09 - Okta Policy Network Flashcards

1
Q

What is Okta’s MFA enrollment policy?

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them. Sign-on policies determine the types of authentication challenges these users receive.

An MFA policy can be based on a variety of factors, such as location, group definitions, and authentication type. It can also specify actions to take, such as allowing access or prompting for a challenge.

Add a new policy by navigating to Factor Enrollment and clicking Add Multifactor Policy.

Change the order of policies, except the Default Policy, by dragging the bar on the blue policy name, thereby rearranging the list.

The Default Policy: The default policy applies when no other policy has been set. It also immediately reflects the factors you chose under the Factor Type tab.

2
Q

Demo 1: Multifactor Authentication

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Multifactor Authentication

Test Multifactor Authentication

3

c. The dialog box will refresh with the final step to set up Okta Verify.
d. On your mobile device, open the app store. Search for and install Okta Verify.
e. Open the Okta Verify app.
f. On the Welcome to Okta Verify screen, tap Add Account.
g. Hold your device up to the computer screen and scan the barcode.
h. Click Done.

3
Q

Demo 1: Multifactor Authentication

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Multifactor Authentication

Test Multifactor Authentication

  1. Select and answer a forgot password question.
  2. Select a security image.
  3. Click Create My Account.
  4. In the top bar, click Faith > Sign out.
4
Q

Demo 1A: Password Policy Types

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Password Policy Types

Create an Application Sign on Policy

  1. Under Location, leave the default Anywhere selection. Notice that selecting one of the other options changes how this policy is applied to the zones you defined earlier.
6
Q

Demo 1A: Password Policy Types

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Password Policy Types

Test the Application Sign on Policy

  1. Log out of Okta as the Administrator.
  2. Log in as frank.molen.

Username: frank.molen

Password: Tra!nme4321

  3. Click on the Salesforce app and you will be prompted to set up an MFA factor.
  4. Did you get prompted for MFA?
  5. Enter your factor and log in to Salesforce.
  6. Sign out of and close the Salesforce browser tab.
  7. Log out as frank.molen.

Conclusion

Now that you have created an Okta password policy and configured MFA, you are ready to learn about attribute mappings.

7
Q

Demo 1A: Password Policy Types

Demonstrate knowledge of the policy types available in Okta and their functionalities

A

Password Policy Types

Create an Application Sign on Policy

Enable MFA

  1. Under Actions, select Prompt for factor and select Every sign on.
  2. Click Save.
8
Q

Demo 2: Okta Essentials Module 5: Implement the Okta Policy Framework

Demonstrate knowledge of when to use each policy

A

Okta Essentials Module 5: Implement the Okta Policy Framework

9
Q

Demo 3: Security Policies

Demonstrate understanding of how policies are applied based on the policy priority order

A

Security Policies

10
Q

Demo 4: Password Policy Types

Demonstrate understanding of the importance of the default policies in Okta

A

Password Policy Types

11
Q

What are the steps in creating an Okta-Mastered Password Policy?

A
  1. Point to Security and click Authentication.
  2. You will land on the Password tab. Click Add New Password Policy.
  3. In the Add Policy dialog box, perform the following:
     In the Policy Name field, type the following: Okta Accounts
     In the Policy description field, type the following: Okta-mastered user password policy
     In the Add group field, type and select the following: Sales and Marketing
     Under Authentication Providers, in the Applies to list, verify that Okta is selected.

12
Q

What are the 4 types of Okta Policies?

A

App sign-on policies

MFA enrollment policies

Okta sign-on policies

Password policies

13
Q

What is Okta’s App Sign-on policy?

A

App sign-on policies allow or restrict access to applications. By default, all Client options in the App Sign On Rule dialog box are pre-selected. To configure more granular access to the app, selectively apply conditions as you create one or more prioritized rules based on:

Who users are and/or the groups to which they belong

Whether they are on or off network or within a defined network zone

The type of client running on their device (Office 365 apps only)

The platform of their mobile or desktop device

Whether or not their devices are Trusted

Important to know about the User-Agent

Okta’s Client Access Policies (CAPs) allow you to manage access to your enterprise apps based on the client type and device platform. Okta CAPs evaluate information included in the User-Agent request header sent from the user’s browser. Because the User-Agent can be spoofed by a malicious actor, you should consider using a whitelist approach when you create CAPs and require MFA or Device Trust, as described in the following best practices:

Implement a whitelist consisting of one or more rules that specify the client type(s) + device platform(s) + trust posture combinations that will be allowed to access the app.

Require Device Trust or MFA for app access.

Include a final catch-all rule that denies access to anything that does not match any of the CAP’s preceding rules.

MFA and legacy protocols

While you can configure your App Sign-On Policies to prompt end users for MFA, be aware that legacy protocols such as POP or IMAP do not support MFA even if MFA is configured for Okta sign-in.

To ensure that authentication to apps remains secure, Okta strongly recommends that you evaluate the following:

The use of legacy protocols with Microsoft Office 365 applications and whether to disable them if necessary

Whether to enable Modern Authentication on Microsoft Office 365 tenants for improved security

14
Q

What is Okta’s Sign-on Policy?

A

Okta sign-on policies can specify actions to take, such as allowing access, prompting for a challenge, and setting the time before prompting for another challenge. You can specify the order in which policies are executed and add any number of policies. If a policy in the list does not apply to the user trying to sign in, the system moves to the next policy.

You can specify any number of policies and the order in which they are executed. There is one required policy named Default. By definition, the default policy applies to all users.

In addition to the default policy, which you cannot delete, there is another policy named Legacy that is present only if you have already configured MFA. This policy reflects the MFA settings that were in place when you enabled your sign-on policy, and ensures that no changes in MFA behavior occur unless you modify your policy. If needed, you can delete it.

When a policy is evaluated, the conditions in the policy are combined with the conditions in the associated rules. Rules are applied when all these conditions are met.

Note: A policy with no rules cannot be applied.

Policies can contain multiple rules, and the order of the rules determines their behavior.

15
Q

What is Okta’s Password Policy?

A

Password policies enable admins to define password policies and associated rules that enforce password settings at the group and authentication-provider level. Okta provides a default policy to enforce the use of strong passwords to better protect your organization’s assets. Admins can also create additional policies that are less or more restrictive and apply them to users based on group membership.

Group Password Policy is now enabled for all orgs:

The Password tab on the Authentication page displays all group password policies. Initially, only the Default Policy and the Default Rule appear.

If Group Password Policy was previously not enabled, the Password tab now displays the Legacy Policy and the new Default Policy. The Legacy Policy reflects the org settings present when Group Password Policy was enabled and includes the Legacy Rule and the additional Default Rule.

16
Q

What is Okta’s Group Password Policy?

A

Using Group Password Policy

With group password policies, you can:

Define password policies and associated rules to enforce password settings on the group and authentication-provider level.

Create multiple policies with more or less restrictive rules and apply them to different groups.

Use policies to enforce the use of strong passwords to better protect your organization’s assets.

An error can occur during provisioning when a user’s Okta password meets the Okta password policy requirements but the password policy itself does not meet the application’s requirements. Ensure that the Okta password policy meets the application’s requirements, typically eight characters with an upper- and lower-case character and either a symbol or a number.

17
Q

What is Okta’s Policy on AD and LDAP Mastered Users?

A

Active Directory (AD) and LDAP mastered users

Group Password Policies are enforced only for Okta-, Active Directory (AD)-, and LDAP-mastered users.

For AD and LDAP mastered users, ensure that your AD and LDAP password policies don’t conflict with Okta policies. Passwords for AD and LDAP mastered users are still managed by the directory service. For example, some applications, such as Microsoft Office 365 and Google G Suite, check an Okta password policy when provisioning a user to ensure that the Okta policy meets the application’s password requirements.

Previous Group Password Policy options are not retained after the LDAP Group Password Policy feature is disabled.

When the LDAP Group Password Policy feature is enabled, a custom password policy message cannot be used and previous password policy messages are not applied.

When LDAP delegated authentication is disabled, the LDAP Group Password Policy no longer applies to LDAP mastered users.

18
Q

What is Okta’s Password Policy Evaluation?

A

Password Policy evaluation

A password policy is evaluated using the following criteria:

Complex requirements are evaluated when the password is set.

Based on the current policy and on when the user last set their password, unless the user’s password has already expired, in which case it remains expired.

For AD and LDAP mastered users, the AD and LDAP complexity requirements should match the AD and LDAP instances.

19
Q

What are Okta’s Password Policy Types?

A

Default policy: All Okta-mastered users are subject to the Default Policy unless another policy applies. The Default Policy cannot be deactivated or deleted, and always holds the lowest ranking within the policy list.

Legacy Policy: In previous versions of the platform, password policy settings were located on the Security > General page. For orgs that were created before Group Password Policy was enabled, the Legacy policy and associated Legacy rules are preserved. Existing password policy settings for an org are copied to the Legacy Policy. All Legacy policy and rule settings are configurable.

Active Directory Policy: If you currently have one or more Active Directory (AD) integrations, an AD policy is automatically created for you. You can customize the elements of the policy and its rules.

LDAP Policy: If you currently have one or more LDAP integrations, an LDAP policy is automatically created for you. You can customize the elements of the policy and its rules.

20
Q

What is the advantage of configuring security within Okta?

A

Configuring security within Okta enables you to provide additional security layers on sensitive corporate data, while also enabling users to access data and applications securely. The Okta Policy Framework allows admins to configure password requirements, sign-on options, mobility requirements, and a lot more. The framework allows policies to be scoped to specific groups and can be applied to individual applications.

21
Q

The Okta Policy Framework allows admins to configure what?

A

Password requirements

Sign-on options

Mobility requirements, and a lot more

The framework allows policies to be scoped to specific groups and can be applied to individual applications.

22
Q

How are policies applied?

A

Policies are assigned to any group type and are applied sequentially.

For example, if you have two policies mapped to the same group, the second policy will never be executed.

All policies have associated rules that follow the same principle.

23
Q

How are policies different from rules?

A

While the specifics of policy rules are different for each policy type, rules are always context-scoped and policies are group-scoped.

24
Q

What are the different types of Policy?

A

Password: Define password policies and associated rules to enforce password settings at the group and authentication-provider level.

Multifactor: Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them.

Okta Sign-on: Sign-on policies determine the types of authentication challenges users receive.

Application Sign-on: Define application-level access parameters.

25
Q

What is a network zone?

A

A network zone is a security perimeter used to limit or restrict access to a network based on a single IP address, one or more IP address ranges, or a list of geolocations.

Network zones are defined and maintained by admins who wish to improve and strengthen network security for their organization and users.

26
Q

What is an IP Zone?

A

Create ranges of gateway IPs and Proxy IPs.

27
Q

What is a Dynamic Zone?

A

Create zones by country and region.

28
Q

The following Okta features use public gateway IPs:

A

Desktop SSO: Prevents the SSO redirect (to the IWA site) from occurring when accessed off premises.

Multi-factor Authentication (MFA): Permits an administrator to require MFA only when the system is accessed off premises.

Application Sign On Policies: Permits denial of access to certain applications when accessed off premises.

VPN notifications: Occurs when an off-premise application access requires on-premise access through a VPN connection.

29
Q

Why do we use zones?

A

Zones are used for many different reasons. A zone can be used to allow access or to deny access; it can also serve as a condition (“if you are on my network”) in different policies.

30
Q

How do you set up zones?

A

Security > Networks > “Add Zones”

Select IP Address or Dynamic Zones

Dynamic zones > Name > IP Type > Locations > Save

IP Zones > Gateway IPs > Proxy IPs

31
Q

How does Okta enable you to define password policies?

A

As specific as you require. You can define policies based on groups and/or the authentication provider.

For example, you might have an external Sales team made up entirely of Okta-mastered users, while your internal Sales team is made up entirely of Active Directory-mastered accounts. In Okta, you can create similar or unique password policies for these groups.

32
Q

How do you set up Password Policies in Okta?

A

Security > Authentication > Password policies > “Add New PW Policy” > Okta or Active Directory > Create Rule

33
Q

What are default policies?

A

Active Directory Policy

Default Policy

34
Q

What does the “default policy” apply to?

A

Okta Mastered users.

35
Q

What is the default policy for Active Directory?

A

“Active Directory Policy”

36
Q

What are some of the password policies?

A

Password length and complexity requirements

Restrict use of passwords like “password”

Password aging

Enforce password history for the past “4” passwords

Password expiration (e.g. 90 days)

Minimum password age

Prompt x days before lockout

Number of attempts to log in

Automatic unlock after x minutes

Show lockout failures

37
Q

What are account recovery options?

A

SMS

Email (default)

Password recovery questions (limit on characters)

38
Q

What do you have to create each time you create a policy?

A

Anytime you create a policy, you have to create a rule.

You can include or exclude people of a particular group.

You can use zones (e.g. only allow a password change when you are on a network).

39
Q

How do you create a Rule?

A

“Add Rule” > Rule Name > Exclude Users > If > IP is Zone > Perform Self-service Password selections.

40
Q

When can MFA be applied?

A

Multi-factor Authentication (MFA) can be applied at the moment a user signs on and also when accessing specific applications on the users homepage.

41
Q

What is MFA?

A

MFA is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors).

42
Q

What are factors?

A

Factors are often something that meets the criteria of something the user has (soft token) or something the user knows (security question).

It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

43
Q

What are the 3 steps to setting up MFA?

A

Select the factor

Factor Enrollment

Enforce the policy

44
Q

What are ways to “select a factor”?

A

To set up multi-factor authentication, your first step is to choose the factor type users will encounter when signing into Okta or a specific application.

45
Q

What are ways to “enroll”?

A

When creating MFA policies, you associate groups as appropriate. You also indicate how the configured MFA factors are to be applied.

46
Q

What are ways to enforce MFA?

A

Okta Sign-on policies are set up to enforce when you prompt for a second factor, and this can be set up for a specific group or for everyone in your Okta org.

47
Q

What are the application-specific sign-on policies and rules?

A

Application sign-on policies have similar parameters to Okta sign-on policies:

  1. you assign a name and then specify the people the policy applies to,
  2. the network location information,
  3. and the associated access.
48
Q

What is Okta Verify?

A

Okta Verify is a soft token application owned by Okta that can be downloaded from the application stores.

Google Authenticator is a soft token application, but it is not owned by Okta. It can be downloaded from application stores and works on iOS, Android, and Blackberry.

SMS Authentication is a text message code that is sent to a phone.

Symantec, Duo, RSA, and Yubikey are third party tools that your company might use for MFA. You can also use these options with Okta.

49
Q

Is Security Question a true MFA Option?

A

No. Security Question is not a true MFA option, but it can be used for end users who do not have a mobile device.

50
Q

What are some of the MFA enrollment policies?

A

Are assigned to groups

Indicate how the configured MFA factors are to be applied.

Use rules to determine enrollment criteria of when and where

Are a good way to transition between MFA factors; such as a 3rd party provider to an Okta factor

51
Q

What is the best way to transition from a 3rd party provider such as RSA to Okta?

A

Administrators can configure enrollment policies requiring users to configure both offerings on initial prompt. By making users configure both MFA factors, the administrators can eventually deactivate the 3rd party provider (RSA) but still have an active MFA factor through Okta.

52
Q

What does the Okta default sign-on policy do for MFA?

A

Similar to other features in Okta, there is a default sign-on policy.

The Default Policy is written so that Everyone accessing Okta from anywhere can log in without a multifactor authentication option enabled.

For specific use cases, you can create additional policies with associated rules.

For example, if you want members of a particular group, or specific people, to always be prompted for MFA when off network, create a policy and define the rule. The Okta Sign-on Policy enforces when the end user will be prompted for the additional factor.

53
Q

What is the workflow for MFA?

A

User: AuthN request

Okta: Push Notification

Okta Verify: Code Accepted

Okta: AuthN accepted

Okta: Access request granted

Salesforce: App access granted

54
Q

How do you configure MFA? (Select factor)

A

Security > MFA

Click on the factor and “Activate”.

Build the factor enrollment policy: when are we going to have our end users enroll in a multifactor factor?

“Add Multifactor Policy” > Add Policy > Policy name – Description – Assigned to Groups > Effective factors – Okta Verify – Google AuthN – Security Question

Create a Rule. Add Rule > Zone > Enroll in Multi-factor > Users get prompted to enroll the next time they log in.

Build the enforcement policy and select which factors.

Security > AuthN > “Add Policy” > Policy Name – Description – Assigned to Group > “Create Policy and Add Rule”

Add Rule > Select Zones > Authenticate via > Access is Allowed

The custom policy goes to the top for the “Sales Staff”. Everyone else gets the default policy.

You can’t change the default policy. It’s a catch-all.

55
Q

What do application sign-on policies allow administrators to do?

A

To enforce MFA at the application level.

Which MFA options are applied to the user depends on the MFA policies.

On the Sign On tab for applications, you can create application-specific sign-on policies and rules.

56
Q

What is the application sign-on workflow?

A

User: Click application icon

Okta: Confirms that app requires MFA

Okta: Returns MFA form to user

User: Submits MFA credentials

Okta: Validates MFA and generates a SAML assertion.

Okta: Redirects the user to SF with a SAML assertion

Browser: Access SF

SF: Validates the assertion and grants access.

SF: Home page.