Okta (OKTA) Q4 2023 Earnings Call Transcript, Okta (OKTA) Q3 2023 Earnings Call Transcript, Okta (OKTA) Q2 2023 Earnings Call Transcript, Okta (OKTA) Q1 2023 Earnings Call Transcript, Okta (OKTA) Q4 2022 Earnings Call Transcript, Cumulative Growth of a $10,000 Investment in Stock Advisor, Join Over Half a 1 Million Premium Members And Get More In-Depth Stock Guidance and Research, Copyright, Trademark and Patent Information. So, the first question goes to Rob Owens at Piper. Hi, I'm creating a design for authentication between a bunch of backend services. Enable your IT and security admins to dictate strong password and user authentication policies to safeguard your customers data. Our dollar-based net retention rate for the trailing 12-month period remains strong at 117%. So, I think -- I don't know the specifics, but it's just a pretty different world, and I think that's why we're pretty unique to have such scaled businesses in both. Next question goes to Josh Tilton at Wolfe Research. Adam Borg -- Stifel Financial Corp. -- Analyst. The NRR is in decline. This article is a transcript of this conference call produced for The Motley Fool. A reconciliation between GAAP and non-GAAP financial measures and a discussion of the limitations of using non-GAAP measures versus their closest GAAP equivalents is available in our earnings release. Note: You can also use the /oauth2/v1/clients endpoint to create your service app using the API. By far, the biggest Customer Identity vendor, it's a pretty -- it's important to bring both to customers, but one of the reasons why it's so valuable from a company perspective from -- to be that vendor is because you have to really build two muscles to do it successfully, which is what we've done. So, that's how I would think about net retention going forward. daily authentications on the Okta Identity Cloud. I didn't think that -- I thought people, once they had something installed, they wouldn't replace particularly the on-premise product with more of the modern new product that we have. It's consistent across that, which is also a reason why when you think about market dynamics or pricing or competitive, the two businesses have very different competitive sets. Before you continue with installation, see Prerequisites for Azure AD Connect. Thank you. Invest better with The Motley Fool. Start building with powerful and extensible out-of-the-box features, plus thousands of integrations and customizations. The program will recognize and reward partners for the full spectrum of value they can deliver to our customers at Okta. I guess on the cRPO guide, if I'm thinking about the impact from Auth0 integration last year, can you just give us some parameters on how large that is? It can offer users convenience, consistency, and a high level of security. token that is sent with each request you make. And we're confident that we are positioning the company for many years of profitable growth. Has there been more replacements compared to last quarter in terms of the mix, how that's trending? Streamlining operations and accelerating business technology are critical to establishing Okta as a primary cloud. And now, I'd like to turn the meeting over to Todd McKinnon. No matter what industry, use case, or level of support you need, weve got you covered. Dave? So, I think, how do you unlock that? Indeed, the world's most visited job site started as a self-service customer and has since leveraged Okta Customer Identity Cloud to power authentication for its corporate customers. Consistent with prior quarters, gross retention rates remained very healthy in the mid-90% range. Then we can use Graph SDK to call Ms graph api to query the information. Or is it just too hard to call at this point? Most Okta API endpoints require that you include an API token with your request. https://platform.cloud.coveo.com/rest/search, https://support.okta.com/help/s/global-search/%40uri, https://support.okta.com/help/services/apexrest/PublicSearchToken?site=help, JIRA Service Management - OAuth - service_account, https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb, https://oauth.workflows.okta.com/oauth/httpfunctions/cb. And then also, we achieved FedRAMP High recently, and these are all huge tailwinds to that important business for us. Right. e.g, I have services A, B, C, all of them require an access token from Okta. Yeah. We're -- we hear that narrative as well. Select Enable pass-through authentication. So, in terms of net retention rate, the decline quarter-over-quarter from 120 to 117, like we spoke about previously, we did expect the number to decline, and they were for two reasons. Okta Identity Engine began shipping with every new Workforce customer in early 2022. When you synchronize users, use an Azure AD Connect server if your organization needs any of the following technologies: Device synchronization: Hybrid Azure AD join or Hello for Business. You've likely chosen another attribute to determine ImmutableID values. Once logged in, the system will remember the user for the rest of the session by using cookies. Rudy Kessinger -- D.A. That could change next year or '26, but for this year, the big upsell opportunities are selling the other cloud. Thanks, guys. It allows you to rely on a lean cloud service that integrates with your existing corporate identity provider to benefit from its . Header Name: a custom name to be passed to the service. Empower agile workforces and high-performing IT teams with Workforce Identity Cloud. The authentication takes place with a physical inspection using advanced technical equipment in eBay's dedicated and new state-of-the-art New Jersey facility. And it does slow some things down, but the projects are still moving. When a user attempts to access a web application that requires authorization, they are initially redirected to the CAS server for authorization. Current RPO, which represents subscription backlog we expect to recognize as revenue over the next 12 months, grew 20% to $1.70 billion. Got it. Looking at operating expenses. Thank you. Yeah. Your system will require both authentication and authorization. It varies from year to year, but it's been a mix between the two. It's the state and local as well. To test an individual value, use these commands: Before you move to Azure AD Connect, it's critical to validate that the ImmutableID values in Azure AD match their on-premises values. We expect that the next wave of customers will be much broader, and it will also be customers that maybe weren't as hand-selected. I was going to say it's really an important vertical for us. It hasn't been like 90-10, one or the other, right? And when you look at the people we're talking to, it's not -- there's not a lot of people in the world that have experience taking a company from 2 billion in ARR to 10 billion-plus, which is where we want to go over the next several years. Start building with powerful and extensible out-of-the-box features, plus thousands of integrations and customizations. See, Custom installation of Azure Active Directory Connect. During the first quarter, we opportunistically repurchased $366 million of our 2025 convertible debt notes, resulting in a $31 million GAAP-only gain. And we now believe that dilution for FY '24 will be back within our historical range. So, when we look at our own business, one of our huge -- we have AI in our products, and we have for a few years, whether it's ThreatInsight on the workforce side or Security Center on the customer identity side, which look at our billions of authentications and use AI to make sure we defend other customers from like similar types of threats that have been prosecuted against various customers on the platform. So, that is kind of a high level how we're looking at the business and color some of our outlook. By connecting your Okta organization to Citrix Cloud, you can provide a common sign-in experience for your subscribers to access resources in Citrix Workspace. CAS refers to a software package that also uses the CAS protocol. OK. Next, we'll go to Fred Havemeyer at Macquarie. This new solution builds on top of the tried and proven SAP Single Sign-On product and offers single sign-on in a cloud-oriented way. See how to use Azure AD Connect server or Azure AD cloud provisioning. And we've seen some good execution in the quarter. So, that's another positive trend on our business, I think. But wondering if you could talk about what you're seeing through the first month of May or the first month of 2Q that's really changed. The new customer count is a little lower than we would have expected. Once the user is authenticated through the CAS server, a service ticket is attached to the URL. Run okta login and open the resulting URL in your browser. Click Generate new key and the public and private keys appear in JWK format. And some of the selling issues and how that's reflected in cRPO growth this year. Just one clarifying question and then one quick follow-up. We are raising our outlook for non-GAAP operating income by $25 million to $161 million to $170 million, which yields a non-GAAP operating margin of approximately 7% to 8%. This is your only opportunity to save the private key. From the desktop, run the installation wizard from the desktop. Use API Connector function cards to make authenticated basic, OAuth 2, or custom connections to third-party services. Yeah. Overview Use API Connector function cards to make authenticated basic, OAuth 2, or custom connections to third-party services. The macro is a little bit of a different story. The scope is granted if the scope exists in the service app's grants collection. Thanks for taking my question. If you remember last time, I talked about macro worsening, and we basically spent most of this call talking about macro worsening. For more information on the inner workings of the CAS protocol and how to implement it, check here. The government is -- and it's not just federal, by the way. For example, a service may require api_key as the header name and the key itself as the value. I'll take a shot at it from a big-picture perspective, and then Brett can probably add some details on the guidance. The JSON Web Key Generator tool extracts the public key from the key pair automatically. We made a number of significant product advancements for our Workforce Identity Cloud in Q1. It can also be used to access unauthenticated endpoints. Innovate without compromise with Customer Identity Cloud. In the authentication window, enter Global Administrator credentials. From professional services to documentation, all via the latest industry blogs, we've got you covered. Stiff competition, there's kind of this platform consolidation narrative across security broadly. I would just also add to that -- that I would say that we remain committed to this profitable growth concept, right? OK. Got it. If they're deleted, ensure the ImmutableID values match and the user is in a selected OU for synchronization. It's also upsells -- sorry, cross-sells within Workforce. This new feature leverages Okta to authenticate a meeting attendee's identity to determine if a meeting guest is who they say they are. Easily add a second factor and enforce strong passwords to protect your users against account takeovers. Click Save. For example, https://example.com/oauth2/v1/authorize. I think we're obviously being prudent with the environment. The -- I think the opportunity is huge. The Motley Fool has a disclosure policy. It's super integrated with access management. Azure AD cloud provisioning is the most familiar migration path for Okta customers who use Universal Sync or User Sync. We continue to see great cross-selling between Workforce Identity Cloud and Customer Identity Cloud. The CAS protocol has many benefits for use, which include the following: The CAS protocol can take a little extra time to set up initially, but it can provide an end-user experience that has less friction. But it looks like you have yourself kind of reaccelerating a bit into the next quarter and actually even more in the second half of this year. I know we're a little bit past the top of the hour, but we'll go into overtime a little bit more here, try to get to a few more questions. We think with a great product like Okta Identity Governance, we can make it much, much larger. And that was -- we did that in Q2 of last year, kind of announced it, revealed it to the world in November, so into Q4. We talked a little bit about the macro headwinds we're seeing to an increasing degree. And I think it's one of these things that is getting a lot of hype and is probably still underhyped. So, can you provide some more color there? Yeah. Building on this, we recently rolled out self-service OIE upgrades so customers can automate their upgrade. Another surprising thing is we thought it would be more, hey, greenfield, you don't have any IGA solution. Username: the username for the third-party application. We're seeing increased macro headwinds on our business, most notably with new business across SMB and enterprise. There are also many different client libraries available that can authenticate using CAS. Yeah. And we do expect that to continue throughout the balance of FY '24. Forward-looking statements represent our management's beliefs and assumptions only as of the date made. ET. You will need both to authenticate, which generates an authentication It's a very -- it's a modern IGA. Is it still assuming you're going to see similar impacts on both product lines? The surprising thing is that it's being installed next to legacy deployments. There's important Workforce customers that want us to -- are going through strategic transformations and want to make sure that we're going to be there to support them for massive rollouts and huge investment in Okta. I mean, annual revenue is inching up a point here, 17%, 18% but cRPO going the other way. Talked about a growing partnership with [Inaudible]. Immediately upon expiring an API key, any requests that use a token generated using the key are prevented from succeeding. This includes the cash outlay of approximately $14 million related to the organizational restructuring. Gabriela Borges -- Goldman Sachs -- Analyst. So, we're seeing it in both sides of the business. So, we're seeing that component, but then we're also seeing, if you look at contract durations, seeing how they're a little bit shorter than normal. It's something we invested a lot in, and we're very excited about the potential for that to achieve and even overachieve its targets. Organizations are recognizing the value and the convergence of IGA, PAM, and access management. I would just add to that in the sense that if you remember last time we spoke for FY '23, federal specifically was the fastest-growing segment we had across the company, and that's a direct result of the focus we put on in FY '23. But there's going to be thousands of these types of applications, and they all need identity, and we're here to serve as that supplier to them. The POST example request below creates a grant for the okta.users.read scope. Login credentials are only used once for multiple applications for authentication without revealing the secure password. Click on the Scopes tab, then the Add Scope button. The following example is the default of converting the objectGUID . Q1 free cash flow was a record $124 million, yielding a free cash flow margin of 24%. That's an identity problem, and we can help with that. Hey. Multiple scopes are often space or comma separated, but this can depend on the service. You need to be a Fabric admin to see the tenant settings page. Well, the seat expansions are really our customers' employees, right? Total headcount at the end of Q1 was approximately 5,700. So, there's been a lot of talk about better cross-sell and upsell within your base versus new logos. Obviously, it's a fluid macro environment, and so we don't want to get too far out in front of ourselves at this point. Yeah. When registering a new app, you usually register basic information such as the application name and website URL. It's not the major part of it, but that does also weigh on the growth as we go through this year. All rights reserved. Advanced Server Access API, you will need to create an The API Connector cards support three types of authentication out of the box: Basic, OAuth, and Custom Header. }', "https://${yourOktaDomain}/oauth2/v1/token", 'https://${yourOktaDomain}/oauth2/v1/token', 'Content-Type: application/x-www-form-urlencoded', 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer', 'client_assertion=eyJhbGciOiJSU.tHQ6ggOnrG-ZFRSkZc8Pw', "Authorization: Bearer eyJraWQiOiJEa1lUbmhTdkd5OEJkbk9yMVdYTENhbVFRTUZiNTlYbHdBWVR2bVg5ekxNIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmRNcmJJc1paTWtMR0FyN1gwRVNKdmdsX19JOFF4N0pwQlhrVjV6ZGt5bk0iLCJpc3MiOiJodHRwczovL2xvZ2luLndyaXRlc2hhcnBlci5jb20iLCJhdWQiOiJodHRwczovL2dlbmVyaWNvaWRjLm9rdGFwcmV2aWV3LmNvbSIsInN1YiI6IjBvYXI5NXp0OXpJcFl1ejZBMGg3IiwiaWF0IjoxNTg4MTg1NDU3LCJleHAiOjE1ODgxODkwNTcsImNpZCI6IjBvYXI5NXp0OXpJcFl1ejZBMGg3Iiwic2NwIjpbIm9rdGEudXNlcnMubWFuYWdlIl19.TrrStbXUFtuH5TemMISgozR1xjT3rVaLHF8hqnwbe9gmFffVrLovY-JLl63G8vZVnyudvZ_fWkOBUxip1hcGm80KvrSgpdOp9Nazz-mjkP6T6JwslRFHDe8SC_4h2LG9zi5PV9y3hAayBK51q1HIwgAxl_2F7q4l0jLKDFsWjQS8epNaB05NLI12BDvO-C-7ZGGJ4EQfGS9EjN9lS-vWnt_V3ojTL0BJCKgL5Y0c9D2VkSqVN4j-7BSRZt0Un3MAEgznXmk2ecg3y7s9linGR0mC3QqKeyDfFNdsUJG6ac0h2CFFZQizpQu1DFmI_ADKmzxVQGPICuslgJFFoIF4ZA". We all need hundreds of customers versus 18,000-plus customers, right? Background If a pre-built connector isn't available, use API Connector cards to make a request to a third-party service and parse the response in your flow. They can see what 18,000-plus other customers have done and then apply that quickly to their own configuration, decreasing the errors, increasing the speed to value. One of the bright spots in that was the cross-selling of CIC into other types of customers. The CAS protocol is open-source and publicly available. This is Billy Fitzsimmons on for Sterling Auty. I think -- but the big changes we made last year with that clarifying of the Workforce Identity Cloud and the Customer Identity Cloud positioning and some of the changes we talked through at that time. Hey. When you request an access token for multiple scopes, the format for the scope value looks like this: scope=okta.users.read okta.apps.read, client_assertion_type: Specifies the type of assertion, in this case a JWT token: urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Confirm the provisioning connector updated in-place objects. All rights reserved. Let's go to Sterling Auty at MoffettNathanson. I do think that the flip will be true. This self-service option will help accelerate the pace of upgrades, paving the way for even more customers to reap the benefits and power of OIE. Click Done. We're trying to be more efficient. Effortlessly integrate with enterprise directories or identity providers. For the key format, use either the default of JWT or switch to PEM, and then click Generate JWT. We'll also be participating in several bus tours this June, and we hope to see you at one of those events. We don't -- you might want to -- one of the ideas we had is it would be impacting one more than the other and we don't see that. Given the current macro environment, customers are not expanding seats at the rate they have in recent years, and we believe this trend will persist in this environment. But the thing that I want to make sure everybody is very clear on is that the gross retention rate has remained stable in that mid-90% range. But, yeah, they're digging in, and they're -- a lot of these customers are -- they were familiar with the road map, and so, they kind of -- they've really kind of honed their evaluation to be really on the sweet side of the product, which is dynamic environments that use a lot of containers, use a lot of cloud instances, want to control those types of environments with the same types of access management primitives like passwordless, like anti-phishing, access management capabilities that the core Okta platform provides. So, it's off to a very good start. OAuth: OAuth 2.0 is a protocol that allows you to grant limited access to resources on a third-party site without having to expose your credentials. It can also be easier to maintain over time, as there is a centralized server to deal with in one system instead of managing authentication processes within each individual web application. Okta is the best positioned company to deliver this to the market and expand on our leadership position, all while delivering profitable growth over the long term. The AWS Marketplace has been pretty successful for us. Before turning to expense items and profitability, I'll point out that I'll be discussing non-GAAP results going forward. In this example, Okta stamped the mail attribute to the user's account, although the on-premises value wasn't accurate. We now expect revenue of $2.175 billion to $2.185 billion, representing growth of 17% to 18%. And that's because if a customer has Okta, that means that they're more likely to use a choice of cloud providers versus being locked into one. For example, you can set specific user IDs to have administrator privileges that will allow them to read and write within specific files. And I think that's created a lot of momentum for us as we're going to move through this year. You're going to need to log on to these experiences. Since the API Connector cards can be used with multiple connections, enter a detailed name to distinguish each connection. We're extending the same great secure access management as well as identity governance capabilities to privileged resources. I mean, obviously, it creates a headwind for us, both on revenue and cRPO because we didn't execute as well as we want. If multiple attributes are being deleted, you can populate on-premises AD values before you remove the staging mode. Never stop innovating is a core Okta value, and we continue to make important advancements on that front. Great. Information on factors that could affect our financial results is included in our filings with the SEC from time to time, including the section titled Risk Factors in our previously filed Form 10-K. 10 stocks we like better thanOktaWhen our analyst team hasa stock tip, it can pay to listen. You do not have to embed authentication protocols one at a time. Similar to years past, Q2 is expected to be the seasonal low for cash flow, and we are applying a static 26% non-GAAP effective tax rate for the fiscal year. Over the next decade, identity will become increasingly important, and we firmly believe that the winner will be independent-neutral and will deliver a unified platform covering both customer identity and workforce identity across access management, governance, and privileged access. You'll need to create each app on Okta if you didn't run. And it's interesting that all these trends we track are impacting both the same, which also gives us confidence that it's macro-related. So, in a sense, we're really going to be selling picks and shovels to the gold miners. Install-Module AzureAD in an administrative session before you run the following commands: If you have the module, a warning might appear to update to the latest version. If you are using Postman to test, select the, On the right, paste the access token into the. I see that there are quite a few hands raised already, and I'll take them in the order. Usemulti-factor authenticationto provide a higher level of assurance even if a users password has been compromised. For testing purposes, copy the Public Key that is provided. To wrap things up, we've taken action to drive efficiencies in our cost structure while investing to fuel our future growth. That's the big new product suite. Yeah. Note: Use the Admin Console to generate a JWK public/private key pair for testing purposes only.