group Admin for Group Name & App Admin for App Name. We will have a separate Okta User Group that contains our application administrators called ‘FAS App Okta Admins’

1. Application settings related to Advantage can be shared out on request.
1. Okta configurations for Advantage: Advantage Okta Config

1. See link provided by the GSA Security:
1. GSA Okta Security Document
2. Okta SSP Controls provided by Security Engineering (CRM): OKTA CRM Tailoring
2. Additional requirements to adhere to:
1. Oauth flows should adhere to Authcode + PKCE.

1. Okta will only store system logs for 90 days. You will need to go to Splunk to review logs older than 90 days.
2. Okta Splunk integration is complete. You will need to ensure your SSP is updated. Account requests will need to be put in for teams. Also, per the email from FCS-ISSO, please update your SSP:
1. In accordance with GSA Security requirements and TEP Activities I am providing the team the link to the Splunk Tenant responsibility statements. Any Tenant leveraging Splunk services from FCS is required to incorporate these statements into their SSP. These statements should be communicated to all ISSO's that are leveraging Okta within their system boundaries. The respective controls that need to be updated are called out in the summary linked below.
1. Splunk CRM
3. Each developer must have an FCS Account to access Splunk, which can be requested here.
4. Each developer must submit an FCS JIRA ticket to have Splunk added to their FCS Account
5. Okta-Splunk Queries
1. Sample Splunk Queries (The FAS ID Admins can be contacted at fasidadmins@gsa.gov for access to the document.)
6. Okta integrates with GSA Enterprise logging via AWS EventBridge

1. Custom Solution is implemented for federal users in Advantage and eBuy
2. Will be added as standard capability to Okta OIE in FY2024