Okta Professional Cert Study

Question 1

What are the 3 types of users in Okta?

Answer 1

Okta-Sourced (Mastered), Directory-Sourced (Mastered), App-Sourced

Question 2

What is SAML?

Answer 2

Security Assertion Markup Language - standard protocol used to facilitate SSO. Can be used across multiple systems/domains by establishing a trusted relationship using digital certificates/signatures.

Question 3

What is LDAP?

Answer 3

Lightweight Directory Access Protocol - Directory source for users.

Question 4

What is AD?

Answer 4

Active Directory - MS Directory that is LDAP compliant can connect any app that uses LDAP.

Question 5

What is DSSO?

Answer 5

Desktop Single Sign On - Okta solution to allow users to log into AD connected computer and extend SSO to Okta configured Apps, reduce logins to Company and Cloud based apps.

Question 6

What is IWA?

Answer 6

Integrated Windows Authentication - AD version of DSSO, allows single login to company and some cloud apps

Question 7

What is in Workforce Identity Cloud?

Answer 7

SSO, MFA, Universal Directory, LCM, API Access Management, Advanced Server Access, Access Gateway

Question 8

What is in Customer Identity Cloud?

Answer 8

Auth0, Authenticating User management, MFA, LCM, B2B Int, Access Gateway

Question 9

What are the methods of App integration?

Answer 9

SAML, SWA, OIDC and SCIM

Question 10

What are the first two steps to create an app integration?

Answer 10

1. Create Integration, 2. Add users or groups

Question 11

What are the two sign-in flows for SAML?

Answer 11

1. SP-Initiated flow - user attempts sign in, redirected to IdP, then prompt login to IdP or desktop SSO.
2. IdP initiated flow - user logs into IdP, launches SP by clicking chicklet, if no SP account, SAML can JIT.

Question 12

What needs to be provided to the SP to do SSO?

Answer 12

1. IdP SSO URL
2. IdP Issuer Entity ID
3. The X.509 Cert

Question 13

Describe the Okta Browser Plug-in.

Answer 13

Enables auto login to apps that would manually require credentials. SWA uses browser plug-in.

Question 14

What is Universal Directory?

Answer 14

Manage Okta app and user profiles, 31 base attributes. Only you can modify or remove are First Name + Last Name. Default user name = email address

Question 15

What is SCIM provisioning?

Answer 15

System for Cross-domain Identity Management, used to perform provisioning actions between Okta + Cloud-based or On-prem apps.

Question 16

What are the advantages to using Okta for provisioning?

Answer 16

1. Account management
2. Importing users (AD, LDAP, or certain apps)
3. Configuring rules + Workflows
4. Reports

Question 17

When do you use SAML for integration? and describe the authentication method.

Answer 17

When app supports SAML, like Salesforce, RingCentral, Box and ServiceNow. Between IdP and SP. SP is not authenticating, rather trusting the cert from the IdP. no user name or password exchanged, only encrypted token.

Question 18

When do you use WS-FED for app integration?

Answer 18

When MS Mastered? - check this

Question 19

When do you use OIDC for integration?

Answer 19

When you want to use social networking to authenticate or a third party app

Question 20

When do you use SWA for integration?

Answer 20

Okta Secure Web Auth, when app doesn’t support proprietary federation or SAML. like Facebook, or Southwest Airlines. Requires Okta browser plug-in. Forms based integrations

Question 21

What are the 4 major use cases for Workflows?

Answer 21

1. Comprehensive provisioning for an app.
2. Complex “joiner, mover, leaver” flows
3. Resolve identity conflict and other data issues
4. Logging and Alerting on key lifecycle events

Question 22

What does a “Staged” user status mean?

Answer 22

The user account has been created, but the activation process has not been initiated. Account is in a dormant stage.

Question 23

What does “Pending user action” user status mean?

Answer 23

The user account has been added and the activation has been initiated, but the user has not yet set a password.

Question 24

What does “Active” user status mean?

Answer 24

The user account is active and the person can access all assigned applications.

Question 25

What does “Deactivated” user status mean?

Answer 25

The user account is inactive and the admin can’t assign any applications to the user.

Question 26

What does “Password Reset” user status mean?

Answer 26

The user is allowed to resolve forgotten password issue by resetting the password without relying on the service desk.

Question 27

What does “Password Expired” user status mean?

Answer 27

The account password has expired and needs to be changed.

Question 28

What does “Locked out” user status mean?

Answer 28

The account has been locked due to a consecutive number of incorrect passwords used.

Question 29

What does “Suspended” user status mean?

Answer 29

The user cannot log in due to an action taken by the administrator.

Question 30

What does a Super Administrator have the ability to do?

Answer 30

1. Has full access to perform all admin tasks and permission sets in Okta
2. Only role that can assign admin priveleges.

Question 31

What does the Organization Administrator have the ability to do?

Answer 31

1. Can perform most or-wide settings.
2. Can perform all management tasks for users and groups.
3. Cannot perform any application management tasks.

Question 32

What does the Application Administrator have the ability to do?

Answer 32

1. Can manage profile information
2. Can view users and groups, but not modify either.
3. Can manage information on applications to which they are assigned access.

Question 33

What does the Group Administrator have the ability to do?

Answer 33

1. Can create users, deactivate users, reset passwords.
2. Can also restrict these tasks to select group or groups of Okta users.
3. Cannot perform group creation and any application management tasks.

Question 34

What does the Read Only Administrator have the ability to do?

Answer 34

1. Can view and run reports
2. Can view users, groups, and applications, but cannot modify any settings.
3. Can view, but not modify organizational settings.

Question 35

What does the Help Desk Administrator have the ability to do?

Answer 35

1. Can view users
2. Can reset password and MFA
3. Can clear user session
4. Can unlock users

Question 36

What are the AD Integration System requirements?

Answer 36

Window Server 2012 R2 or later
Physical or virtual server
At least 2 CPU's and a minimum of 8 GB RAM
Should be a domain member server
.NET 4.5.2+
Always on

Question 37

What user accounts are required for AD Integration?

Answer 37

1. AD admin account
2. AD service account for Okta
3. Okta Super Admin account

Question 38

What are the AD sizing best practices for 0-30K users?

Answer 38

2 Okta AD Agents (per AD)

Question 39

What are the AD sizing best practices for 30K - 100K users?

Answer 39

3 Okta AD Agents (per AD)

Question 40

What are the AD sizing best practices for 100K+ users?

Answer 40

Work with Okta professional services

Question 41

What are the LDAP Agent Installation Server System Requirements?

Answer 41

Windows based agent:
- Windows Server 2008 R2+
- Windows server must be able to reach the LDAP host
Linux based agent:
- RPM-enabled distribution: CentOS, Red Hat
- DPKG-enabled distribution: Debian, Ubuntu

Question 42

What are the three types of Groups in Okta?

Answer 42

1. Okta Groups = only Okta, directory and application sourced users.
2. Directory Groups = created and managed by external directory. only directory-sourced users can be members of Directory Groups. If external directory is deactivated or deleted, associated groups are no longer in Okta.
3. Application Groups = groups created and managed in an app. pulled into Okta during app creation. if app connector is deactivated or deleted, group no longer appears in Okta

Question 43

What are the filters available in OIN?

Answer 43

1. SAML
2. OpenID Connect
3. WS-Federation
4. Secure Web Authentication
5. Provisioning
6. Workflows Compatible

Question 44

What information can you view on Trust.okta.com

Answer 44

1. System Status: Operational, etc
2. 12 month availability percentage
3. Security and Compliance information

Question 45

What can you view on Support.okta.com

Answer 45

1. system status
2. Release notes
3. support knowledgebase articles
4. Community portal
5. Case Studies
6. Support

Question 46

Are API tokens listed as suspicious until they are used once?

Answer 46

yes

Question 47

Do API tokens use a reversible encryption?

Answer 47

no, tokens are stored with an irreversible hash

Question 48

Is an API token visible only during creation?

Answer 48

yes, once you dismiss the window displaying the token, you cannot view it again

Question 49

What MFA options provide strong and effective resistance against MITM attacks?

Answer 49

U2F

Question 50

How can an admin assign an application to a user?

Answer 50

Group or Individual assignment

Question 51

Is this a required step to integrate Okta with LDAP?

- Install and configure the Okta LDAP Agent

Answer 51

Yes, this option is correct because the Okta LDAP agent is require to allow secure communication with Okta

Question 52

Is this a required step to integrate Okta with LDAP?

- Create a new LDAP directory

Answer 52

NO, Okta does NOT require a separate LDAP directory to store users.

Question 53

If a user cannot recall their password for a SWA app, what feature can they use to retrieve it?

Answer 53

“Reveal Password” - not password reset, this isn’t an option, nor is forgotten password

Question 54

Are you able to filter for “Supported Operating System” on the OIN?

Answer 54

NO, integration properties (SAML,etc) and name

Question 55

What are two security authentication factors that generate a 6 digit code soft token for Okta?

Answer 55

Google Authenticator, Okta Verify

Question 56

What is the first step to troubleshoot the Okta Browser plug-in?

Answer 56

Verity if it is enabled on the client’s browser.

Question 57

What are the importing methods for creating groups in Okta?

Answer 57

Groups must be created from the Okta admin application or imported from a directory or applicatino

Question 58

How does an Okta admin assign users to applications based on user profile attributes?

Answer 58

Group Rules

Question 59

What Okta product allows an Admin to create a custom authorization server?

Answer 59

API Access Management

Question 60

How long are API tokens valid?

Answer 60

30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again.

Question 61

What does green API token status mean?

Answer 61

Token has been used within the last three days

Question 62

What does Gray API token status mean?

Answer 62

Token has not been used in the last three days, and today is at least 7 days before it’s expiration date.

Question 63

What does Red API token status mean?

Answer 63

Token is within 7 days of expiring

Question 64

What does Yellow token status mean?

Answer 64

Token is suspicious.

Question 65

Why is an API token considered suspicious?

Answer 65

A suspicious token is associated with an agent that is not registered in Okta. To investigate, click on token name and review the provisioning for the associated agent.