OKTA Flashcards
What is Okta?
Okta is an identity and access management platform providing secure single sign-on, multi-factor authentication, lifecycle management, and more.
What is the primary role of an Okta org (organization)?
An Okta org is a private data container that represents your instance of Okta. It includes users, applications, policies, and configurations.
How does Okta differ from Active Directory?
Okta is a cloud-hosted identity provider focused on web and SaaS authentication (SAML, OIDC) and integrations, while Active Directory is Microsoft's on-premises directory service (LDAP and Kerberos) built primarily for Windows domain environments. The two are often used together: the Okta AD Agent imports AD users into Okta and can delegate password verification back to AD.
What is OIDC (OpenID Connect)?
OIDC is an identity layer on top of OAuth 2.0, allowing clients to verify the identity of end-users and obtain profile information in a RESTful, interoperable manner.
What is the difference between SAML and OIDC?
SAML 2.0 is an older, XML-based federation protocol in which the IdP issues signed assertions; it is still common for enterprise SaaS SSO. OIDC is a JSON-based identity layer on OAuth 2.0 that issues signed JWT ID tokens, and is the usual choice for modern web, mobile, and API-backed applications.
What is the purpose of an Okta ‘Application’?
An Okta ‘Application’ is any external service or application integrated with your Okta org for identity-related services such as SSO, user provisioning, or MFA.
What are Okta ‘Groups’ used for?
Groups in Okta are used to manage users collectively, applying access policies or provisioning rules to a set of users rather than individuals.
How do you set up Multi-Factor Authentication (MFA) in Okta?
In Okta Classic Engine you enable factors under Security > Multifactor and then attach MFA enrollment and sign-on policies to groups; in Okta Identity Engine the equivalent is Security > Authenticators, with authenticator enrollment policies and authentication policies. Prefer phishing-resistant factors (FIDO2/WebAuthn, Okta Verify) over SMS and voice, which are exposed to SIM swapping and interception.
What is Okta Verify?
Okta Verify is a mobile app that serves as a second factor for Okta login, supporting push notifications and TOTP codes.
What is the ‘Okta Integration Network’ (OIN)?
The OIN is a catalog of thousands of pre-built integrations that allow Okta customers to quickly configure SSO and provisioning for commonly used applications.
What does ‘Just-In-Time (JIT)’ provisioning mean in Okta?
With JIT provisioning, user accounts are automatically created or updated in Okta (or an external application) at the time of user login, reducing manual administration.
How do you set up lifecycle management in Okta?
Using the Lifecycle Management feature, you can configure rules to provision and deprovision accounts in connected applications based on user status in Okta or a directory source.
What is Okta’s ‘Universal Directory’?
Universal Directory (UD) is Okta’s identity store that holds user attributes and can map or transform those attributes to downstream applications or directories.
What is ‘Delegated Authentication’ in Okta?
Delegated Authentication lets Okta authenticate users against an existing identity store (such as Active Directory or an LDAP directory) instead of storing and verifying the password in Okta: the Okta AD or LDAP Agent forwards each login to the directory for verification, so the directory's password and lockout policies apply.
What is Okta’s API Access Management?
API Access Management in Okta extends OAuth 2.0 capabilities to secure API endpoints, enabling you to control which clients and users can access APIs.
What is an ‘API token’ in Okta, and how is it used?
An API token (an SSWS token) is a bearer secret for the Okta management API, sent as `Authorization: SSWS <token>`. Administrators create it under Security > API > Tokens; it is displayed only once, inherits the permissions of the admin who created it, and expires after 30 days without use. For automation, Okta's recommended alternative is an OAuth 2.0 service app (client credentials with scoped grants such as okta.users.read), which avoids tying scripts to a human admin's role.
How do you handle password policies in Okta?
You create a password policy under Security > Authentication > Password (Classic Engine) or Security > Authenticators > Password (Identity Engine), specifying minimum length and complexity, password history, maximum age, common-password checks, and lockout thresholds. You then assign the policy to groups; policies are evaluated in priority order, so the first matching policy wins.
What are ‘Sign-On Policies’ in Okta?
Sign-On Policies control access based on conditions like group membership, network zone or IP range, device state, and risk level; administrators can require MFA, restrict session length, or deny access under those conditions. Classic Engine has an Okta sign-on policy plus per-application sign-on policies; Identity Engine splits this into a global session policy and per-application authentication policies.
What is the purpose of an ‘Authorization Server’ in Okta?
Authorization servers issue OAuth 2.0 access tokens (JWTs) and OIDC ID tokens. Every org has the built-in org authorization server; API Access Management adds custom authorization servers, each with its own issuer URL (https://{yourOktaDomain}/oauth2/{authServerId}), audience, scopes, custom claims, and access policies. A resource server accepting these tokens must verify the signature against the server's JWKS keys and check issuer, audience, expiry, and scopes before trusting any claim.
How can you integrate Okta with Microsoft Office 365?
Through the Okta Integration Network (OIN), you select the Office 365 integration. Then configure SSO (SAML or WS-Fed) and, optionally, user provisioning to sync user attributes and license assignments.
What is the ‘Okta Agent’ and what is it used for?
Okta provides various agents (AD Agent, LDAP Agent, IWA Agent) that connect your on-prem directory to Okta for user import, authentication delegation, and provisioning tasks.
What are ‘Access Requests’ in Okta?
Access Requests provide a workflow for employees to request access to applications or roles, which can then be approved or denied by designated reviewers. This is part of Okta’s Identity Governance offerings.
What is Okta ‘Adaptive MFA’?
Adaptive MFA is Okta’s context-aware MFA, which evaluates device, network, location, and user-behavior signals and prompts for additional factors only when the assessed risk is elevated.
How does ‘Device Trust’ work with Okta?
Device Trust ensures only devices that meet specific security standards (like having a certificate installed or being domain-joined) can access certain applications through Okta.
What is ‘ThreatInsight’ in Okta?
ThreatInsight is a feature that uses data from Okta’s global network to detect and block authentication attempts from malicious or suspicious IP addresses.
What is the difference between ‘Push Groups’ and ‘Group Push’ in Okta?
They are the same feature. Group Push is Okta's name for provisioning Okta groups and their memberships into a connected application and keeping them in sync, and ‘Push Groups’ is the tab on the application's page where you configure it. Synchronization is one-way: Okta is the source of truth, and membership changes made directly in the application are overwritten on the next push.
How do you troubleshoot user login issues in Okta?
Check the System Log (Reports > System Log), filtering on the user and on event types such as user.session.start with outcome FAILURE and its reason (INVALID_CREDENTIALS, LOCKED_OUT, VERIFICATION_ERROR); verify group and policy assignments; confirm MFA enrollment; confirm the password is valid, or that the delegated directory is reachable and the account is not locked there; and rule out network zone, browser, or device issues.
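The same System Log events drive detection as well as troubleshooting. As an added example (not code from the page or from Okta), the following runs three checks over constructed log lines in the field layout of /api/v1/logs entries: password spraying (one IP failing against many accounts), brute force (many failures on one account), and a success immediately following a failure streak, which is the signal that a guess landed. The sample events, thresholds, and addresses are constructed for the example; ThreatInsight's own security.threat.detected events are worth alerting on separately.

```python
import json
from collections import defaultdict


def _event(event_type, result, reason, user, ip, published):
    """Build an event in the shape of an Okta System Log entry (/api/v1/logs)."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result, "reason": reason},
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip},
    }


# Constructed sample events, not real log data: a spray from one IP across
# several accounts, then a brute force on eve that ends with a success.
SAMPLE_EVENTS = [
    _event("user.session.start", "FAILURE", "INVALID_CREDENTIALS", user,
           "198.51.100.7", f"2024-05-01T08:00:0{i}.000Z")
    for i, user in enumerate(["alice@example.com", "bob@example.com",
                              "carol@example.com", "dave@example.com"])
] + [
    _event("user.session.start", "FAILURE", "INVALID_CREDENTIALS", "eve@example.com",
           "203.0.113.10", f"2024-05-01T09:00:{i:02d}.000Z")
    for i in range(5)
] + [
    _event("user.session.start", "SUCCESS", None, "eve@example.com",
           "203.0.113.10", "2024-05-01T09:00:30.000Z"),
    _event("user.session.start", "SUCCESS", None, "alice@example.com",
           "192.0.2.44", "2024-05-01T09:10:00.000Z"),
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def parse_log_lines(lines):
    """One JSON object per line, as exported from the System Log API."""
    return [json.loads(line) for line in lines]


def failed_logins(events):
    return [e for e in events
            if e.get("eventType") == "user.session.start"
            and e.get("outcome", {}).get("result") == "FAILURE"]


def detect_password_spray(events, min_users=3):
    """IPs that failed against at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in failed_logins(events):
        users_by_ip[e["client"]["ipAddress"]].add(e["actor"]["alternateId"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


def detect_brute_force(events, min_failures=5):
    """Accounts with at least min_failures failed logins in the window."""
    counts = defaultdict(int)
    for e in failed_logins(events):
        counts[e["actor"]["alternateId"]] += 1
    return sorted(user for user, n in counts.items() if n >= min_failures)


def success_after_failures(events, min_failures=3):
    """(user, ip) pairs where a successful login directly followed a streak
    of at least min_failures failures from the same IP against that user."""
    streak = defaultdict(int)  # (user, ip) -> consecutive failures so far
    hits = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        if e.get("eventType") != "user.session.start":
            continue
        key = (e["actor"]["alternateId"], e["client"]["ipAddress"])
        result = e["outcome"]["result"]
        if result == "FAILURE":
            streak[key] += 1
        elif result == "SUCCESS":
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0
    return hits
```

In practice the input is a page of events pulled with the System Log API's `since` and `filter` parameters rather than a static list; the thresholds here are deliberately low so the constructed sample trips them, and a production rule would window by time and exclude known corporate egress addresses.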
What are ‘Inline Hooks’ in Okta?
Inline Hooks are custom callouts that let you extend Okta’s out-of-the-box functionality (e.g., customizing authentication, registration, or token issuance) with external logic.
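As an added example (not code from the page or from Okta), here is the core of a token inline hook endpoint: it authenticates the callback from Okta, reads the user's profile from the hook request, and returns a com.okta.access.patch command that adds a department claim to the access token, refusing the token when the attribute is missing. The secret, profile attribute, claim name, and request body are constructed for the example; the request and response shapes follow Okta's token inline hook format.

```python
import hmac
import json

# Constructed secret; in practice it is the value configured as the hook's
# authentication header in the Admin Console and is loaded from a vault.
HOOK_SECRET = "example-hook-secret-not-for-production"


def _authorized(headers: dict) -> bool:
    """Okta sends the configured header (here "Authorization") on every call;
    reject anything that does not match, comparing in constant time."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented.encode(), HOOK_SECRET.encode())


def handle_token_hook(headers: dict, body: bytes):
    """Token inline hook logic. Returns (http_status, response_dict)."""
    if not _authorized(headers):
        return 401, {"error": {"errorSummary": "unauthorized"}}
    try:
        request = json.loads(body)
    except ValueError:
        return 400, {"error": {"errorSummary": "malformed request"}}
    if request.get("eventType") != "com.okta.oauth2.tokens.transform":
        return 400, {"error": {"errorSummary": "unexpected event type"}}
    profile = (request.get("data", {}).get("context", {})
               .get("user", {}).get("profile", {}))
    department = profile.get("department")
    if not department:
        # An error object in a 200 response tells Okta not to issue the token.
        return 200, {"error": {
            "errorSummary": "user has no department",
            "errorCauses": [{"errorSummary": "department attribute is required"}],
        }}
    return 200, {"commands": [{
        "type": "com.okta.access.patch",
        "value": [{"op": "add", "path": "/claims/department", "value": department}],
    }]}


def make_hook_request(profile: dict) -> bytes:
    """Constructed request body in the shape Okta sends to a token inline hook."""
    return json.dumps({
        "eventType": "com.okta.oauth2.tokens.transform",
        "data": {
            "context": {"user": {"id": "00u_example", "profile": profile}},
            "access": {"claims": {"sub": profile.get("login"), "scp": ["inventory.read"]},
                       "scopes": {}},
        },
    }).encode()


SAMPLE_REQUEST = make_hook_request({"login": "alice@example.com", "department": "Engineering"})
```

Two caveats a practitioner should keep in mind: the endpoint must be reachable only over HTTPS and must reject unauthenticated calls, since anything that can reach it can otherwise inject claims; and if the hook times out or is unreachable, Okta mints the token without the hook's changes, so logic that is meant to deny access belongs in an access policy, not only in a hook.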
How does ‘Custom Error Pages’ configuration work in Okta?
Under Customization > Custom Error Pages in the Admin Console, you can upload a custom page or configure brand elements. This way, you control the look and feel of error messages for end-users.
What is SCIM and how does Okta use it?
SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning. Okta can leverage SCIM to automatically create, update, or deactivate user accounts in external apps.
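As an added example (not code from the page or from Okta), here is a minimal in-memory SCIM 2.0 /Users resource of the kind an application exposes for Okta to provision into. It handles the three calls Okta makes most: the filtered GET Okta uses to look for an existing account, POST to create, and the PATCH Okta sends to deactivate; the store, session tracking, and error handling are constructed for the example, while the schema URNs and message shapes are the SCIM 2.0 ones.

```python
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# The only filter Okta needs for lookups: userName eq "value".
_FILTER = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)


class ScimUserStore:
    """In-memory SCIM 2.0 /Users resource. Each method returns
    (http_status, response_dict) as the HTTP layer would send it."""

    def __init__(self):
        self.users = {}     # id -> SCIM user resource
        self.sessions = {}  # id -> set of live application session ids

    def _error(self, status, detail, scim_type=None):
        body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def list_users(self, filter_expr=None):
        """GET /Users?filter=userName eq "..." (Okta checks for an existing
        account this way before it creates one)."""
        if filter_expr is None:
            matches = list(self.users.values())
        else:
            m = _FILTER.match(filter_expr.strip())
            if not m:
                return self._error(400, "unsupported filter", "invalidFilter")
            wanted = m.group(1).lower()
            matches = [u for u in self.users.values() if u["userName"].lower() == wanted]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def create_user(self, body):
        """POST /Users. userName must be unique, compared case-insensitively."""
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return self._error(400, "schemas and userName are required", "invalidValue")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return self._error(409, "userName already exists", "uniqueness")
        user_id = str(uuid.uuid4())
        user = {"schemas": [SCIM_USER], "id": user_id, "userName": body["userName"],
                "name": body.get("name", {}), "emails": body.get("emails", []),
                "active": bool(body.get("active", True))}
        self.users[user_id] = user
        self.sessions[user_id] = set()
        return 201, user

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}. Okta deactivates with
        {"Operations": [{"op": "replace", "value": {"active": false}}]}."""
        user = self.users.get(user_id)
        if user is None:
            return self._error(404, "user not found")
        if SCIM_PATCH not in body.get("schemas", []):
            return self._error(400, "PatchOp schema required", "invalidValue")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return self._error(400, "only replace is supported", "invalidValue")
            value = op.get("value", {})
            if "path" in op:  # alternative form: {"op": "replace", "path": "active", "value": false}
                value = {op["path"]: op["value"]}
            for attr, new in value.items():
                if attr not in ("active", "userName", "name", "emails"):
                    return self._error(400, f"unsupported attribute {attr}", "invalidPath")
                user[attr] = new
            if user["active"] is False:
                # Deprovisioning must also end live sessions, or the account
                # stays usable until its application session expires.
                self.sessions[user_id].clear()
        return 200, user

    def open_session(self, user_id, session_id):
        """Application login: refused for unknown or deactivated users."""
        if not self.users.get(user_id, {}).get("active"):
            return False
        self.sessions[user_id].add(session_id)
        return True
```

The deactivation path is the security-relevant one: SCIM only flips the `active` flag, so the application is responsible for revoking sessions and refresh tokens itself; an integration that passes Okta's provisioning tests but leaves sessions alive still lets a terminated user keep working until the session times out.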
What are best practices for securing Okta API tokens?
Store tokens in a secrets manager, never in source code or configuration checked into version control; create them from a least-privileged admin account, since a token inherits its creator's role; prefer OAuth 2.0 service apps with narrowly scoped grants for automation; revoke tokens that are no longer needed (unused tokens expire after 30 days anyway) and rotate the rest on a schedule; restrict where they can be used with API token network zones; and monitor the System Log for token creation and revocation events.
How does Okta compare to Entra ID for single sign-on (SSO)?
Both Okta and Entra ID offer SSO capabilities, but Okta has a broader catalog of pre-built integrations (OIN). Entra ID integrates deeply with Microsoft 365 and other Azure services.
What are the main differences in MFA between Okta and Entra ID?
Okta supports Adaptive MFA and a wide range of authenticators (like Okta Verify), while Entra ID integrates closely with Microsoft Authenticator. Both can enforce conditional access, but they have different rule sets and administration UIs.
How do Okta and Entra ID differ in terms of licensing?
Okta has separate subscription tiers and add-ons (e.g., Adaptive MFA, Lifecycle Management, Identity Governance), while Entra ID (formerly Azure AD) licensing is often bundled with Microsoft 365 or EMS plans. Costs vary depending on the organization's existing Microsoft licenses.
Which platform integrates better with Microsoft 365, Okta or Entra ID?
Entra ID integrates natively with Microsoft 365, offering built-in provisioning and licensing. Okta also offers robust integration but relies on the Okta Integration Network and additional configuration steps for the same depth of integration.
What about user provisioning: Okta vs. Entra ID?
Both use SCIM-based provisioning. Okta's Lifecycle Management is vendor-neutral and offers an extensive set of pre-built provisioning connectors. Entra ID integrates directly with Microsoft services, with third-party connectors available through the Microsoft Entra application gallery.
How does device management compare between Okta and Entra ID?
Okta focuses on identity-centric device trust (certificates, Okta Verify device registration, domain-join checks) and integrates with third-party MDM and EDR tools, while Entra ID ties into Intune (formerly Microsoft Endpoint Manager) for deeper device compliance policies in the Microsoft ecosystem.
Does Okta support conditional access policies similar to Entra ID?
Yes, Okta has sign-on policies and adaptive MFA, which function similarly to Entra ID’s conditional access. However, Microsoft’s conditional access offers tighter integrations with the broader Microsoft ecosystem and device compliance checks via Intune.
How does each solution handle B2B collaboration?
Okta provides B2B solutions by allowing external user accounts from other IdPs (via federation) or social logins. Entra ID’s B2B supports guest users in Microsoft 365 and cross-tenant access settings in Azure to streamline collaboration within the Microsoft world.
Which platform typically handles external customer identity (B2C) better?
Okta Customer Identity Cloud (built on Auth0) handles custom B2C scenarios, while Microsoft offers Azure AD B2C, now part of Microsoft Entra External ID. Each supports branded login pages, social identity providers, and custom user journeys; the choice usually depends on the surrounding ecosystem and how much customization is needed.
How does integration with on-premises Active Directory compare between Okta and Entra ID?
Entra ID synchronizes on-premises AD through Microsoft Entra Connect (formerly Azure AD Connect). Okta requires installing the Okta AD Agent on a domain-joined server. Both achieve user sync and delegated authentication, but Microsoft's path is more seamless in a fully Microsoft environment.
Can you manage Mac and Linux systems similarly in Okta and Entra ID?
Okta is platform-agnostic and uses device trust or third-party MDM integrations. Entra ID can enroll macOS and Linux devices, but typically relies on Microsoft Endpoint Manager or other solutions for deeper configuration management.
How do you approach identity governance in Okta vs. Entra ID?
Okta Identity Governance focuses on lifecycle management, access requests, and certification campaigns. Entra ID Governance (Azure AD P2) provides similar features with Access Reviews, Privileged Identity Management (PIM), and entitlement management. The core functionalities overlap, but each has unique workflows.
What about reporting and analytics in Okta compared to Entra ID?
Okta offers the System Log, dashboards, and security reports within its Admin Console and exposes the same events through the System Log API for export to a SIEM. Entra ID provides sign-in and audit logs with Azure Monitor, Microsoft Sentinel (formerly Azure Sentinel), and Power BI integrations for more extensive analytics in the Microsoft cloud.
Which solution is easier if I’m already invested in Microsoft 365?
Entra ID is typically more straightforward if you’re fully in the Microsoft ecosystem because it’s tightly integrated with Microsoft 365, Teams, and other Azure services. Okta can still integrate well but often requires additional setup steps for the same level of seamlessness.
What is the Okta Identity Engine (OIE)?
Okta Identity Engine is Okta’s next-gen platform that offers more flexible authentication and customization flows compared to the Classic Okta org experience.
How does Okta support FIDO2/WebAuthn?
Okta allows you to enable FIDO2/WebAuthn factors so that users can authenticate with security keys or built-in platform authenticators (e.g., Touch ID, Windows Hello).
What is an Okta ‘dynamic group’?
A dynamic group has rule-based membership, implemented in Okta with group rules: users automatically join or leave the group based on profile attributes (e.g., department, title), and rules can use Expression Language conditions such as user.department == "Engineering".
How do you perform device posture checks in Okta?
In Okta Identity Engine, device assurance policies check attributes reported by Okta Verify (OS version, screen lock, disk encryption) and can be combined with management and health signals from EDR or MDM integrations; these conditions are then referenced from authentication policies. Classic Engine relies on Device Trust and Adaptive MFA device context instead.
What is ‘Expression Language’ in Okta?
Okta’s Expression Language is a syntax used for attribute mappings, group rules, and policy conditions. String literals use double quotes, and built-in functions are available, e.g. user.firstName + "." + user.lastName, or String.toLowerCase(user.firstName).