Deployment Status
Awaiting Deployment…
Pipeline Execution
Ready
Checkout
Install OPA sft CLI
Configure sft
Request GitHub OIDC Token
Authenticate with OPA Workload Identity
Update dashboard via brokered SSH
Update session duration
Authentication Trust Chain
⚙️
GitHub Actions
OIDC JWT issued by platform
✓ No stored keys
OIDC JWT
🛡️
Okta Privileged Access
Validates JWT · issues token
✓ Token issued
Ephemeral Creds
🖥️
Target Server
Ephemeral cert · JIT account
✓ JIT Account
Workload Account i
OPA automatically prefixes all workload Unix/Linux account names with wl_ (e.g., wl_github_actions). This visually distinguishes JIT workload accounts from human accounts in the Okta System Log, on the target server, and in any SIEM integration.
Session Duration
Run Context i
Details from the GitHub Actions runner environment: the ephemeral Ubuntu compute host that executed this pipeline, its public egress IP, and the exact commit that triggered the run. This is the untrusted origin — OPA never relies on this context for access decisions; trust is established entirely through the cryptographic OIDC JWT.
Workflow Run
Run ID
Triggered By
Repository
Branch
Commit
Runner Hostname
Runner Egress IP
Executed At
1GitHub OIDC Token i
The GitHub Actions runner requests a signed JWT directly from GitHub's platform OIDC endpoint — no stored credentials needed. This token cryptographically attests the job's runtime context: repository, branch, workflow, and triggering actor. OPA validates it against the Workload Connection's configured JWKS URL and required claims before issuing any access token.
Issued At (iat)
Not Before
Expires (exp)
Token

        

        

          
Header

          

        

      

      

        

          
Payload

          

        

      

    

  







  

    

      

        2OPA Access Token
        
          i
          
After validating the GitHub OIDC JWT, OPA issues a short-lived access token to the authenticated Workload Principal. The TTL is configured per Workload Connection (not a system default). This token is non-refreshable — the workload must fully re-authenticate when it expires. Pass --role-hint to sft workload authenticate to pre-select the target Workload Role.

        
      

      
    

    

      

        
Issued At (iat)

        

      

      

        
Not Before

        

      

      

        
Expires (exp)

        

      

    

    

      

        

          
Token

          

        

        

          
Header

          

        

      

      

        

          
Payload

          

        

      

    

  







  

    

      

        3SSH Connection
        
          i
          
Using the OPA access token, the sft CLI requests a brokered SSH session. OPA evaluates the security policy attached to the Workload Role and, if authorized, issues an ephemeral SSH client certificate and creates a JIT Unix account prefixed with wl_ on the target server. The account is torn down immediately when the session ends — no standing SSH keys or persistent accounts exist at any point.

        
      

    

    

      

        
Target Host

        

      

      

        
Executed At

        

      

    

    

      
Command Executed

      

    

  







  

    

      

        4OPA Audit Event
        
          i
          
Every workload authentication and SSH session generates structured events in the Okta System Log — no custom instrumentation required. pam.user_creds.issue records the token issuance (actor type: WorkloadPrincipal). pam.server.ssh_login records SSH session establishment (actor: the wl_ account). Both events are pulled live from the Okta System Log API and displayed here.

        
      

    


    

      pam.user_creds.issue
      
    

    
Cryptographic proof of the access event — pulled live from Okta System Log


    

      Published
      Severity INFO
      
    


    


      
Actor


      

        
type

        

      

      

        
id

        

      


      
Access Details


      

        
client

        

      

      

        
connection

        

      

      

        
serverHostnames

        

      

      

        
clientIp

        

      

      

    


    
    

      

        pam.server.ssh_login
        
      

      
SSH session establishment — pulled live from Okta System Log


      

        Published
        Severity INFO
        
      


      

        
Actor

        

          
type

          

        

        

          
id

          

        


        
Session Details

        

          
target host

          

        

        

          
ssh algorithm

          

        

      

    


  










  

  

    

      
OPA Workload Identity — Architecture Overview

      
    

    


      
      

        
The Problem With Static Credentials

        

          Traditional CI/CD automation relies on static API keys or SSH keys stored in environment variables, secrets managers, or source control. This model has compounding security flaws:
        

        
    
          
  • Secret Zero — something must hold the initial credential, creating a bootstrapping problem that is never fully solved
    • 
          
  • Standing access — a long-lived key is a persistent attack surface, valid 24/7 whether or not a job is running
    • 
          
  • Rotation burden — managing, rotating, and auditing hundreds of keys across workloads is operationally expensive and error-prone
    • 
          
  • Blast radius — a leaked key grants standing access to every system it authorizes until manually revoked
    • 
        

      


      
      

        
The Solution: Federated Workload Identity

        

          OPA Workload Identity shifts the security model from "you have a secret" to "you are cryptographically who you say you are." Workloads prove their identity using signed JWTs issued by their native platform (GitHub Actions, GitLab CI, GCP, CircleCI, or any JWKS-compliant provider). OPA validates the token against a pre-configured trust relationship called a Workload Connection — no secrets are stored anywhere in the pipeline.
        

        

          No static keys. No Secret Zero. No standing privilege. Every deployment above is proof.
        

      


      
      

        
What This Dashboard Just Did

        

          

            
1

            
GitHub issued an OIDC JWT to the Actions runner. The runner called GitHub's platform OIDC endpoint ($ACTIONS_ID_TOKEN_REQUEST_URL) and received a signed JWT attesting its runtime context: repository, branch, workflow, SHA, and triggering actor. No stored credential was used. The raw token and its decoded claims are shown in Step 1 above.

          

          

            
2

            
The sft CLI exchanged the GitHub JWT for an OPA access token. The workflow called sft workload authenticate --team farley --connection github-actions-prod --role-hint github_actions --jwt-env GITHUB_OIDC_TOKEN. OPA fetched GitHub's JWKS, verified the JWT signature, validated required claims against the Workload Connection configuration, and issued a short-lived OPA access token to the authenticated Workload Principal. The token's claims are decoded and displayed in Step 2 above.

          

          

            
3

            
OPA brokered a JIT SSH session to the target server. The workflow called sft ssh --team farley --workload-role github_actions target-server-01. OPA evaluated the security policy attached to the github_actions Workload Role, issued an ephemeral SSH client certificate, and created a JIT Unix account (wl_github_actions) on the target server. The job wrote state.json under that account, then the session closed and the account was torn down. No persistent SSH key was used.

          

          

            
4

            
The dashboard fetched cryptographic proof from the Okta System Log. Two structured events were generated automatically: pam.user_creds.issue (token issuance, actor type WorkloadPrincipal) and pam.server.ssh_login (SSH session establishment, actor: wl_github_actions). Both events were pulled live via the Okta System Log API using a time-bounded query anchored to the OPA token's iat claim — no manual log search required.

          

        

      


      
      

        
Administrative Configuration (4-Phase Model)

        

          

            
Phase 1 — Connect

            
A DevOps admin creates a Workload Connection in Draft status. Specifies the connection name, token TTL, JWKS URL (e.g., https://token.actions.githubusercontent.com/.well-known/jwks), and required JWT claims that must be present for authentication to succeed.

          

          

            
Phase 2 — Governance

            
A Security admin reviews and promotes the Workload Connection to Active status. This split-duty model enforces separation of concerns — DevOps cannot self-approve trust relationships into production. Inactive connections block all new token issuance. Allow ~5 minutes after activation for OPA to refresh before testing.

          

          

            
Phase 3 — Logic

            
The Security admin creates a Workload Role linked to the Connection, optionally scoped by JWT claim filters. The Workload Role is attached to an OPA security policy — the same policy framework used for human access. This policy defines which target servers the workload can reach.

          

          

            
Phase 4 — Deploy

            
The DevOps admin injects sft workload authenticate into the CI/CD pipeline and sets OPA_ADDR. The resulting OPA access token is used for all subsequent sft ssh calls. No secrets are stored — the pipeline is self-contained and auditable from first principles.

          

        

      


      
      

        
Key Concepts

        

          

            
Workload Connection

            
The trust anchor between OPA and an external identity provider. Created in Draft by a DevOps admin; promoted to Active by a Security admin. Configured with a JWKS URL and required JWT claims. Deactivating a Connection immediately blocks all new token issuance — no individual revocation is needed.

          

          

            
Workload Role

            
Groups ephemeral workloads by shared characteristics and acts as the principal in OPA security policies. Optional JWT claim conditions scope which workloads match the role. The --role-hint flag on sft workload authenticate pre-selects the intended role at authentication time.

          

          

            
wl_ Account Prefix

            
All workload Unix/Linux accounts are auto-prefixed with wl_ (e.g., wl_github_actions). This visually distinguishes JIT workload accounts from human accounts in audit logs, on the target server, and in any SIEM integration. The account exists only for the duration of the SSH session.

          

          

            
Non-Refreshable Tokens

            
OPA access tokens issued to Workload Principals cannot be refreshed. Expiration forces full re-attestation via the platform OIDC endpoint, ensuring fresh cryptographic proof of identity for every session. This is a deliberate security constraint, not a limitation. MFA and Access Requests must not be enabled on workload policies — headless workloads cannot respond to prompts.

          

        

      


      
      

        
Zero Standing Privilege

        

          "No standing credentials" means there is nothing to steal between job runs:
        

        
    
          
  • The OIDC JWT exists only during the GitHub Actions job execution window
    • 
          
  • The OPA access token is issued per-authentication and expires at the TTL configured on the Workload Connection
    • 
          
  • The SSH certificate is ephemeral — valid only for the duration of the brokered session
    • 
          
  • The wl_ account on the target server is created at job start and destroyed at job end
    • 
          
  • Removing a Workload Role from a security policy terminates active SSH sessions immediately
    • 
          
  • MFA and Access Requests must not be enabled on workload role policies — headless workloads cannot respond to authentication prompts
    • 
        

      


      
      

        
Audit Trail

        

          Every workload authentication and SSH session generates structured events in the Okta System Log automatically — no custom instrumentation required. This dashboard pulls both events live via the System Log API, anchored to the OPA token's iat claim:
        

        

          

            
pam.user_creds.issue

            
Fired when OPA issues the short-lived access token to the Workload Principal. Contains: actor type (WorkloadPrincipal), actor ID (the JWT sub claim), Workload Connection name, team, client IP, and token TTL. This is the primary record of authentication.

          

          

            
pam.server.ssh_login

            
Fired on brokered SSH session establishment. Actor is the wl_ JIT account (e.g., wl_github_actions). Records the target server, session timestamp, and outcome. Together with pam.user_creds.issue, these two events provide a complete, tamper-evident audit trail from JWT issuance through session close.