09 - Okta Policy Network Flashcards
What is Okta’s MFA enrollment policy?
Demonstrate knowledge of the policy types available in Okta and their functionalities
Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them. Sign-on policies determine the types of authentication challenges these users receive.
An MFA policy can be based on a variety of factors, such as location, group definitions, and authentication type. It can also specify actions to take, such as allowing access or prompting for a challenge.
Add a new policy by navigating to Factor Enrollment and clicking Add Multifactor Policy.
Change the order of policies, except the Default Policy, by dragging the bar on the blue policy name, thereby rearranging the list.
The Default Policy: The default policy applies when no other policy has been set. It also immediately reflects the factors you chose under the Factor Type tab.

Demo 1: Multifactor Authentication
Demonstrate knowledge of the policy types available in Okta and their functionalities
Multifactor Authentication
Test Multifactor Authentication
3
c. The dialog box will refresh with the final step to set up Okta Verify.
d. On your mobile device, open the app store. Search for and install Okta Verify.
e. Open the Okta Verify app.
f. On the Welcome to Okta Verify screen, tap Add Account.
g. Hold your device up to the computer screen and scan the barcode.
h. Click Done.

Demo 1: Multifactor Authentication
Demonstrate knowledge of the policy types available in Okta and their functionalities
Multifactor Authentication
Test Multifactor Authentication
- Select and answer a forgot password question.
- Select a security image.
- Click Create My Account.
- In the top bar, click Faith > Sign out.

Demo 1A: Password Policy Types
Demonstrate knowledge of the policy types available in Okta and their functionalities
Password Policy Types
Create an Application Sign on Policy
- Under Location, leave the default Anywhere selection. Notice that selecting one of the other options changes how this policy is applied to the zones you defined earlier.

Demo 1A: Password Policy Types
Demonstrate knowledge of the policy types available in Okta and their functionalities
Password Policy Types
Test the Application Sign on Policy
1. Log out of Okta as the Administrator.
2. Log in as frank.molen.
   Username: frank.molen
   Password: Tra!nme4321
3. Click on the Salesforce app and you will be prompted to set up an MFA Factor.
4. Did you get prompted for MFA?
5. Enter your factor and log in to Salesforce.
6. Sign out of and close the Salesforce browser tab.
7. Log out as frank.molen.
Conclusion
Now that you have created an Okta password policy and configured MFA, you are ready to learn about attribute mappings.

Demo 1A: Password Policy Types
Demonstrate knowledge of the policy types available in Okta and their functionalities
Password Policy Types
Create an Application Sign on Policy
Enable MFA
- Under Actions, select Prompt for factor and select Every sign on.
- Click Save.

Demo 2: Okta Essentials Module 5: Implement the Okta Policy Framework
Demonstrate knowledge of when to use each policy
Okta Essentials Module 5: Implement the Okta Policy Framework
Demo 3: Security Policies
Demonstrate understanding of how policies are applied based on the policy priority order
Security Policies
Demo 4: Password Policy Types
Demonstrate understanding of the importance of the default policies in Okta
Password Policy Types
What are the steps in creating an Okta-Mastered Password Policy?
1. Point to Security and click Authentication.
2. You will land on the Password tab. Click Add New Password Policy.
3. In the Add Policy dialog box, perform the following:
   - In the Policy Name field, type the following: Okta Accounts
   - In the Policy description field, type the following: Okta-mastered user password policy
   - In the Add group field, type and select the following: Sales and Marketing
   - Under Authentication Providers, in the Applies to list, verify that Okta is selected.

What are the 4 types of Okta Policies?
About app sign-on policies
About MFA enrollment policies
About Okta sign-on policies
About password policies
What is Okta’s App Sign-on policy?
App sign-on policies allow or restrict access to applications. By default, all Client options in the App Sign On Rule dialog box are pre-selected. To configure more granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:
Who users are and/or the groups to which they belong
Whether they are on or off network or within a defined network zone
The type of client running on their device (Office 365 apps only)
The platform of their mobile or desktop device
Whether or not their devices are Trusted
Important to know about the User-Agent
Okta’s Client Access Policies (CAPs) allow you to manage access to your enterprise apps based on the client type and device platform. Okta CAPs evaluate information included in the User-Agent request header sent from the users’ browser. Because the User-Agent can be spoofed by a malicious actor, you should consider using a whitelist approach when you create CAPs and require MFA or Device Trust as described in the following best practices:
Implement a whitelist consisting of one or more rules that specify the client type(s) + device platform(s) + trust posture combinations that will be allowed to access the app.
Require Device Trust or MFA for app access.
Include a final catch-all rule that denies access to anything that does not match any of the CAP’s preceding rules.
MFA and legacy protocols
While you can configure your App Sign-On Policies to prompt end users for MFA, be aware that legacy protocols such as POP or IMAP do not support MFA even if MFA is configured for Okta sign-in.
To ensure that authentication to apps remains secure, Okta strongly recommends that you evaluate the following:
The use of legacy protocols with Microsoft Office 365 applications and whether to disable them if necessary
Whether to enable Modern Authentication on Microsoft Office 365 tenants for improved security
What is Okta’s Sign-on Policy?
Okta sign-on policies can specify actions to take, such as allowing access, prompting for a challenge, and setting the time before prompting for another challenge. You can specify the order in which policies are executed and add any number of policies. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.
You can specify any number of policies and the order in which they are executed. There is one required policy named Default. By definition, the default policy applies to all users.
In addition to the default policy, which you cannot delete, there is another policy named Legacy that is present only if you have already configured MFA. This policy reflects the MFA settings that were in place when you enabled your sign-on policy, and ensures that no changes in MFA behavior occur unless you modify your policy. If needed, you can delete it.
When a policy is evaluated, the conditions in the policy are combined with the conditions in the associated rules. Rules are applied when all these conditions are met.
Note: A policy with no rules cannot be applied.
Policies can contain multiple rules, and the order of the rules determines their behavior.
What is Okta’s Password Policy?
Password policies enable admins to define password policies and associated rules that enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization’s assets. Admins can also create additional policies that are less or more restrictive and apply them to users based on group membership.
Group Password Policy is now enabled for all orgs:
The Password tab on the Authentication page displays all group password policies. Initially, only the Default Policy and the Default Rule appear.
If Group Password Policy was previously not enabled, the Password tab now displays the Legacy Policy and the new Default Policy. The Legacy Policy reflects the org settings present when Group Password Policy was enabled and includes the Legacy Rule and the additional Default Rule.
What is Okta’s Group Password Policy?
Using Group Password Policy
With group password policies, you can:
Define password policies and associated rules to enforce password settings on the group and authentication-provider level.
Create multiple policies with more or less restrictive rules and apply them to different groups.
Use policies to enforce the use of strong passwords to better protect your organization’s assets.
An error can occur during provisioning when a user’s Okta password meets the Okta password policy requirements but the Okta password policy itself does not meet the application’s requirements. Ensure that the Okta password policy meets the application’s requirements, typically eight characters with an upper-case and a lower-case character and either a symbol or a number.
What is Okta’s Policy on AD and LDAP Mastered Users?
Active Directory (AD) and LDAP mastered users
Group Password Policies are enforced only for Okta and Active Directory (AD) and LDAP mastered users.
For AD and LDAP mastered users, ensure that your AD and LDAP password policies don’t conflict with Okta policies. Passwords for AD and LDAP mastered users are still managed by the directory service. For example, some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application’s password requirements.
Previous Group Password Policy options are not retained after the LDAP Group Password Policy feature is disabled.
When the LDAP Group Password Policy feature is enabled, a custom password policy message cannot be used and previous password policy messages are not applied.
When LDAP delegated authentication is disabled, the LDAP Group Password Policy no longer applies to LDAP mastered users.
What is Okta’s Password Policy Evaluation?
Password Policy evaluation
A password policy is evaluated using the following criteria:
Complexity requirements are evaluated when the password is set.
Evaluation is based on the current policy and on when the user last set their password, unless the user’s password is already expired, in which case it remains expired.
For AD and LDAP mastered users, the AD and LDAP complexity requirements should match the AD and LDAP instances.
What are Okta’s Password Policy Types?
Default policy: All Okta-mastered users are subject to the Default Policy unless another policy applies. The Default Policy cannot be deactivated or deleted, and always holds the lowest ranking within the policy list.
Legacy Policy: In previous versions of the platform, password policy settings were located on the Security > General page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.
Active Directory Policy: If you currently have one or more Active Directory (AD) integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.
LDAP Policy: If you currently have one or more LDAP integrations, an LDAP policy is automatically created for you. You can customize the elements of the policy and its rules.
What is the advantage of configuring security within Okta?
Configuring security within Okta enables you to provide additional security layers on sensitive corporate data, while also enabling users to access data and applications securely. The Okta Policy Framework allows admins to configure password requirements, sign-on options, mobility requirements, and a lot more. The framework allows policies to be scoped to specific groups and can be applied to individual applications.
The Okta Policy Framework allows admins to configure what?
Password requirements,
sign-on options,
mobility requirements, and a lot more.
The framework allows policies to be scoped to specific groups and can be applied to individual applications.
How are policies applied?
Policies are assigned to any group type and are applied sequentially.
For example, if you have two policies mapped to the same group, the second policy will never be executed.
All policies have associated rules that follow the same principle.
How are policies different from rules?
While the specifics of policy rules are different for each policy type, rules are always context-scoped and policies are group-scoped.
What are the different types of Policy?
Password: Define password policies and associated rules to enforce password settings at the group and authentication-provider level.
Multifactor: Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them.
Okta Sign-on: Sign-on policies determine the types of authentication challenges users receive.
Application Sign-on: Define application-level access parameters.
What is a network zone?
A network zone is a security perimeter used to limit or restrict access to a network based on a single IP address, one or more IP address ranges, or a list of geolocations.
Network zones are defined and maintained by admins who wish to improve and strengthen network security for their organization and users.
What is an IP Zone?
Create ranges of gateway IPs and Proxy IPs.
What is a Dynamic Zone?
Create zones by country and region.
The following Okta features use public gateway IPs:
Desktop SSO: Prevents the SSO redirect (to the IWA site) from occurring when accessed off premises.
Multi-factor Authentication (MFA): Permits an administrator to require MFA only when the system is accessed off premises.
Application Sign On Policies: Permits denial of access to certain applications when accessed off premises.
VPN notifications: Occurs when an off-premise application access requires on-premise access through a VPN connection.
Why do we use zones?
Zones are used for several different purposes. A zone can be used to allow access or to deny access. The earlier examples used zones to check whether the user was on the corporate network, but zones can also drive different policies.
How do you set up zones?
Security > Networks > “Add Zones”
Select IP Address or Dynamic Zones
Dynamic Zones > Name > IP Type > Locations > Save
IP Zones > Gateway IPs > Proxy IPs
How does Okta enable you to define password policies?
As specific as you require. You can define policies based on groups and/or the authentication provider.
For example, you might have an external Sales team that are all Okta-mastered users, while your internal Sales team is all Active Directory mastered accounts. In Okta, you can create similar or unique password policies for these groups.
How do you set up Password Policies in Okta?
Security > Authentication > Password policies > “Add New PW Policy” > Okta or Active Directory > Create Rule
What are default policies?
Active Directory Policy
Default Policy
What does the “default policy” apply to?
Okta Mastered users.
What is the default policy for Active Directory?
“Active Directory Policy”
What are some of the password policies?
PW length complexity requirements
Restrict use of password like “password”
Password aging
Enforce password history for the past “4” passwords
Password expiration (e.g. 90 days)
Min PW age
Prompt x days before lockout
Number of attempts to login.
Automatic unlock after x minutes.
Show lockout failures.
What are account recovery options?
SMS
Email (default)
Password recovery questions (with a limit on the number of characters)
What do you have to create each time you create a policy?
Anytime you create a policy, you have to create a rule.
You can include or exclude people of a particular group.
You can use zones (e.g. only allow a password change when the user is on the network).
How do you create a Rule?
“Add Rule” > Rule Name > Exclude Users > If > IP is in Zone > Perform Self-service Password selections.
When can MFA be applied?
Multi-factor Authentication (MFA) can be applied at the moment a user signs on and also when accessing specific applications on the user’s homepage.
What is MFA?
MFA is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors).
What are factors?
Factors are often something that meets the criteria of something the user has (soft token) or something the user knows (security question).
It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

What are the 3 steps to setting up MFA?
Select the factor
Factor Enrollment
Enforce the policy

What are ways to “select a factor”?
To set up multi-factor authentication, your first step is to choose the factor type users will encounter when signing into Okta or a specific application.

What are ways to “enroll”?
When creating MFA policies, you associate groups as appropriate. You also indicate how the configured MFA factors are to be applied.

What are ways to enforce MFA?
Okta Sign-on policies are set up to enforce when you prompt for a second factor, and this can be set up for a specific group or for everyone in your Okta org.
What are the application-specific sign-on policies and rules?
Application sign-on policies have similar parameters to Okta sign-on policies:
- you assign a name and then specify the people the policy applies to,
- the network location information,
- and the associated access.
What is Okta Verify?
Okta Verify is a soft-token application owned by Okta that can be downloaded from the application stores.
Google Authenticator is also a soft-token application, but it is not owned by Okta. It can be downloaded from application stores and works on iOS, Android, and Blackberry.
SMS Authentication is a text message code that is sent to a phone.
Symantec, Duo, RSA, and Yubikey are third party tools that your company might use for MFA. You can also use these options with Okta.
Is Security Question a true MFA Option?
No. Security Question is not a true MFA option, but it can be used for end users who do not have a mobile device.
What are some of the MFA enrollment policies?
Are assigned to groups
Indicate how the configured MFA factors are to be applied.
Use rules to determine enrollment criteria of when and where
Are a good way to transition between MFA factors, such as from a 3rd party provider to an Okta factor
What is the best way to transition from a 3rd party provider such as RSA to Okta?
Administrators can configure enrollment policies requiring users to configure both offerings on initial prompt. By making users configure both MFA factors, the administrators can eventually deactivate the 3rd party provider (RSA) but still have an active MFA factor through Okta.
What does the Okta default sign-on policy do for MFA?
Similar to other features in Okta, there is a default sign-on policy.
The Default Policy is written so that Everyone accessing Okta from anywhere can log in without a multifactor authentication option enabled.
For specific use cases, you can create additional policies with associated rules.
For example, if you want members of a particular group, or specific people, to always be prompted for MFA when off network, create a policy and define the rule. The Okta Sign-on Policy enforces when the end user will be prompted for the additional factor.
What is the workflow for MFA?
User: AuthN request
Okta: Push Notification
Okta Verify: Code Accepted
Okta: AuthN accepted
Okta: Access request granted
Salesforce: App access granted

How do you configure MFA?
1. Select the factor: Security > MFA. Click on the factor and “Activate”.
2. Build the factor enrollment policy (when are we going to have our end users enroll in a multifactor factor?): “Add Multifactor Policy” > Add Policy > Policy name, Description, Assigned to Groups > Effective factors (Okta Verify, Google AuthN, Security Question). Then create a rule: Add Rule > Zone > Enroll in Multi-factor. Users get prompted to enroll the next time they log in.
3. Build the enforcement policy and select which factors: Security > AuthN > “Add Policy” > Policy Name, Description, Assigned to Group > “Create Policy and Add Rule”. Then: Add Rule > Select Zones > Authenticate via > Access is Allowed. The custom policy goes to the top for the “Sales Staff”; everyone else gets the default policy. You can’t change the default policy; it’s a catch-all.
What does Application sign-on policies allow the administrators to do?
To enforce MFA at the application level.
Which MFA options are applied to the user depends on the MFA policies.
On the Sign On tab for applications, you can create application-specific sign-on policies and rules.
What is the application sign-on workflow?
User: Click application icon
Okta: Confirms that app requires MFA
Okta: Returns MFA form to user
User: Submits MFA credentials
Okta: Validates MFA and generates a SAML assertion.
Okta: Redirects the user to SF with a SAML assertion
Browser: Accesses SF
SF: Validates the assertion and grants access.
SF: Home page.
