CLOUD & IDENTITY · Okta

Make Okta SSO, provisioning, and lifecycle posture declarable, signed, and independently verifiable.

A proof surface for governing Okta as the identity provider: signed-JWT verification, machine-readable SSO and SCIM provisioning posture, lifecycle events as append-only evidence, and read-only directory access by default.

2 / 5 controls live
Okta SSO SCIM provisioning lifecycle audit
The controls

5 controls. 2 live, 3 mapped — stated honestly.

Every claim points to a real artifact you can open. Where a control is specced but not yet shipped, it says so — no surface here pretends to be further along than it is.

Kinetic Gain verifies Okta-issued JWTs and propagates identity from the host — never mints a session.
artifact · kg-token-validator
Live
Every lifecycle event — joiner, mover, leaver — is an append-only, hash-chained audit event.
artifact · audit-stream
Live
SSO and SCIM provisioning posture is declared machine-readable — what's granted, to whom, and why.
Mapped
Read-only directory posture by default; writes need a named, audited grant.
Mapped
A buyer can curl /verify the provisioning posture against live Okta configuration.
Mapped
The differentiator

The Suite stops being marketing the moment a buyer can verify it.

Don't take our word — curl the evidence.

Governance posture is only worth what a procurement team can independently confirm. Where the validator is live, a buyer fetches the declaration and walks the hash-chained audit trail themselves — capability, classification, and control evidence, machine-readable and self-checking.

# once the validator ships for this surface
curl https://okta.kineticgain.com/.well-known/kg-verify.json | kg-validate -