Okta Flashcards
What are mandatory components when creating your Okta Org?
People and Applications
What are optional components when creating your Okta Org
Groups and Directories
Can you change the account master for an account at any time after creation? For example, directory-mastered accounts can change to Okta-mastered when an external directory is decommissioned.
Yes
If users want to access applications from a mobile device, what app should they use?
Okta Mobile
On initial Okta authentication, what is required for non-SAML configured applications?
The Okta browser plugin. After the plugin is installed, users can access the applications as necessary.
What is an Agent?
A lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta’s cloud service.
What is the Application Integration Wizard (AIW)? And what kind of apps can you create with it?
If the application that you want to add does not already exist in the OIN, create it with the AIW. The AIW allows you to create custom SWA, SAML 2.0, and OIDC apps with immediate functionality.
What is Attribute level mastering (ALM)?
It’s an enhancement to the profile-mastering concept. ALM changes the profile-mastering model by allowing administrators to override the source that masters the entire Okta user profile.
What is an Identity Provider (IdP)?
It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.
What is OpenID Connect (OIDC)?
An authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled
by the OpenID Foundation.
What is a Profile Master?
A profile master is an application (usually a directory service such as Active Directory, or human capital
management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time.
What is Provisioning?
CRUD - The ability to automatically create, read, update and deactivate a user in an application
What does SP mean and how does it work with Okta?
An acronym for service provider. Generally, an SP is a company, usually providing organizations with communications, storage, processing, and a host of other services. Within Okta, it is any website that accepts SAML responses as a way of signing in users, and has the ability to redirect a user to an IdP (e.g., Okta) to begin the authentication process.
What is SWA and what does it do?
An acronym for Secure Web Authentication. SWA is a SSO system developed by Okta to provide single sign-on for apps that don’t support proprietary federated sign-on methods or SAML. Users can enter their credentials for these apps on their homepage. These credentials are stored such that users can access their apps without entering their credentials each time. When users first sign-in to a SWA app from their homepage, they see a pop-up message asking if they were able to sign-in successfully.
What is a Template App?
An app that can be used to create custom applications that are not in the OIN.
What are the traits of Okta-mastered Users?
- Created and Maintained in Okta
- Authenticate against the Okta policy
- Associated with Okta groups
- Provide an alternate login method separate from an external directory
- Governed by the Okta user profile
What are the traits of Directory-Mastered Users?
- Created and Maintained in the external directory
- Pulled into Okta
- Authenticate against the external directory
- Associated with directory or Okta groups
- Governed by the directory user profile
What are the traits of Application-Mastered users?
- Created and maintained in the application
- Pushed to Okta
- Authenticate against Okta or external directory
- Governed by the application user profile
What can an Okta-mastered Admin do around password and account management?
- Define authentication settings in Okta
- Manage account unlocks and resets through the Okta Administrator app
- Can mass reset passwords
What can an Okta-Mastered USER do around password and account management?
- Can modify account information and change passwords on the account settings page
- Can use the Forgot password link to reset password
What can a Directory-Mastered Admin do around password and account management?
- Define authentication settings in the directory service
* Manage all account changes through the directory service
What can/can’t a Directory-Mastered USER do around password and account management?
- UNABLE to modify account information on the account settings page
- Ability to change or reset passwords determined by administrator configuration
What does enabling the Active Directory Password Policy options in Okta do?
It enables users to reset or change Active Directory passwords through the Okta interface.
Alternatively, you can disable delegated authentication and enable Sync Password, which passes the Okta password to Active Directory. Regardless of how you enable directory-mastered accounts to change passwords, the password policies are governed by the directory service server.
What can a Super Admin do?
Has full access to perform all administrative tasks and permission sets in Okta
What CANT an Organization Admin do?
- Add, remove, and view administrators
- Add, delete, and edit scope, claim, and policy on an authorization server
- Edit default email settings for other admins
- Add users to a group assigned admin privileges
- Assign admin privileges to a group
- NO application actions (view, add, assign, etc.)
- No OMM Application actions
What can an Application Admin do?
- Can run reports and manage profile information
• Can view users and groups, but not modify either
• Can manage information on applications to which they are assigned access
What CAN a Group Admin do?
- All actions under User Management (View, activate, deactivate, edit profiles, password/MFA resets, create/delete users, clear user session)
- View groups
- Add Users to groups
- Remove users from groups
- Create/view user tokens
- View user social tokens
What can a Read-Only Admin do?
- Can view and run reports
• Can view users, groups, and applications, but cannot modify any settings
• Can view, but not modify organizational settings
What can a Help-Desk Admin do?
- Can View users
• Can reset password and MFA
• Can clear user session
How do you create an individual Okta-Mastered User?
Directory > People > Add Person
How do you import multiple Okta-Mastered Users?
People > More Actions > Import from CSV > Download CSV template
For Directory-Mastered users, where do you perform account changes (including status changes)?
In the directory service. For example, if an employee has left the company and their account is mastered in Active Directory, change the status in Active Directory. The Okta Active Directory agent pulls the status update from Active Directory and pushes it to Okta. Okta then deactivates the user account.
When an account has a Provisioned status, what must occur to change the status to Active? (2 options)
- An administrator can manually activate the account.
- With Just-in-time (JIT) provisioning enabled, the user authenticating to Okta for the first time changes the account to Active.
Only Okta-mastered users can be suspended. True or False?
True. If an account associated with an API token is suspended, the token cannot be used.
What happens if an account associated to a directory agent token is suspended?
If the account associated to a directory agent token is suspended, the agent stops working and users will not be able to authenticate.
Before an account can be deleted, it must first be deactivated. True or False?
True
You can deactivate an account through the Okta Admin app or API. T or F?
True
After an account is deleted, can administrators create a new Okta user with the same username as the deleted one?
Yes
Which Admin roles can delete a user?
Super Admin, Org Admin, and Group
Admin
The Okta system log retains past events that the deactivated user performed; How long does the log retain the activity?
The last 6 months
How many Active Directory agents does Okta recommend you setup for each domain?
2 or more
If you are setting up 2 Active Directory agents, will the setup be the same or different for both agents?
Same for both
Does installing multiple agents in close geographical proximity to your users enhance performance?
No
When you have multiple agents installed, how does the system know which agent to use?
The system will automatically select the appropriate agent based on user location.
What system requirements are needed for you to successfully install and configure the Okta Active Directory agent?
• Windows Server 2008 R2 or later • 256Mb RAM • Should be a domain member server • Always on The host server of the agent must also be a member of the same Windows domain as the Active Directory users.
What USER account requirements are needed for you to successfully install and configure the Okta Active Directory Agent?
- Active Directory administrator account
- Okta Super Administrator
- Okta Active Directory service account
During the AD server installation, you are asked if you want to let the installer create the Okta Active Directory service account. To do so, what are the permissions you must have for this?
- Must be a member of the domain admins group because you must be able to create a new Active Directory user in Active Directory that will act as the Active Directory agent service account.
• Must have local administrator privileges
Do you need to create an Okta mastered administrator account before you begin installing the Active Directory agent?
Yes. This user should have an Okta-specific password and not an Active Directory password.
How do you setup Active Directory with Okta?
Directory > Directory Integrations > Add Active Directory > Setup Active Directory > Download Agent
When importing users from AD, where can you specify the behaviors for exact, partial, and no matches on user accounts imported from AD?
Import Matching Rules
What is JIT Provisioning?
- Enables automatic user account creation in Okta the first time a user authenticates with one of the following methods:
- AD Delegated Authentication, Desktop SSO, Inbound SAML
- Will not create a new account for existing users or for accounts that have been confirmed but not activated. However, JIT will update an existing user’s profile at their next log in.
What provisioning features are enabled wiehn AD is the main user store?
- CRUD(eactivate)
- Profile master
- Sync password
On user creation, admins can also specify activation email recipients.
Admins can also specify different username and common name formats
If customers are transitioning away from AD to Okta as a user store, what features need to be enabled to make Okta the source of truth on user attributes?
“Update user attributes” and “deactivate users”
What is Desktop SSO?
When a user authenticates to the network via desktop and then opens a browser to access Okta, Okta detects the IP address and automatically authenticates the user into Okta and applications
What is Okta IWA?
Microsoft Integrated Windows Authentication. A lightweight Internet Information Services (IIS) web app that enables Desktop SSO on the Okta Service.
What are the server requirements to integrate an LDAP directory?
• Windows-based agent:
o Windows Server 2008 R2 or
newer
o Windows server must beable to reach the LDAP host and port.
• Linux-based agent must be installed on an RPM-enabled Linux distribution such as CentOS or Red Hat. We also support DPKG enabled Linux distributions such as Debian or Ubuntu.
What are the Vendor Template requirements to integrate LDAP?
OpenDJ OpenLDAP OracleInternetDirectory IBM SunOneLDAP5.2+,6.*,and7.* ActiveDirectoryLightweightDirectory Services (AD LDS)
What are the required USER accounts to integrate LDAP Agent?
- A designated Okta administrator service account
- Local LDAP service account
- A designated LDAP user
What are the 3 types of groups you can create?
Okta groups, directory groups, application groups
What are the traits of an Okta group?
- Okta groups are created and membership is managed in Okta.
* The members of Okta groups can be Okta, directory, or application-mastered users.
What are the traits of Directory Groups?
- Directory groups are created and membership is managed in the external directory service.
- Only directory-mastered users can be members of directory groups; this is established in the external directory service.
- Directory groups are copied into Okta.
- If the external directory instance is deactivated or deleted, the associated groups NO LONGER APPEAR in Okta.
What are the traits of Application Groups?
- Application groups are created and membership is managed in the application.
- Members of application groups are pulled into Okta during application creation.
- Application groups are copied into Okta.
- If the application connector is deactivated or deleted, the group NO LONGER APPEARS in Okta.
How do you create a group in Okta?
Directory > Groups > Add Group
How are the different groups identified in Okta?
Icons - Okta icon, AD Icon, and application icon
How do you delete directory or application groups?
You must delete the group on the directory service or application and then perform a FULL Import
Only Okta groups can be deleted within Okta. T or F?
True
Can you have duplicate group names from different directories?
Yes
Can you have duplicate group names from the same directory?
No
Can Group Rules be configured based on any user attribute or group membership?
Yes
How does SWA store user credentials?
An encrypted format using AES encryption combined with a customer-specific private key
When configuring SWA, what are your sign-in options?
- User sets username and password
- Admin sets username, user sets password
- Admin sets username, password is the same as user’s Okta password
- Admin sets a single username and password
Do the contents of the General Settings tab vary for each application?
Yes. For ex. GSuite requires tokens and you specify which links to display on the user application page (gmail, drive, calendar, etc.)
All applications have a default sign on policy granting all assigned users access from any location. T or F.
True. You can create rules to define criteria consisting of:
- Conditions: who and where
- Actions: what and how
If you require specific application access policies, where do you go to define the criteria?
Applications > Choose App > Sign On Tab > Sign On Policy Section > Add Rule
What are the “Condition” options when specifying application access policies?
- People: specify the who of the policy
- Location: specify the where of the policy; anywhere or network specific
What are the “Actions” options when specifying application access policies?
- Access: specify the what type of access: allowed or network specific
- MFA: specify if the additional access through multifactor is required
Does the Okta Browser Plugin support multiple accounts?
Yes. This is useful for admins with multiple accounts or users with access to multiple Okta orgs.
What are the 3 roles in SAML?
- User: End-user trying to authenticate the service
- Service Provider (SP): the app or website the user is trying to access
- Identity Provider (IdP): the entity that actually authenticates the user; in this case, Okta
What’s a SP-initiated SAML Runtime flow?
The end user requests a service from the SP. The SP requests and obtains an identity assertion from Okta as the IdP. Based on this assertion, the SP can decide to authorize or authenticate the service for the end user.
What features does Provisioning include?
- Accounts for new users
- deprovisioning accounts for deactivated users
- synchronizing user attributes across multiple directories
- Exclude Username Updates
- Sync Okta Password
- Profile Master (flags the app as the source of truth for user attribute info on users pulled in from the app.
Can Okta import users and groups from an app like Workday through its standard API?
Yes.
All Provisioning-enabled apps allow for the automatic import and confirmation of users into Okta. T or F?
True
When does partial matching (when importing a user into Okta) occur?
When the first and last name of an imported user match that of an existing Okta user, but the user’s username or/and email address do not.
Where do you define the schedules for user imports?
Directory > Directory Integration > Active Directory > Settings > Import and Provisioning > Schedule Import
How can you configure how the user attributes from an application correspond to a user record in Okta?
Profile Editor
If an application does not exist in the OIN, how do you add it?
Application Integration Wizard (AIW)
What types of authentication does AIW support when configuring applications?
SWA, SAML 2.0, and OIDC
When would you use a Templates Application?
When the app falls outside the authentications that the AIW supports (SWA, SAML 2.0, OIDC). For ex. If you have an app that supports WS-Fed and is not in the OIN then you could setup a Template Application for WS-Fed
As a best practice, should you use AIW or templates when adding new apps to the OIN?
AIW. Because some of the templates are being deprecated and no longer being updated, you should use the AIW if possible because it supports additional features and is continually updated.
What’s the difference between configuring SAML 2.0 manually and dynamically?
Manually - you copy both the Identity Provider Issuer URL into the new Single Sign on Setting Page and then upload the IdP certificate that you downloaded from Okta.
Dynamically - You do so via metadata file that Okta provides. After enabling SAML in SFDC, create a new Single Sign-On setting by uploading the metadata file.
How are Okta Policies enforced?
Top down based on XACML principles where the first applicable rule is executed and subsequent policies are ignored.
What are the Okta Policy Types?
- Password: Define password policies and associated rules to enforce password settings at the group and authentication-provider level.
- Multifactor: Use the Multifactor Policies tab to create and enforce policies for your chosen MFA factors and the groups that are subject to them.
- Okta Sign-On: Sign-on policies determine the types of authentication challenges users receive.
- Application Sign-On: Define application-level access parameters.
What does the Network page allow Admins to do?
Identify their network perimeter to Okta. Any IP address that is not included in the list is considered off network and subject to any off-network or out of zone security policies you might create.
On the Network Page, what can you add IP addresses for?
- Desktop SSO (Whitelisting)
- Out of zone (blacklisting) for MFA, application sign-on policies, or VPN notifications
How detailed can you define password policies within Okta?
- Can be refined to groups
- Are associated with authentication providers: Okta or directory
- Can refine password settings (length, complexity, etc.)
- Can enable account recovery self-service options
Okta enables you to define password policies as specific as you require. You can define policies based on groups and/or the authentication provider. For example, you might have an external Sales team that are all Okta-mastered users, while your internal Sales team is all Active Directory mastered accounts. In Okta, you can create similar or unique password policies for these groups.
What can you define when creating/updating Password Policies?
- Select Authentication provider (Okta vs. AD)
- Select specific groups
- Password requirements (length, complexity, age, lockout)
- Recovery Options for for locked accounts
- Works with delegated authentication
- Rules
What services are available for account recovery?
Email, SMS (Password reset/unlock), Voice (PW reset)
PW Reset is only SMS/Voice
What are the factor types you can use for MFA?
- Soft-based Token (ex. Okta Verify)
- Phone: SMS and voice
- 3rd Party: Duo, Yubikey, etc.
How does On-Premise MFA work?
Supports configuration of an RSA agent or a generic on-prem MFA agent using standard OATH protocol parameters.
This factor acts as a RADIUS client and communicates with a RADIUS enabled on-premise MFA server, including RSA Authentication manager for RSA SecurIDs. Through this factor, companies can use second factor challenges from a variety of on-premise multifactor authentication tools.
How are Enrollment Policies Created/configured?
- Must be assigned to a group(s)
- Indicate which factors are eligible
- Indicate which factors are required or optional
- Add Rules to determine enrollment criteria of when and where
- Are a good way to transition between MFA factors; such as a 3rd party provider to an Okta factor
How are MFA Enforcement Policies setup?
Security > Multifactor > Factor Enrollment.
Okta Sign-on policies are setup to enforce when you are prompting for an second factor and this can be setup for a specific group or for everyone in your Okta org.
For example, if you want members of a particular group, or specific people, to always be prompted for MFA when off network, create a policy and define the rule. The Okta Sign-on Policy enforces when the end user will promoted for the additional factor.
This policy is written so that Everyone accessing Okta from anywhere can log in without a multifactor authentication option enabled.
Where do you create Application Sign-On Policies?
Applications > Sign On > Add Rule
What are the parameters (Rules) for an Application Sign-on Policy?
Application sign-on policies have similar parameters to Okta sign-on policies.
Once you assign a name you then need to specify:
• the people the policy applies to
• the network location information
• and the associated access.
What does Profile Editor allow you to do?
Used to manage user profiles and their attribute mappings.
Profile Editor provides several capabilities:
• Store rich profiles of user attributes in Okta.
• Customize these profiles with custom attributes.
• Bi-directionally map and move attributes from Okta to applications.
• Transform attributes prior to storing/moving with a powerful expression language
These new capabilities enable you to do the following:
• Keep rich profile information in-sync across HR systems (such as Workday), on- premises directories, and applications.
• Provision application user accounts with richer profile information such as roles, managers, or location which is useful for making access and authorization decisions.
• Construct Okta or application usernames from rich attributes and custom expressions.
• Collect and store any type of user attribute, including employee-provided values.
The Okta user profile has default attributes, which you use to create application and directory- specific profiles. T or F?
True. For example, the Okta user profile has 31 base attributes, while Salesforce only has 9. Using UD, you create a Salesforce user profile that maps attributes from the Okta user profile to the 9 Salesforce user attributes. This combination of associating, or mapping, the attributes between Okta and Salesforce becomes the User Application Profile for the Salesforce application.
When mapping attributes from a directory service such as Active Directory to the Okta user attributes, you create the User Directory Profile for the Active Directory instance.
What is a Profile Master?
- A Profile Master is an application or directory that acts as a source of truth for user profile attributes.
- The priority determines which application or directory is considered the profile master for a user who is assigned to multiple profile master applications or directories.
When disabling Active Directory as the profile master, you cannot reset an Active Directory password in Okta, because the credentials are still being managed by Active Directory. T or F?
True. You can, however, disable Delegated Authentication, and enable Active Directory Password Sync. This means that your users will have their delegated Okta password, but any subsequent password updates are pushed to Active Directory. With Active Directory disabled as the profile master, you can still provision new Active Directory accounts from Okta.
What is Attribute-Level Mastering (ALM)?
ALM provides more granular control over how profiles are mastered by letting you specify different profile masters for individual attributes.
For example, an Okta user may have most of their attributes, such as first name, last name, and department, mastered by an HR system such as Workday. With ALM, their phone number and email address attributes can be mastered by Active Directory. Additionally, the secondary email address or preferred display name could be mastered inside Okta, and managed by an Okta administrator or the end user.
Where do you enable applications for self-service?
Applications > Self Service > Settings.
What can you do as an Admin regarding self-service apps?
- Prevent or Restrict any application for self service
- See what apps are enabled for self-service
What criteria are needed to determine an access approval workflow for an application?
- Who the approvers are
- Notifications for approvals and denials
- Timeframe for approver responses
- Notifications on expired requests
Who is involved in access request workflows?
Admin, End User, Approvers.
Administrators
• As part of the access request, the administrator defines who manages the access requests (Individual or groups of people can be configured to perform the approval role).
• With people defined as approvers, the admin then determines who is notified about approved and denied requests.
• Finally, the admin must also specify an access request duration and the notifications to occur when a request expires.
End Users
• After the admin configures the access request workflow, end users can submit app access requests.
• After requesting the app access, the end user must wait for a response from an approver.
Approvers
• When end users submit access requests, approvers are notified in an email of the impending request.
• Approvers can also see open requests in the Tasks section of their account through the Okta app.
• Depending on the app request, when approving access, the approver might also have to indicate the associated role for the user in the app (For example, Office 365 and Salesforce require additional configuration parameters when assigning new users).
How are application-specific reports generated?
2 reports - Current Assignments (who is assigned to an applications and Recent Unassignements (who was unassigned to an application)
What can you customize within Okta?
- User Account
- Optional User Account Fields
- Okta User Communication
- Deprovisioning Workflow
- Browser Plugin
- Display Language
- Sign-In Page
- Sign-Out Page
- Application Access Error Page
Can you customized messages/emails generated by Okta?
Yes, there are email templates that you can use the Expression Language to customize.
What End User notifications can you customize?
- New Applications Assignments
- Custom notifications sent by an admin (admin creates and manages these notifications)
What does the Okta Administration Dashboard page provide you with?
A summary of key Okta and application usage, activity, and notifications for any problems or outstanding work to be completed.
What does the Status and Usage section in the Okta Admin Dashboard show?
Usage: Includes usage and application statistics for your company. You can expand this section to view Apps with Most Sign-Ins and Users with Most Okta Sign-Ins.
Status: The notification inbox providing a list of tasks you must complete and past actions you have taken. This section includes search fields for your people and applications.
In the Status section, the active directory instances appear with high-level information.
• Red indicates there is a problem with the directory connection; it is probably not connected.
• Yellow will always appear if you do not have a failover directory instance configured. It also denotes intermittent connection issues.
• Green indicates everything is good with the connection.
What are Tasks?
Tasks are generated during import and provisioning events. For example, an application provisioning error appears in the task list because it requires administrator assistance to resolve.
What kind of Reports can you view within Okta?
- For information about how people are accessing company data (app usage) and view access issues, you can use the reports within Okta.
- To view administrative access and changes or directory service integration changes, you can access the system logs.
- The Reports page displays report data that details how your end users are using their Okta accounts.
- Data includes information such as application usage and access, deprovisioning details, and the exposure of suspicious activity.
What does the System Log Panel display?
- The System Log panel displays a list of all events, such as successful user sign-ons, how many users have been activated, and MFA usage, and it logs the activity.
- Clicking information within a chart drills down to particular information about that event.
You can access the system log on the Reports page in Okta. Can you also access the system log with the Okta API?
Yes
What does Community Create and Community Verified mean?
Community Created means that the app was created by the Okta community, but has not yet been tested and verified by Okta.
Community Verified indicates that the app was created by the community and has shown some evidence of quality, such as active usage or multiple members of the community using it. However, Okta has not tested it and does not support it in anyway.
What does Okta Verified mean?
Okta Verified indicates that the app was created either from the OAN or by Okta community users, then tested and verified by Okta.
What is an OU?
An acronym of Organizational Unit. Organizational units are Active Directory containers into which you can place users, groups, computers, and other organizational units. It is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority.
How do you setup WS-Federation?
If O365 is already setup, select Applications > Microsoft O365 app > Sign On Tab > check WS-Federation Button
What does the Password Reveal feature do?
Allows end users to see the passwords of their apps.
- An admin must enable password reveal for the particular app.
- The end user must have permissions to manage the app’s password
- End users cannot reveal the password of an app configured with shared credentials
If feature is enabled, end users can go to: Settings > App Name > Settings > See Password > Reveal password
What types of profiles does Universal Directory Support?
Okta User Profile and App user Profile
What are the ways to open a support case?
- By Phone (Prem Plus customers get a special number)
- Open a Case Link
What is the difference between OIDC and OAuth 2.0?
OIDC is an authentication layer. OAuth 2.0 is an authorization framework.
Explain the challenges to SaaS and the advantages over on-prem solutions.
Challenges:
- User Password Fatigue
- Failure-Prone Manual Provisioning/de-provisioning
- Compliance visibility
Siloed User Directories for Each Application
- Managing Access across browsers and devices
- Keeping App Integrations up to date
- Different administration models for different apps
- Sub-optimal Utilization, lack of insight into best practices
Which two sign-on methods are available for O365 and which should you use?
SWA and WS-Federation. You should use WS-Federation because it’s more secure
What is Inbound SAML?
Inbound SAML allows users from external identity providers to SSO into Okta.
So in this case, Okta is a Service Provider, not Identity provider
What is an SP-Initiated Flow?
When the user attempts to sign onto a SAML-enabled SP via its login page. Instead of promptin gthe user to enter a password, it will redirect user to Okta.
Ex. Going to Box will redirect to Okta but it was initiated from the Service provider side.
What is an IdP-initated flow?
This is when the user logs into Okta or Okta Mobile and launches a chiclet.
What does the Okta Browser Plugin allow you to do?
- Automatic app sign in
- Automatically initiate an Okta Login
- Automatically fills in credentials on sign-in pages
- Automatically inserts passwords on “password update”pages
- Monitors password updates
- Admin Link (if youre an admin)
- End users can switch between multiple accounts
Group Password Policies are enforced only for what type of users?
Okta and AD-mastered users. If your group is AD-mastered, make sure your AD password policies dont conflict with the Okta policies
Can sign on Policies contain multiple rules?
Yes, and you can specify the order in which they are executed.
What are optional tasks when configuring AD?
- Configure Profile Master and Lifecycle settings (if you want to make AD the source of truth for end users)
- Configure Sync Password (syncs users’ AD pw with their Okta pw)
What are the 3 main strategies used to perform provisioning?
- Agent-based provisioning (An agent installed to the local environment brokers the tranactions between Okta and on-prem)
- API-base Provisioning (Okta app connector has been integrated to the App’s Provisioning API)
- SAML JIT (Can create and update but not import or deprovision - most restricted strategy)
How do you suspend, unsuspend, and verify the status of a user?
Go to the user’s page > click suspend on a user’s page.
Why are API tokens used with Okta?
They are used to authenticate requests to the Okta API. They are generated with the permissions of the user that created the token. They are also issued to Okta Agents during installation to access your Okta org.
They are valid for 30 days and automatically renew every time they are used with an API request.
Explain the API token statuses (green, gray, red, Yellow).
Green - Token has been using within the last 3 days
Gray - Token has not been used in last 3 days and today is at least 7 days before its expiration date
Red - Token is within 7 days of expiring
Yellow - Token is suspicious (associated with an agent that is not registered in Okta)
How does Okta protect service from load spikes/interruptions caused by submitted requests?
- Rate Limiting
- Concurrent Rate Limits (agent, MSFT O365, and all other traffic including API requests)
- Default Rate Limits
- End-User Rate Limit (40 requests per user per 10 seconds per endpoint)
What information can you get from trust.okta.com?
- Okta system status
- Historical data
What is delegated authentication?
Delegated authentication allows you to sign in with your IdP credentials using the Okta interface.
- The Service Provider (App or Okta) does not store the password. It performs password validation with the IdP
- IdP is the source of the password that will be verified.
Enable it if you want Active Directory (AD) to authenticate your users when they sign into Okta.
Is Lifecycle Management possible with SWA apps?
No. SWA apps are SSO only
What’s the difference between Password Sync and Delegated Authentication?
Password Sync syncs your password from your directory and then the Service Provider is able to verify on its own.
Delegated Authentication allows you to sign in with your directory credentials via Okta (or App).
