Okta Professional Cert Study Flashcards
What are the 3 types of users in Okta?
Okta-Sourced (Mastered), Directory-Sourced (Mastered), App-Sourced
What is SAML?
Security Assertion Markup Language - standard protocol used to facilitate SSO. Can be used across multiple systems/domains by establishing a trusted relationship using digital certificates/signatures.
What is LDAP?
Lightweight Directory Access Protocol - Directory source for users.
What is AD?
Active Directory - Microsoft directory that is LDAP compliant; can connect to any app that uses LDAP.
What is DSSO?
Desktop Single Sign On - Okta solution that lets users log into an AD-connected computer and extend SSO to Okta-configured apps, reducing logins to company and cloud-based apps.
What is IWA?
Integrated Windows Authentication - AD version of DSSO; allows a single login to company and some cloud apps.
What is in Workforce Identity Cloud?
SSO, MFA, Universal Directory, LCM, API Access Management, Advanced Server Access, Access Gateway
What is in Customer Identity Cloud?
Auth0, Authenticating User management, MFA, LCM, B2B Int, Access Gateway
What are the methods of App integration?
SAML, SWA, OIDC and SCIM
What are the first two steps to create an app integration?
1. Create Integration, 2. Add users or groups
What are the two sign-in flows for SAML?
- SP-initiated flow - user attempts to sign in at the SP, is redirected to the IdP, then is prompted to log in to the IdP or signed in via desktop SSO.
- IdP-initiated flow - user logs into the IdP and launches the SP by clicking its chiclet; if no SP account exists, SAML JIT provisioning can create it.
What needs to be provided to the SP to do SSO?
- IdP SSO URL
- IdP Issuer Entity ID
- The X.509 Cert
Describe the Okta Browser Plug-in.
Enables auto login to apps that would manually require credentials. SWA uses browser plug-in.
What is Universal Directory?
Manages Okta app and user profiles; 31 base attributes. The only base attributes you can modify or remove are First Name + Last Name. Default user name = email address.
What is SCIM provisioning?
System for Cross-domain Identity Management, used to perform provisioning actions between Okta + Cloud-based or On-prem apps.
What are the advantages to using Okta for provisioning?
- Account management
- Importing users (AD, LDAP, or certain apps)
- Configuring rules + Workflows
- Reports
When do you use SAML for integration? and describe the authentication method.
When the app supports SAML, like Salesforce, RingCentral, Box and ServiceNow. Trust is between IdP and SP: the SP is not authenticating the user itself, rather trusting the cert from the IdP. No user name or password is exchanged, only an encrypted token.
When do you use WS-FED for app integration?
When MS Mastered? - check this
When do you use OIDC for integration?
When you want to use social networking to authenticate or a third party app
When do you use SWA for integration?
Okta Secure Web Authentication; used when the app doesn't support proprietary federation or SAML, like Facebook or Southwest Airlines. Requires the Okta browser plug-in. Forms-based integrations.
What are the 4 major use cases for Workflows?
- Comprehensive provisioning for an app.
- Complex “joiner, mover, leaver” flows
- Resolve identity conflict and other data issues
- Logging and Alerting on key lifecycle events
What does a “Staged” user status mean?
The user account has been created, but the activation process has not been initiated. Account is in a dormant stage.
What does “Pending user action” user status mean?
The user account has been added and the activation has been initiated, but the user has not yet set a password.
What does “Active” user status mean?
The user account is active and the person can access all assigned applications.
What does “Deactivated” user status mean?
The user account is inactive and the admin can’t assign any applications to the user.
What does “Password Reset” user status mean?
The user is allowed to resolve forgotten password issue by resetting the password without relying on the service desk.
What does “Password Expired” user status mean?
The account password has expired and needs to be changed.
What does “Locked out” user status mean?
The account has been locked due to a consecutive number of incorrect passwords used.
What does “Suspended” user status mean?
The user cannot log in due to an action taken by the administrator.
What does a Super Administrator have the ability to do?
- Has full access to perform all admin tasks and permission sets in Okta
- Only role that can assign admin privileges.
What does the Organization Administrator have the ability to do?
- Can perform most org-wide settings.
- Can perform all management tasks for users and groups.
- Cannot perform any application management tasks.
What does the Application Administrator have the ability to do?
- Can manage profile information
- Can view users and groups, but not modify either.
- Can manage information on applications to which they are assigned access.
What does the Group Administrator have the ability to do?
- Can create users, deactivate users, reset passwords.
- Can also restrict these tasks to select group or groups of Okta users.
- Cannot perform group creation and any application management tasks.
What does the Read Only Administrator have the ability to do?
- Can view and run reports
- Can view users, groups, and applications, but cannot modify any settings.
- Can view, but not modify organizational settings.
What does the Help Desk Administrator have the ability to do?
- Can view users
- Can reset password and MFA
- Can clear user session
- Can unlock users
What are the AD Integration System requirements?
- Windows Server 2012 R2 or later
- Physical or virtual server
- At least 2 CPUs and a minimum of 8 GB RAM
- Should be a domain member server
- .NET 4.5.2+
- Always on
What user accounts are required for AD Integration?
- AD admin account
- AD service account for Okta
- Okta Super Admin account
What are the AD sizing best practices for 0-30K users?
2 Okta AD Agents (per AD)
What are the AD sizing best practices for 30K - 100K users?
3 Okta AD Agents (per AD)
What are the AD sizing best practices for 100K+ users?
Work with Okta professional services
What are the LDAP Agent Installation Server System Requirements?
Windows based agent:
- Windows Server 2008 R2+
- Windows server must be able to reach the LDAP host
Linux based agent:
- RPM-enabled distribution: CentOS, Red Hat
- DPKG-enabled distribution: Debian, Ubuntu
What are the three types of Groups in Okta?
- Okta Groups = created in Okta; can contain Okta-, directory- and application-sourced users.
- Directory Groups = created and managed by an external directory. Only directory-sourced users can be members of Directory Groups. If the external directory is deactivated or deleted, the associated groups are no longer in Okta.
- Application Groups = groups created and managed in an app, pulled into Okta during app creation. If the app connector is deactivated or deleted, the group no longer appears in Okta.
What are the filters available in OIN?
- SAML
- OpenID Connect
- WS-Federation
- Secure Web Authentication
- Provisioning
- Workflows Compatible
What information can you view on Trust.okta.com?
- System Status: Operational, etc
- 12 month availability percentage
- Security and Compliance information
What can you view on Support.okta.com?
- system status
- Release notes
- support knowledgebase articles
- Community portal
- Case Studies
- Support
Are API tokens listed as suspicious until they are used once?
yes
Do API tokens use a reversible encryption?
no, tokens are stored with an irreversible hash
Is an API token visible only during creation?
yes, once you dismiss the window displaying the token, you cannot view it again
What MFA options provide strong and effective resistance against MITM attacks?
U2F
How can an admin assign an application to a user?
Group or Individual assignment
Is this a required step to integrate Okta with LDAP?
- Install and configure the Okta LDAP Agent
Yes, this option is correct because the Okta LDAP Agent is required to allow secure communication with Okta.
Is this a required step to integrate Okta with LDAP?
- Create a new LDAP directory
NO, Okta does NOT require a separate LDAP directory to store users.
If a user cannot recall their password for a SWA app, what feature can they use to retrieve it?
“Reveal Password” - not password reset, this isn’t an option, nor is forgotten password
Are you able to filter for “Supported Operating System” on the OIN?
NO; you can filter only by integration properties (SAML, etc.) and name.
What are two security authentication factors that generate a 6 digit code soft token for Okta?
Google Authenticator, Okta Verify
What is the first step to troubleshoot the Okta Browser plug-in?
Verify that it is enabled in the client's browser.
What are the importing methods for creating groups in Okta?
Groups must be created from the Okta admin application or imported from a directory or application.
How does an Okta admin assign users to applications based on user profile attributes?
Group Rules
What Okta product allows an Admin to create a custom authorization server?
API Access Management
How long are API tokens valid?
30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again.
What does green API token status mean?
Token has been used within the last three days
What does Gray API token status mean?
Token has not been used in the last three days, and today is at least 7 days before its expiration date.
What does Red API token status mean?
Token is within 7 days of expiring
What does Yellow token status mean?
Token is suspicious.
Why is an API token considered suspicious?
A suspicious token is associated with an agent that is not registered in Okta. To investigate, click the token name and review the provisioning for the associated agent.