FAS ID Onboarding

FAS-ID (Okta) serves as the primary Multi-Factor Authentication (MFA) option for external IQ system users. It provides a unified identity for buyers and vendors interacting with multiple FAS systems. FAS-ID (Okta) also administers identity proofing for FAS-IT customer system access. Internal users within FAS-IT should refer to the primary authentication mechanism, SecureAuth. This page describes the high-level process of onboarding your application to FAS ID.

Introduction & Overview

The four sections below cover each step involved in the process of onboarding an application to FAS ID. For other information on relevant FAS standards for Identity and Access Management solutions on the Playbook, visit the Identity and Access Management (IAM) page. The Security and Compliance page, including the GSA IT Resources section, may also be helpful for teams onboarding new applications to FAS ID.

The primary point of contact for FAS ID onboarding within GSA is fasidadmins@gsa.gov. Please refer to the contacts below as needed.

Note: Please contact fasidadmins@gsa.gov if you are having any difficulties accessing the documents referenced on the FAS ID Onboarding page.

Name | Email | Role
ICAM | icam-portfolio@gsa.gov | ICAM
FAS Okta CCB | fasidadmins@gsa.gov | GSA Admin
Julie Madan | julie.madan@okta.com | Okta Customer Success Manager

In 2021, GSA CIO Order 2183.1 Enterprise Identity, Credential and Access Management Policy was issued, which consolidated existing GSA ICAM Policies and delegated assignments for governance responsibilities. This policy requires that all new or modernizing applications have their Authentication & Authorization solutions reviewed and approved by the ICAM Shared Services Portfolio. ICAM is working on formally integrating this process into various existing operational structures (e.g. IT Standards submissions). The scope for new or modernizing applications includes:

  • Authentication for GSA users / federal partners / vendors / consumers
  • New solutions for identity or access governance

At this time we request that any new or modernizing application team complete the ingest form for review. Upon internal review of the form submission, we will reach out to set up a meeting with the application stakeholders and team. The ingest form can be found at the following link:

ICAM Ingest Form

A CCB request is required to deploy your application into the production environment. Please submit your requests to the FAS ID Okta CCB at least 2 weeks prior to your planned Production deployment date to allow the Okta admins enough time to review your submission package.

  1. Review FAS ID Guard Rails
  2. Submit your CCB request
    1. CCB Request Form: FAS Okta Change Control Board Request Form
    2. CCB Schedule: Tuesdays 11:30am - 12:00pm
    3. Will you be loading or migrating a large group of users that will have an impact on the Okta Rate Limits?
      1. An Okta admin can create an API rate limit increase request (ticket via the Okta admin console) to load Okta users
      2. This must be submitted to Okta from GSA at least 14 business days prior to Go-Live.
      3. Please review API enterprise rate limits: Okta Rate Limits
  3. Prior to Production Go-Live:
    1. Ensure you have FAS ID Okta CCB approval
    2. Ensure all application specific security documents and reviews are completed and approved
    3. Ensure all application specific help desk manuals are updated
    4. Ensure testing has been completed in the shared test org https://test-fas.oktapreview.com
      1. Test scenarios link: Shared TEST Scenarios Sample
    5. Have a deployment plan
      1. Pre-deployment
      2. Deployment
      3. Post-deployment
      4. Backout
    6. Submit ServiceNow requests for Okta Admin Production accounts
    7. Submit FCS JIRA Service Ticket to obtain FCS Account for Splunk Logs
    8. Do you need to add your helpdesk information to the Okta Automated Email Templates? Please provide the email templates you want to edit and Help Desk information in your Configuration document

  1. Dev Environment Setup
    1. Email fasidadmins@gsa.gov for a new Okta development environment.
  2. Test Environment Setup
    1. Once you have your application running in your development environment and are comfortable with your configurations, please reach out to fasidadmins@gsa.gov to get access to the shared environment https://test-fas.oktapreview.com
  3. Production Environment Set Up
    1. Please submit a GSA ServiceNow request to obtain Admin access
      1. Service Catalog->New Account or Access Requests->FAS Okta MFA Administrator Account
        1. Routed to User’s Supervisor → FAS Okta Admin
        2. FAS Okta Admin will complete the ticket and mark it “Closed”. They will inform the new user that their ticket is complete
      2. Super Admin access is limited to 7 business days to allow your admins to set up your applications in Production
        1. Please provide your plan to handle Administrators for your application in your Configuration Document; Super Admin will be unavailable after initial application setup/deployment: please refer to the Okta Admin types documentation located here
          1. For Example: My FAS application will have 3 administrators. Each administrator will need to have Group Admin for Group Name & App Admin for App Name. We will have a separate Okta User Group that contains our application administrators called ‘FAS App Okta Admins’

Helpful References

These sections provide helpful information on a variety of topics to help understand how FAS ID functions, including the security controls, how FCS collects logs and makes them available, and some important lessons learned from the implementation of FAS ID on GSA Advantage.

  1. Application settings related to Advantage can be shared out on request.
    1. Okta configurations for Advantage: Advantage Okta Config

  1. See the links provided by GSA Security:
    1. GSA Okta Security Document
    2. Okta SSP Controls provided by Security Engineering (CRM): OKTA CRM Tailoring
  2. Additional requirements to adhere to:
    1. OAuth flows should adhere to Authorization Code + PKCE.

  1. Okta will only store system logs for 90 days. You will need to go to Splunk to review logs older than 90 days.
  2. Okta Splunk integration is complete. You will need to ensure your SSP is updated. Account requests will need to be put in for teams. Also, per the email from FCS-ISSO, please update your SSP:
    1. In accordance with GSA Security requirements and TEP Activities I am providing the team the link to the Splunk Tenant responsibility statements. Any Tenant leveraging Splunk services from FCS is required to incorporate these statements into their SSP. These statements should be communicated to all ISSOs that are leveraging Okta within their system boundaries. The respective controls that need to be updated are called out in the summary linked below.
      1. Splunk CRM
  3. Each developer must have an FCS Account to access Splunk, which can be requested here.
  4. Each developer must submit an FCS JIRA ticket to have Splunk added to their FCS Account
  5. Okta-Splunk Queries
    1. Sample Splunk Queries (The FAS ID Admins can be contacted at fasidadmins@gsa.gov for access to the document.)
  6. Okta integrates with GSA Enterprise logging via AWS EventBridge

  1. Custom Solution is implemented for federal users in Advantage and eBuy
  2. Will be added as standard capability to Okta OIE in FY2024