07 - Configure SSO & Provisioning Flashcards
Demo 1: Okta Integration Network/Applications Demonstrate knowledge of the OIN and how to leverage Okta out-of-the-box app integrations
Applications
Demo 1A: Okta Integration Network/Applications Demonstrate knowledge of the OIN and how to leverage Okta out-of-the-box app integrations
Okta Integration Network/Applications
Demo 1B: Okta Essentials Module 5: Configure SSO and Provisioning Demonstrate knowledge of the OIN and how to leverage Okta out-of-the-box app integrations
Okta Essentials Module 5: Configure SSO and Provisioning
Demo 2: The Applications Page Demonstrate knowledge of how to search for pre-built integrations and identify the app capabilities
The Applications Page
Demo 2A: Okta Essentials Module 5: Configure SSO and Provisioning Demonstrate knowledge of how to search for pre-built integrations and identify the app capabilities
Okta Essentials Module 5: Configure SSO and Provisioning
What does configuring applications in Okta enable you to do?
Configuring applications within Okta enables you to provide additional security layers on sensitive corporate data, while also providing insight to application and data usage by people at your company.
Okta supports integration with various SSO options. What does that include?
Delegated authentication; proprietary vendor-specific protocols.
SSO integration allows for:
Providing access to applications for all users; configuring app access adhering to company policies; creating and maintaining a single source of truth for your users, enabling new authN and provisioning scenarios.
What are the OIN stats?
6500 built-in and community-generated apps; 1300 enabled with SAML to provide secured enterprise-level SSO; 150 are mobile-ready for the remote workforce; 230 are provisioning-enabled so you can automate the process of account
What is AIW?
An in-product wizard called the Application Integration Wizard (AIW) that allows you to build your own SWA, SAML SSO, or SCIM provisioning integrations.
What is Okta in place?
Okta authenticates users and then provides SSO to all assigned applications, with communications into Okta occurring over HTTPS. If a user opens an application without first authenticating to Okta, the application automatically redirects to Okta for authentication.
What is the problem with SAML and WS-Fed?
The problem is that they are not very lightweight and not very easy to work with. They do not work with modern applications natively.
What is the advantage of OIDC?
One of the things you see is that OpenID Connect is based on OAuth. So, we are able to achieve a single process for not only providing access to our apps, but also using the same request for secure access to our APIs. OpenID Connect has all these benefits.
What is SWA?
Secure Web Authentication. Okta's password manager feature.
How does SWA work?
When a user navigates to a site, Okta detects the URL and inserts a username and password into that site's login form.
What is the drawback with SWA?
a. The drawback to SWA is that it requires a browser plug-in, so in a customer identity and access management situation you would not be asking your customers to install a plug-in for secure access to your apps or sites. b. Also, it is not federated. So, even though it is automated, you still have to think about password issues for those endpoints. The key benefit is that it does not require any development: you just need the login form. But there are a lot of drawbacks to working with SWA.
What are the Signon Methods for SWA?
a. AuthN request b. Access request granted c. App access request through the Okta app d. UX: When users click an application icon, Okta securely posts their credentials to the application login page over SSL and the user is automatically authenticated.
Considerations of SWA
a. SWA was created for applications that do not support federated SSO b. For SWA applications, the Okta Browser Plugin is required. c. Okta stores the user credentials in an encrypted format using AES encryption combined with a customer-specific private key.
SWA sign-in options
a. User sets username and password b. Administrator sets username, user sets password c. Administrator sets username, password is the same as user’s Okta password d. Users share a single username and password set by administrator
What is Authentication vs. Federation?
a. AuthN is the process of proving the identity of a person or system. b. Federation is the process by which an app or site requests proof of authN from a trusted source. c. Basically, authentication answers the question, "Who are you, and how do you prove it?" Typically this requires a user entering their username and password and perhaps some sort of MFA. Secure authentication these days often involves multi-factor authentication; you are starting to see it more, with many sites adopting it, but other sites still use just a username and password. d. When we talk about federation, we have an app and we need to create a trust relationship between that app and Okta (the IdP), so that when a user goes to access that application we do not require them to authenticate again. Instead, we request proof that they have already successfully authenticated and then provide access in an automated fashion. One key way to think about the difference: users are authenticated and apps are federated.
Signon Methods: SAML
a. Standards-based: i. Ensures interoperability across IdPs ii. Enterprises are free to select a vendor b. For the most secure authentication, it is recommended to use a standards-based protocol such as SAML. i. It eliminates the need for passwords by using digital signatures for authN. c. Security: i. Uses an SSO protocol. ii. Used globally. iii. Based on digital signatures for authN and integrity. d. IT friendly: i. Centralized authN ii. Provides greater visibility iii. Makes directory integration easier. e. Usability: i. One-click access from portals or intranet ii. Deep linking iii. Password elimination iv. Automatic renewal of sessions.
What are the 3 roles of SAML?
a. IdP: the entity that actually authenticates the user; in this case, Okta. (assert) b. Service Provider (SP): the application or website the user is trying to access. (provide) c. End User: the end user trying to authenticate to the service. (authN)
IdP initiated SAML
a. AuthN to Org b. Access request granted c. SAML response forwarded d. AuthN and SAML response creation