Okta ASA (Advanced Server Access) is an identity management software that provides single sign-on and a lot of detailed access control in order to improve security. There has been interest in making ThinLinc work with Okta to improve security.
Okta has existing support for improving security with SSH. It uses certificates to get rid of TOFU, and it also uses short-lived certificates that are fetched for each connection to make sure authentication and access control is fresh.
Unfortunately, this is handled in a magical way, so it doesn't work directly with ThinLinc. Users should either configure a ProxyCommand, or execute ssh via a wrapper.
Also note that Okta also has an OTP solution that can be integrated with SSH using RADIUS. In that case, it is the double authentication (bug 2545) in ThinLinc that is in the way.
Okta supports both SAML and OIDC, so bug 8247 might be a way to resolve this for Web Access at least.