Okta Flashcards

1
Q

What are mandatory components when creating your Okta Org?

A

People and Applications

2
Q

What are optional components when creating your Okta Org

A

Groups and Directories

3
Q

Can you change the account master for an account at any time after creation? For example, directory-mastered accounts can change to Okta-mastered when an external directory is decommissioned.

A

Yes

4
Q

If users want to access applications from a mobile device, what app should they use?

A

Okta Mobile

5
Q

On initial Okta authentication, what is required for non-SAML configured applications?

A

The Okta browser plugin. After the plugin is installed, users can access the applications as necessary.

6
Q

What is an Agent?

A

A lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta’s cloud service.

7
Q

What is the Application Integration Wizard (AIW)? And what kind of apps can you create with it?

A

If the application that you want to add does not already exist in the OIN, create it with the AIW. The AIW allows you to create custom SWA, SAML 2.0, and OIDC apps with immediate functionality.

8
Q

What is Attribute level mastering (ALM)?

A

It’s an enhancement to the profile-mastering concept. ALM changes the profile-mastering model by allowing administrators to override the source that masters the entire Okta user profile.

9
Q

What is an Identity Provider (IdP)?

A

It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.

10
Q

What is OpenID Connect (OIDC)?

A

An authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation.

11
Q

What is a Profile Master?

A

A profile master is an application (usually a directory service such as Active Directory, or a human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time.

12
Q

What is Provisioning?

A

CRUD - The ability to automatically create, read, update and deactivate a user in an application

13
Q

What does SP mean and how does it work with Okta?

A

An acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.

14
Q

What is SWA and what does it do?

A

An acronym for Secure Web Authentication. SWA is an SSO system developed by Okta to provide single sign-on for apps that don’t support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored so that users can access their apps without entering their credentials each time. When users first sign in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign in successfully.

15
Q

What is a Template App?

A

An app that can be used to create custom applications that are not in the OIN.

16
Q

What are the traits of Okta-mastered Users?

A
  • Created and Maintained in Okta
  • Authenticate against the Okta policy
  • Associated with Okta groups
  • Provide an alternate login method separate from an external directory
  • Governed by the Okta user profile
17
Q

What are the traits of Directory-Mastered Users?

A
  • Created and Maintained in the external directory
  • Pulled into Okta
  • Authenticate against the external directory
  • Associated with directory or Okta groups
  • Governed by the directory user profile
18
Q

What are the traits of Application-Mastered users?

A
  • Created and maintained in the application
  • Pushed to Okta
  • Authenticate against Okta or external directory
  • Governed by the application user profile
19
Q

What can an Okta-mastered Admin do around password and account management?

A
  • Define authentication settings in Okta
  • Manage account unlocks and resets through the Okta Administrator app
  • Can mass reset passwords
20
Q

What can an Okta-Mastered USER do around password and account management?

A
  • Can modify account information and change passwords on the account settings page
  • Can use the Forgot password link to reset password
21
Q

What can a Directory-Mastered Admin do around password and account management?

A
  • Define authentication settings in the directory service
  • Manage all account changes through the directory service

22
Q

What can/can’t a Directory-Mastered USER do around password and account management?

A
  • UNABLE to modify account information on the account settings page
  • Ability to change or reset passwords determined by administrator configuration
23
Q

What does enabling the Active Directory Password Policy options in Okta do?

A

It enables users to reset or change Active Directory passwords through the Okta interface.

Alternatively, you can disable delegated authentication and enable Sync Password, which passes the Okta password to Active Directory. Regardless of how you enable directory-mastered accounts to change passwords, the password policies are governed by the directory service server.

24
Q

What can a Super Admin do?

A

Has full access to perform all administrative tasks and permission sets in Okta

25
Q

What CAN’T an Organization Admin do?

A
  • Add, remove, and view administrators
  • Add, delete, and edit scope, claim, and policy on an authorization server
  • Edit default email settings for other admins
  • Add users to a group assigned admin privileges
  • Assign admin privileges to a group
  • NO application actions (view, add, assign, etc.)
  • No OMM Application actions
26
Q

What can an Application Admin do?

A
  • Can run reports and manage profile information
  • Can view users and groups, but not modify either
  • Can manage information on applications to which they are assigned access
27
Q

What CAN a Group Admin do?

A
  • All actions under User Management (View, activate, deactivate, edit profiles, password/MFA resets, create/delete users, clear user session)
  • View groups
  • Add Users to groups
  • Remove users from groups
  • Create/view user tokens
  • View user social tokens
28
Q

What can a Read-Only Admin do?

A
  • Can view and run reports
  • Can view users, groups, and applications, but cannot modify any settings
  • Can view, but not modify, organizational settings
29
Q

What can a Help-Desk Admin do?

A
  • Can view users
  • Can reset password and MFA
  • Can clear user session
30
Q

How do you create an individual Okta-Mastered User?

A

Directory > People > Add Person

31
Q

How do you import multiple Okta-Mastered Users?

A

People > More Actions > Import from CSV > Download CSV template

32
Q

For Directory-Mastered users, where do you perform account changes (including status changes)?

A

In the directory service. For example, if an employee has left the company and their account is mastered in Active Directory, change the status in Active Directory. The Okta Active Directory agent pulls the status update from Active Directory and pushes it to Okta. Okta then deactivates the user account.

33
Q

When an account has a Provisioned status, what must occur to change the status to Active? (2 options)

A
  • An administrator can manually activate the account.
  • With Just-in-time (JIT) provisioning enabled, the user authenticating to Okta for the first time changes the account to Active.
34
Q

Only Okta-mastered users can be suspended. True or False?

A

True. If an account associated with an API token is suspended, the token cannot be used.

35
Q

What happens if an account associated to a directory agent token is suspended?

A

If the account associated to a directory agent token is suspended, the agent stops working and users will not be able to authenticate.

36
Q

Before an account can be deleted, it must first be deactivated. True or False?

A

True

37
Q

You can deactivate an account through the Okta Admin app or API. T or F?

A

True

38
Q

After an account is deleted, can administrators create a new Okta user with the same username as the deleted one?

A

Yes

39
Q

Which Admin roles can delete a user?

A

Super Admin, Org Admin, and Group Admin

40
Q

The Okta system log retains past events that the deactivated user performed. How long does the log retain the activity?

A

The last 6 months

41
Q

How many Active Directory agents does Okta recommend you set up for each domain?

A

2 or more

42
Q

If you are setting up 2 Active Directory agents, will the setup be the same or different for both agents?

A

Same for both

43
Q

Does installing multiple agents in close geographical proximity to your users enhance performance?

A

No

44
Q

When you have multiple agents installed, how does the system know which agent to use?

A

The system will automatically select the appropriate agent based on user location.

45
Q

What system requirements are needed for you to successfully install and configure the Okta Active Directory agent?

A
  • Windows Server 2008 R2 or later
  • 256Mb RAM
  • Should be a domain member server
  • Always on

The host server of the agent must also be a member of the same Windows domain as the Active Directory users.
46
Q

What USER account requirements are needed for you to successfully install and configure the Okta Active Directory Agent?

A
  • Active Directory administrator account
  • Okta Super Administrator
  • Okta Active Directory service account
47
Q

During the AD server installation, you are asked if you want to let the installer create the Okta Active Directory service account. To do so, what are the permissions you must have for this?

A
  • Must be a member of the Domain Admins group, because you must be able to create a new Active Directory user that will act as the Active Directory agent service account
  • Must have local administrator privileges
48
Q

Do you need to create an Okta mastered administrator account before you begin installing the Active Directory agent?

A

Yes. This user should have an Okta-specific password and not an Active Directory password.

49
Q

How do you set up Active Directory with Okta?

A

Directory > Directory Integrations > Add Active Directory > Setup Active Directory > Download Agent

50
Q

When importing users from AD, where can you specify the behaviors for exact, partial, and no matches on user accounts imported from AD?

A

Import Matching Rules

51
Q

What is JIT Provisioning?

A
  • Enables automatic user account creation in Okta the first time a user authenticates with one of the following methods: AD Delegated Authentication, Desktop SSO, Inbound SAML
  • Will not create a new account for existing users or for accounts that have been confirmed but not activated. However, JIT will update an existing user’s profile at their next log in.
52
Q

What provisioning features are enabled when AD is the main user store?

A
  • CRUD (where the D is deactivate)
  • Profile master
  • Sync password

On user creation, admins can also specify activation email recipients.

Admins can also specify different username and common name formats.

53
Q

If customers are transitioning away from AD to Okta as a user store, what features need to be enabled to make Okta the source of truth on user attributes?

A

“Update user attributes” and “deactivate users”

54
Q

What is Desktop SSO?

A

When a user authenticates to the network via desktop and then opens a browser to access Okta, Okta detects the IP address and automatically authenticates the user into Okta and applications.

55
Q

What is Okta IWA?

A

Microsoft Integrated Windows Authentication. A lightweight Internet Information Services (IIS) web app that enables Desktop SSO on the Okta Service.

56
Q

What are the server requirements to integrate an LDAP directory?

A

  • Windows-based agent:
    • Windows Server 2008 R2 or newer
    • The Windows server must be able to reach the LDAP host and port.
  • Linux-based agent must be installed on an RPM-enabled Linux distribution such as CentOS or Red Hat. We also support DPKG-enabled Linux distributions such as Debian or Ubuntu.

57
Q

What are the Vendor Template requirements to integrate LDAP?

A
  • OpenDJ
  • OpenLDAP
  • Oracle Internet Directory
  • IBM
  • Sun ONE LDAP 5.2+, 6.*, and 7.*
  • Active Directory Lightweight Directory Services (AD LDS)
58
Q

What are the required USER accounts to integrate LDAP Agent?

A
  • A designated Okta administrator service account
  • Local LDAP service account
  • A designated LDAP user
59
Q

What are the 3 types of groups you can create?

A

Okta groups, directory groups, application groups

60
Q

What are the traits of an Okta group?

A
  • Okta groups are created and membership is managed in Okta.
  • The members of Okta groups can be Okta, directory, or application-mastered users.

61
Q

What are the traits of Directory Groups?

A
  • Directory groups are created and membership is managed in the external directory service.
  • Only directory-mastered users can be members of directory groups; this is established in the external directory service.
  • Directory groups are copied into Okta.
  • If the external directory instance is deactivated or deleted, the associated groups NO LONGER APPEAR in Okta.
62
Q

What are the traits of Application Groups?

A
  • Application groups are created and membership is managed in the application.
  • Members of application groups are pulled into Okta during application creation.
  • Application groups are copied into Okta.
  • If the application connector is deactivated or deleted, the group NO LONGER APPEARS in Okta.
63
Q

How do you create a group in Okta?

A

Directory > Groups > Add Group

64
Q

How are the different groups identified in Okta?

A

Icons - Okta icon, AD Icon, and application icon

65
Q

How do you delete directory or application groups?

A

You must delete the group on the directory service or application and then perform a FULL Import

66
Q

Only Okta groups can be deleted within Okta. T or F?

A

True

67
Q

Can you have duplicate group names from different directories?

A

Yes

68
Q

Can you have duplicate group names from the same directory?

A

No

69
Q

Can Group Rules be configured based on any user attribute or group membership?

A

Yes

70
Q

How does SWA store user credentials?

A

An encrypted format using AES encryption combined with a customer-specific private key

71
Q

When configuring SWA, what are your sign-in options?

A
  • User sets username and password
  • Admin sets username, user sets password
  • Admin sets username, password is the same as user’s Okta password
  • Admin sets a single username and password
72
Q

Do the contents of the General Settings tab vary for each application?

A

Yes. For example, GSuite requires tokens, and you specify which links to display on the user application page (Gmail, Drive, Calendar, etc.).

73
Q

All applications have a default sign on policy granting all assigned users access from any location. T or F.

A

True. You can create rules to define criteria consisting of:

  • Conditions: who and where
  • Actions: what and how
74
Q

If you require specific application access policies, where do you go to define the criteria?

A

Applications > Choose App > Sign On Tab > Sign On Policy Section > Add Rule

75
Q

What are the “Condition” options when specifying application access policies?

A
  • People: specify the who of the policy
  • Location: specify the where of the policy; anywhere or network specific

76
Q

What are the “Actions” options when specifying application access policies?

A
  • Access: specify the type of access: allowed or network specific
  • MFA: specify if the additional access through multifactor is required
77
Q

Does the Okta Browser Plugin support multiple accounts?

A

Yes. This is useful for admins with multiple accounts or users with access to multiple Okta orgs.

78
Q

What are the 3 roles in SAML?

A
  • User: end user trying to authenticate to the service
  • Service Provider (SP): the app or website the user is trying to access
  • Identity Provider (IdP): the entity that actually authenticates the user; in this case, Okta
79
Q

What’s a SP-initiated SAML Runtime flow?

A

The end user requests a service from the SP. The SP requests and obtains an identity assertion from Okta as the IdP. Based on this assertion, the SP can decide to authorize or authenticate the service for the end user.

80
Q

What features does Provisioning include?

A
  • Accounts for new users
  • Deprovisioning accounts for deactivated users
  • Synchronizing user attributes across multiple directories
  • Exclude Username Updates
  • Sync Okta Password
  • Profile Master (flags the app as the source of truth for user attribute info on users pulled in from the app)
81
Q

Can Okta import users and groups from an app like Workday through its standard API?

A

Yes.

82
Q

All Provisioning-enabled apps allow for the automatic import and confirmation of users into Okta. T or F?

A

True

83
Q

When does partial matching (when importing a user into Okta) occur?

A

When the first and last name of an imported user match those of an existing Okta user, but the user’s username and/or email address do not.

84
Q

Where do you define the schedules for user imports?

A

Directory > Directory Integration > Active Directory > Settings > Import and Provisioning > Schedule Import

85
Q

How can you configure how the user attributes from an application correspond to a user record in Okta?

A

Profile Editor

86
Q

If an application does not exist in the OIN, how do you add it?

A

Application Integration Wizard (AIW)

87
Q

What types of authentication does AIW support when configuring applications?

A

SWA, SAML 2.0, and OIDC

88
Q

When would you use a Templates Application?

A

When the app falls outside the authentication types that the AIW supports (SWA, SAML 2.0, OIDC). For example, if you have an app that supports WS-Fed and is not in the OIN, you could set up a Template Application for WS-Fed.

89
Q

As a best practice, should you use AIW or templates when adding new apps to the OIN?

A

AIW. Because some of the templates are being deprecated and no longer being updated, you should use the AIW if possible because it supports additional features and is continually updated.

90
Q

What’s the difference between configuring SAML 2.0 manually and dynamically?

A

Manually - you copy the Identity Provider Issuer URL into the new Single Sign-On Setting page and then upload the IdP certificate that you downloaded from Okta.

Dynamically - you do so via a metadata file that Okta provides. After enabling SAML in SFDC, create a new Single Sign-On setting by uploading the metadata file.

91
Q

How are Okta Policies enforced?

A

Top down based on XACML principles where the first applicable rule is executed and subsequent policies are ignored.

92
Q

What are the Okta Policy Types?

A
  • Password: Define password policies and associated rules to enforce password settings at the group and authentication-provider level.
  • Multifactor: Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them.
  • Okta Sign-On: Sign-on policies determine the types of authentication challenges users receive.
  • Application Sign-On: Define application-level access parameters.
93
Q

What does the Network page allow Admins to do?

A

Identify their network perimeter to Okta. Any IP address that is not included in the list is considered off network and subject to any off-network or out of zone security policies you might create.

94
Q

On the Network Page, what can you add IP addresses for?

A
  • Desktop SSO (whitelisting)
  • Out of zone (blacklisting) for MFA, application sign-on policies, or VPN notifications

95
Q

How detailed can you define password policies within Okta?

A
  • Can be refined to groups
  • Are associated with authentication providers: Okta or directory
  • Can refine password settings (length, complexity, etc.)
  • Can enable account recovery self-service options

Okta enables you to define password policies as specific as you require. You can define policies based on groups and/or the authentication provider. For example, you might have an external Sales team whose members are all Okta-mastered users, while your internal Sales team consists entirely of Active Directory-mastered accounts. In Okta, you can create similar or unique password policies for these groups.

96
Q

What can you define when creating/updating Password Policies?

A
  • Select Authentication provider (Okta vs. AD)
  • Select specific groups
  • Password requirements (length, complexity, age, lockout)
  • Recovery options for locked accounts
  • Works with delegated authentication
  • Rules
97
Q

What services are available for account recovery?

A

Email, SMS (Password reset/unlock), Voice (PW reset)

PW Reset is only SMS/Voice

98
Q

What are the factor types you can use for MFA?

A
  • Soft-based Token (ex. Okta Verify)
  • Phone: SMS and voice
  • 3rd Party: Duo, Yubikey, etc.
99
Q

How does On-Premise MFA work?

A

Supports configuration of an RSA agent or a generic on-prem MFA agent using standard OATH protocol parameters.

This factor acts as a RADIUS client and communicates with a RADIUS enabled on-premise MFA server, including RSA Authentication manager for RSA SecurIDs. Through this factor, companies can use second factor challenges from a variety of on-premise multifactor authentication tools.

100
Q

How are Enrollment Policies Created/configured?

A
  • Must be assigned to a group(s)
  • Indicate which factors are eligible
  • Indicate which factors are required or optional
  • Add Rules to determine enrollment criteria of when and where
  • Are a good way to transition between MFA factors; such as a 3rd party provider to an Okta factor
101
Q

How are MFA Enforcement Policies setup?

A

Security > Multifactor > Factor Enrollment.

Okta Sign-On policies are set up to enforce when you prompt for a second factor, and this can be set up for a specific group or for everyone in your Okta org.
For example, if you want members of a particular group, or specific people, to always be prompted for MFA when off network, create a policy and define the rule. The Okta Sign-On Policy enforces when the end user will be prompted for the additional factor.

This policy is written so that Everyone accessing Okta from anywhere can log in without a multifactor authentication option enabled.

102
Q

Where do you create Application Sign-On Policies?

A

Applications > Sign On > Add Rule

103
Q

What are the parameters (Rules) for an Application Sign-on Policy?

A

Application sign-on policies have similar parameters to Okta sign-on policies.
Once you assign a name you then need to specify:
• the people the policy applies to
• the network location information
• and the associated access.

104
Q

What does Profile Editor allow you to do?

A

Used to manage user profiles and their attribute mappings.

Profile Editor provides several capabilities:
• Store rich profiles of user attributes in Okta.
• Customize these profiles with custom attributes.
• Bi-directionally map and move attributes from Okta to applications.
• Transform attributes prior to storing/moving with a powerful expression language

These new capabilities enable you to do the following:
• Keep rich profile information in sync across HR systems (such as Workday), on-premises directories, and applications.
• Provision application user accounts with richer profile information such as roles, managers, or location which is useful for making access and authorization decisions.
• Construct Okta or application usernames from rich attributes and custom expressions.
• Collect and store any type of user attribute, including employee-provided values.

105
Q

The Okta user profile has default attributes, which you use to create application- and directory-specific profiles. T or F?

A

True. For example, the Okta user profile has 31 base attributes, while Salesforce only has 9. Using UD, you create a Salesforce user profile that maps attributes from the Okta user profile to the 9 Salesforce user attributes. This combination of associating, or mapping, the attributes between Okta and Salesforce becomes the User Application Profile for the Salesforce application.

When mapping attributes from a directory service such as Active Directory to the Okta user attributes, you create the User Directory Profile for the Active Directory instance.

106
Q

What is a Profile Master?

A
  • A Profile Master is an application or directory that acts as a source of truth for user profile attributes.
  • The priority determines which application or directory is considered the profile master for a user who is assigned to multiple profile master applications or directories.
107
Q

When disabling Active Directory as the profile master, you cannot reset an Active Directory password in Okta, because the credentials are still being managed by Active Directory. T or F?

A

True. You can, however, disable Delegated Authentication, and enable Active Directory Password Sync. This means that your users will have their delegated Okta password, but any subsequent password updates are pushed to Active Directory. With Active Directory disabled as the profile master, you can still provision new Active Directory accounts from Okta.

108
Q

What is Attribute-Level Mastering (ALM)?

A

ALM provides more granular control over how profiles are mastered by letting you specify different profile masters for individual attributes.
For example, an Okta user may have most of their attributes, such as first name, last name, and department, mastered by an HR system such as Workday. With ALM, their phone number and email address attributes can be mastered by Active Directory. Additionally, the secondary email address or preferred display name could be mastered inside Okta, and managed by an Okta administrator or the end user.

109
Q

Where do you enable applications for self-service?

A

Applications > Self Service > Settings.

110
Q

What can you do as an Admin regarding self-service apps?

A
  • Prevent or restrict any application for self-service
  • See what apps are enabled for self-service

111
Q

What criteria are needed to determine an access approval workflow for an application?

A
  • Who the approvers are
  • Notifications for approvals and denials
  • Timeframe for approver responses
  • Notifications on expired requests
112
Q

Who is involved in access request workflows?

A

Admin, End User, Approvers.

Administrators
• As part of the access request, the administrator defines who manages the access requests (Individual or groups of people can be configured to perform the approval role).
• With people defined as approvers, the admin then determines who is notified about approved and denied requests.
• Finally, the admin must also specify an access request duration and the notifications to occur when a request expires.

End Users
• After the admin configures the access request workflow, end users can submit app access requests.
• After requesting the app access, the end user must wait for a response from an approver.

Approvers
• When end users submit access requests, approvers are notified in an email of the impending request.
• Approvers can also see open requests in the Tasks section of their account through the Okta app.
• Depending on the app request, when approving access, the approver might also have to indicate the associated role for the user in the app (For example, Office 365 and Salesforce require additional configuration parameters when assigning new users).

113
Q

How are application-specific reports generated?

A

2 reports - Current Assignments (who is assigned to an application) and Recent Unassignments (who was unassigned from an application)

114
Q

What can you customize within Okta?

A
  • User Account
  • Optional User Account Fields
  • Okta User Communication
  • Deprovisioning Workflow
  • Browser Plugin
  • Display Language
  • Sign-In Page
  • Sign-Out Page
  • Application Access Error Page
115
Q

Can you customize messages/emails generated by Okta?

A

Yes, there are email templates that you can use the Expression Language to customize.

116
Q

What End User notifications can you customize?

A
  • New application assignments
  • Custom notifications sent by an admin (the admin creates and manages these notifications)

117
Q

What does the Okta Administration Dashboard page provide you with?

A

A summary of key Okta and application usage, activity, and notifications for any problems or outstanding work to be completed.

118
Q

What does the Status and Usage section in the Okta Admin Dashboard show?

A

Usage: Includes usage and application statistics for your company. You can expand this section to view Apps with Most Sign-Ins and Users with Most Okta Sign-Ins.

Status: The notification inbox providing a list of tasks you must complete and past actions you have taken. This section includes search fields for your people and applications.

In the Status section, Active Directory instances appear with high-level information:
• Red indicates a problem with the directory connection; the agent is probably not connected.
• Yellow always appears if you do not have a failover directory instance (a second agent) configured; it also denotes intermittent connection issues.
• Green indicates the connection is healthy.

119
Q

What are Tasks?

A

Tasks are generated during import and provisioning events. For example, an application provisioning error appears in the task list because it requires administrator assistance to resolve.

120
Q

What kind of Reports can you view within Okta?

A
  • For information about how people are accessing company data (app usage) and view access issues, you can use the reports within Okta.
  • To view administrative access and changes or directory service integration changes, you can access the system logs.
  • The Reports page displays report data that details how your end users are using their Okta accounts.
  • Data includes information such as application usage and access, deprovisioning details, and the exposure of suspicious activity.
121
Q

What does the System Log Panel display?

A
  • The System Log panel displays a list of all events, such as successful user sign-ons, how many users have been activated, and MFA usage, and it charts that activity over time.
  • Clicking information within a chart drills down to particular information about that event.
122
Q

You can access the system log on the Reports page in Okta. Can you also access the system log with the Okta API?

A

Yes
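An added example (not Okta's code) of what "access the system log with the API" looks like in practice: fetch_logs() shows the real call shape (GET /api/v1/logs with an SSWS token, filter in Okta's SCIM-style syntax such as eventType eq "user.session.start", paging by following the Link header's rel="next"), and the two triage functions run offline over constructed events that follow the System Log event schema (eventType, published, outcome.result, actor.alternateId, client.ipAddress). The org URL, token, users and IP addresses are made up; fetch_logs() is not executed here because it needs a live org.

```python
"""Added example (not Okta's code): pull Okta System Log events over the API
and triage them for failed-sign-in bursts. Sample events are constructed."""
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_event(published, user, ip, result):
    """Constructed System Log event carrying only the fields this example reads."""
    return {
        "eventType": "user.session.start",
        "published": published,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip},
    }


# Constructed sample (not real data): one IP hammering alice, another IP
# trying one password against several accounts (a spray).
SAMPLE_EVENTS = [
    make_event("2024-05-01T12:00:00.000Z", "alice@example.com", "203.0.113.10", "FAILURE"),
    make_event("2024-05-01T12:00:30.000Z", "alice@example.com", "203.0.113.10", "FAILURE"),
    make_event("2024-05-01T12:01:00.000Z", "alice@example.com", "203.0.113.10", "FAILURE"),
    make_event("2024-05-01T12:01:30.000Z", "alice@example.com", "203.0.113.10", "FAILURE"),
    make_event("2024-05-01T12:02:00.000Z", "alice@example.com", "203.0.113.10", "FAILURE"),
    make_event("2024-05-01T12:03:00.000Z", "alice@example.com", "198.51.100.7", "SUCCESS"),
    make_event("2024-05-01T12:05:00.000Z", "bob@example.com", "203.0.113.20", "FAILURE"),
    make_event("2024-05-01T12:06:00.000Z", "carol@example.com", "203.0.113.20", "FAILURE"),
    make_event("2024-05-01T12:07:00.000Z", "dave@example.com", "203.0.113.20", "FAILURE"),
]


def parse_published(ts):
    """Okta timestamps look like 2024-05-01T12:00:00.000Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def failed_sign_ins(events):
    """Yield (time, user, ip) for every failed user.session.start event."""
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        yield parse_published(ev["published"]), ev["actor"]["alternateId"], ev["client"]["ipAddress"]


def brute_force_by_user(events, threshold=5, window=timedelta(minutes=10)):
    """(ip, user) pairs with at least `threshold` failures inside a sliding window."""
    times = defaultdict(list)
    for t, user, ip in failed_sign_ins(events):
        times[(ip, user)].append(t)
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged


def password_spray_by_ip(events, min_users=3):
    """Source IPs that failed against at least `min_users` distinct accounts."""
    users = defaultdict(set)
    for _, user, ip in failed_sign_ins(events):
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def next_link(link_header):
    """Return the rel="next" URL from an Okta Link header, or None."""
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def fetch_logs(org_url, api_token, since, filter_expr=None):
    """Page through /api/v1/logs. Not run here: needs a live org and token."""
    params = f"since={since}&limit=1000"
    if filter_expr:
        params += "&filter=" + urllib.parse.quote(filter_expr)
    url = f"{org_url}/api/v1/logs?{params}"
    events = []
    while url:
        headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            page = json.load(resp)
            link = resp.headers.get("Link", "")
        if not page:
            break  # once caught up, Okta keeps handing out a next link with empty pages
        events.extend(page)
        url = next_link(link)
    return events
```

With the sample above, brute_force_by_user() flags ("203.0.113.10", "alice@example.com") with 5 failures and password_spray_by_ip() flags 203.0.113.20 against bob, carol and dave; the single success from 198.51.100.7 is ignored. Feed real events from fetch_logs() into the same two functions.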

123
Q

What do Community Created and Community Verified mean?

A

Community Created means that the app was created by the Okta community, but has not yet been tested and verified by Okta.

Community Verified indicates that the app was created by the community and has shown some evidence of quality, such as active usage or multiple members of the community using it. However, Okta has not tested it and does not support it in any way.

124
Q

What does Okta Verified mean?

A

Okta Verified indicates that the app was created either from the OAN or by Okta community users, then tested and verified by Okta.

125
Q

What is an OU?

A

An acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.

126
Q

How do you setup WS-Federation?

A

If O365 is already set up: Applications > Microsoft Office 365 app > Sign On tab > select the WS-Federation option.

127
Q

What does the Password Reveal feature do?

A

Allows end users to see the passwords of their apps.

  • An admin must enable password reveal for the particular app.
  • The end user must have permissions to manage the app’s password
  • End users cannot reveal the password of an app configured with shared credentials

If the feature is enabled, end users can go to: Settings > App Name > Settings > See Password > Reveal password

128
Q

What types of profiles does Universal Directory Support?

A

Okta User Profile and App User Profile

129
Q

What are the ways to open a support case?

A
  • By phone (Prem Plus customers get a special number)
  • Open a Case link

130
Q

What is the difference between OIDC and OAuth 2.0?

A

OIDC is an authentication layer. OAuth 2.0 is an authorization framework.

131
Q

Explain the challenges to SaaS and the advantages over on-prem solutions.

A

Challenges:
- User password fatigue
- Failure-prone manual provisioning/deprovisioning
- Compliance visibility
- Siloed user directories for each application
- Managing access across browsers and devices
- Keeping app integrations up to date
- Different administration models for different apps
- Sub-optimal utilization, lack of insight into best practices

132
Q

Which two sign-on methods are available for O365 and which should you use?

A

SWA and WS-Federation. Use WS-Federation: it federates sign-in with signed tokens, so Okta never has to store and replay the user's Office 365 password the way SWA does.

133
Q

What is Inbound SAML?

A

Inbound SAML allows users from external identity providers to SSO into Okta.

So in this case, Okta is a Service Provider, not Identity provider

134
Q

What is an SP-Initiated Flow?

A

When the user attempts to sign on to a SAML-enabled SP via its login page. Instead of prompting the user for a password, the SP redirects the user to Okta with a SAML AuthnRequest.

Ex. Going to Box will redirect to Okta but it was initiated from the Service provider side.

135
Q

What is an IdP-initiated flow?

A

This is when the user signs in to Okta (or Okta Mobile) first and launches the app from its chiclet (tile) on the dashboard; Okta then sends the SAML assertion to the app unsolicited, with no AuthnRequest preceding it.
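An added example (not Okta's or any SP's code) of the SP-initiated flow from cards 133 to 135 at the wire level: the SP builds a SAML 2.0 AuthnRequest, DEFLATE-compresses it, base64-encodes it and redirects the browser to the IdP's SSO URL with it in the SAMLRequest query parameter (the HTTP-Redirect binding). decode_redirect() reverses the same steps, which is how you inspect a SAMLRequest captured from a browser. The entity IDs, URLs and request ID are made up; the request is unsigned, and Okta can be configured to require signed requests.

```python
"""Added example (not Okta's code): encode and decode an SP-initiated SAML
AuthnRequest for the HTTP-Redirect binding. All identifiers are made up."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest. The SP must remember request_id to check InResponseTo later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml, idp_sso_url, relay_state=None):
    """Redirect binding: raw DEFLATE (no zlib header) -> base64 -> URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 means raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect(url):
    """Inverse of encode_redirect: returns (AuthnRequest XML, RelayState or None)."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]


def demo():
    """SP-initiated round trip with made-up endpoints; returns (url, xml, relay_state)."""
    idp_sso = "https://example.okta.com/app/exampleapp/0oaexample/sso/saml"  # made up
    xml = build_authn_request(
        sp_entity_id="https://box.example.com/sp",
        acs_url="https://box.example.com/saml/acs",
        idp_sso_url=idp_sso,
        request_id="_c0ffee",
        issue_instant="2024-05-01T12:00:00Z",
    )
    url = encode_redirect(xml, idp_sso, relay_state="/files/shared")
    decoded_xml, relay_state = decode_redirect(url)
    return url, decoded_xml, relay_state
```

Two checks the SP side owes on the way back: the assertion's InResponseTo must match the ID it issued (an IdP-initiated response carries none, which is exactly why some SPs reject it), and RelayState is attacker-controllable and must be validated before it is used as a post-login redirect.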

136
Q

What does the Okta Browser Plugin allow you to do?

A
  • Automatic app sign in
  • Automatically initiate an Okta Login
  • Automatically fills in credentials on sign-in pages
  • Automatically inserts passwords on "password update" pages
  • Monitors password updates
  • Admin link (if you're an admin)
  • End users can switch between multiple accounts
137
Q

Group Password Policies are enforced only for what type of users?

A

Okta-mastered and AD-mastered users. If your group is AD-mastered, make sure your AD password policies don't conflict with the Okta policies.

138
Q

Can sign on Policies contain multiple rules?

A

Yes, and you can specify the order in which they are executed.

139
Q

What are optional tasks when configuring AD?

A
  • Configure Profile Master and Lifecycle settings (if you want to make AD the source of truth for end users)
  • Configure Sync Password (syncs users' AD password with their Okta password)
140
Q

What are the 3 main strategies used to perform provisioning?

A
  • Agent-based provisioning (an agent installed in the local environment brokers the transactions between Okta and on-prem systems)
  • API-based provisioning (the Okta app connector is integrated with the app's provisioning API)
  • SAML JIT (Can create and update but not import or deprovision - most restricted strategy)
141
Q

How do you suspend, unsuspend, and verify the status of a user?

A

Go to Directory > People, open the user's page and click Suspend; a suspended user shows an Unsuspend button in its place. The user's current status (Active, Suspended, and so on) is shown on the same page and in the People list.

142
Q

Why are API tokens used with Okta?

A

They are used to authenticate requests to the Okta API. They are generated with the permissions of the user that created the token. They are also issued to Okta Agents during installation to access your Okta org.

They are valid for 30 days and automatically renew every time they are used with an API request.

143
Q

Explain the API token statuses (green, gray, red, Yellow).

A

Green - Token has been used within the last 3 days

Gray - Token has not been used in last 3 days and today is at least 7 days before its expiration date

Red - Token is within 7 days of expiring

Yellow - Token is suspicious (associated with an agent that is not registered in Okta)

144
Q

How does Okta protect service from load spikes/interruptions caused by submitted requests?

A
  • Rate Limiting
  • Concurrent Rate Limits (agent, MSFT O365, and all other traffic including API requests)
  • Default Rate Limits
  • End-User Rate Limit (40 requests per user per 10 seconds per endpoint)
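An added example (not Okta's code) of the client side of rate limiting: Okta answers HTTP 429 when a limit is exhausted and sends X-Rate-Limit-Limit, X-Rate-Limit-Remaining and X-Rate-Limit-Reset (the epoch second at which the window resets) on every API response, so a well-behaved integration waits until the reset instead of retrying blindly and slows down when the remaining count gets low. The transport is injectable, so the example runs offline against the constructed FakeTransport; urllib_transport() is the real wiring and is not exercised here. The org URL, token and header values are made up.

```python
"""Added example (not Okta's code): call the Okta API while honouring its
rate-limit headers. FakeTransport and its responses are constructed."""
import time
import urllib.error
import urllib.request


class Response:
    def __init__(self, status, headers, body=b""):
        self.status = status
        self.headers = headers
        self.body = body


def urllib_transport(api_token):
    """Real transport: hands back a Response for 429 too, so the caller can back off."""
    def send(method, url):
        req = urllib.request.Request(
            url, method=method,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return Response(resp.status, dict(resp.headers), resp.read())
        except urllib.error.HTTPError as err:
            return Response(err.code, dict(err.headers), err.read())
    return send


def seconds_until_reset(headers, now):
    """Seconds from `now` (epoch) until the window resets; never negative."""
    reset = int(headers.get("X-Rate-Limit-Reset", now))
    return max(0, reset - now)


def nearly_exhausted(headers, fraction=0.1):
    """True when fewer than `fraction` of the window's requests remain."""
    limit = int(headers.get("X-Rate-Limit-Limit", 0))
    remaining = int(headers.get("X-Rate-Limit-Remaining", 0))
    return limit > 0 and remaining < limit * fraction


def call_with_backoff(transport, method, url, max_retries=3, sleep=time.sleep, clock=time.time):
    """Send; on 429 sleep until the reset second (plus one) and retry, bounded."""
    retries = 0
    while True:
        resp = transport(method, url)
        if resp.status != 429 or retries >= max_retries:
            return resp, retries
        retries += 1
        sleep(seconds_until_reset(resp.headers, int(clock())) + 1)


class FakeTransport:
    """Constructed stand-in: the first `fail_times` calls return 429, then 200."""
    def __init__(self, fail_times, reset_at):
        self.fail_times = fail_times
        self.reset_at = reset_at
        self.calls = []

    def __call__(self, method, url):
        self.calls.append((method, url))
        if len(self.calls) <= self.fail_times:
            return Response(429, {"X-Rate-Limit-Limit": "600",
                                  "X-Rate-Limit-Remaining": "0",
                                  "X-Rate-Limit-Reset": str(self.reset_at)})
        return Response(200, {"X-Rate-Limit-Limit": "600",
                              "X-Rate-Limit-Remaining": "599",
                              "X-Rate-Limit-Reset": str(self.reset_at + 60)}, b"[]")


def demo(now=1_700_000_000, reset_at=1_700_000_010):
    """Run the wrapper against the fake; returns (status, retries, sleeps)."""
    sleeps = []
    transport = FakeTransport(fail_times=2, reset_at=reset_at)
    resp, retries = call_with_backoff(
        transport, "GET", "https://example.okta.com/api/v1/users",
        sleep=sleeps.append, clock=lambda: now,
    )
    return resp.status, retries, sleeps


if __name__ == "__main__":
    print(demo())  # (200, 2, [11, 11])
```

In the demo the window resets 10 seconds after "now", so each of the two 429s costs an 11-second sleep before the third call succeeds; against a live org swap FakeTransport for urllib_transport(token). Check nearly_exhausted() on successful responses too and pause before you hit the limit, because the concurrent limits are shared with agents and Office 365 traffic in the same org.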
145
Q

What information can you get from trust.okta.com?

A
  • Okta system status
  • Historical data

146
Q

What is delegated authentication?

A

Delegated authentication allows you to sign in with your IdP credentials using the Okta interface.

  • The Service Provider (App or Okta) does not store the password. It performs password validation with the IdP
  • IdP is the source of the password that will be verified.

Enable it if you want Active Directory (AD) to authenticate your users when they sign into Okta.

147
Q

Is Lifecycle Management possible with SWA apps?

A

No. SWA apps are SSO only

148
Q

What’s the difference between Password Sync and Delegated Authentication?

A

Password Sync syncs your password from your directory and then the Service Provider is able to verify on its own.

Delegated Authentication allows you to sign in with your directory credentials via Okta (or App).