Okta Professional Certification

Question 1

All eligible factor types are configured as optional in the Okta Enrollment Policy.

What is the expected outcome when end users are required to enroll?

Answer 1

A: End users are required to choose one of the approved factor types before continuing the enrollment process.

If all options are optional, but the policy is in place, the user must choose at least one approved factor in order to proceed.

Question 2

A company wants to automate the process of enabling employees to request access to SAML based applications. Once employees request access, application administrators need to review and accept or deny their request.

What is the Okta feature the company should use?

Answer 2

A: Application Request & Approval workflow.

This workflow enables users to request access to applications.

Question 3

What is the Application Integration Wizard used for?

Answer 3

A: It is used to create applications.

Question 4

What operation types does Okta support on an Okta sourced user?

Answer 4

A: Activate, Suspend, Delete.

Hide is not an option in Okta and adding the same app multiple times to a user is not supported.

Question 5

What are the lifecycle management operations in Okta for third-party applications?

Answer 5

A: Account creation, Update, Deactivate and Sync Password.

Account reset is not part of the lifecycle management operations.

Question 6

Who is the Okta Browser plugin management?

Answer 6

A: IT manages the plugin.

Question 7

Why would an end user NOT be authenticated when using MFA?

Answer 7

A: The end user made five unsuccesful attempts to authenticate using Google Authenticator.

Also, Okta supports Windows Hello for Microsoft Edge

Question 8

What is an example of a Service Provider (SP) initiated flow?

Answer 8

A: An end user logs in by navigating directly to an application.

Question 9

What options are available to an administrator when resetting the MFA for an end user?

Answer 9

A:

• Reset all factors for multiple users.
• Reset one or multiple factors for a single user

NOT available:

• Force end users to enroll in another factor type before reset
• Reset administration policies and restart all end users’ devices
• Create a new policy to un-assign end users form their factors is not an administrative action

Question 10

What is a true statement about default policies?

Answer 10

A: Default policies CANNOT be deleted.

NOT TRUE:
- The order of the default policies can be changed.
The default policy is always the last policy evaluated and only the outcome can be modified.
- An Okta Administrator can change the group assigned to the default policy.
The default policy applies to the Everyone group

Question 11

What are the profile types supported by Okta Universal Directory?

Answer 11

A: Application User Profile, Okta User Profile, Directory User Profile, Identity Provider User Profile.

Question 12

An Okta API token is set to expire after 30 days. What is a valid method of preventing the token from expiring?

Answer 12

A: Perform an action that requires the use of the API token. The expiration counter will reset once the API token is used.

Question 13

What are the benefits of using an Okta group?

Answer 13

A: Ability to contain end users from different identity sources.

Question 14

An Okta administrator wants to enable self-service password reset workflow for Okta sourced users. What actions are possible?

Answer 14

A:

• The administrator can customize the ‘Forgot Password’ email template. The ‘Forgot Password’ template is a configurable template under Emails and SMS.
• The administrator can restrict password reset workflow access to only users who are on-premise. The Password Policy rules have a configurable network parameter.

Question 15

What options are allowed as verification for self-service password reset?

Answer 15

A: Email, Voice and SMS

Question 16

What are NOT functionalities of the Okta Browser plugin?

Answer 16

A:
- Stores passwords on an end user’s local machine.
- Checks for common passwords in an Okta enabled Secure Web Authentication (SWA) application.
It can only check for common password use only for the primary authentication of the Okta user itself.
- Ensures sufficient password complexity.
It is ensured at Okta by setting Password policies , which do NOT have an effect on passwords passed or generated by the Okta browser plugin.
- Deprovision user accounts in applications

Question 17

What features are available with Okta MFA?

Answer 17

A:

• Ability to require that all users enroll in Okta verify.
• Ability to only allow IT administrators to enroll with RSA SecurID. Both enrollment and enforcement of factors is controlled at the group level.
• Ability to allow users to choose to enroll in one MFA from a list of configured factors.

Question 18

An Okta end user has a pending request for access to Box. Why would the end user might NOT be assigned to Box?

Answer 18

A:

• The approver for the workflow is deactivated and no one will receive the request and the user’s request is still pending.
• The only group containing the approver used in the approval process has been deleted. If the only one group containing the approver was deleted, then no one will receive the request and the user’s request is still pending.

Question 19

What information can an administrator find in the system log?

Answer 19

A: Suspicious activity.

Question 20

What are the application sign-on methods that Okta supports?

Answer 20

A:

• Secure Web Authentication (SWA)
• Security Assertion Markup Language (SAML 2.0)
• OpenID Connect

Question 21

What is the App Integration Wizard (AIW) used for?

Answer 21

A: Add applications that do NOT have prebuilt integrations.

Question 22

What are valid ways to activate an Okta user account?

Answer 22

A:

• Activate the Okta user account through the Okta Administrator Application
• Activate the Okta user account through the Users API call.

Question 23

What is a benefit of using SAML over SWA?

Answer 23

A: SAML authentication is more secure.

Question 24

What are the functions of the Okta browser plugin?

Answer 24

A:

• Automatically inserts passwords on ‘password update’ pages.
• Allows for automatic application sign-in
• Allows end users to initiate an Okta logon from the web page
• Automatically fills in credentials on sing-in pages

Question 25

What happens when an Active Directory integration is deactivated?

Answer 25

A: The AD users become Okta-sourced if not linked to another profile source.

Question 26

Which capability is available for ALL prebuilt Okta Integration Network (OIN) applications?

Answer 26

A: Group application assignment.

Question 27

What happens if all MFA factors are optional in an Enrollment Policy when end users enroll?

Answer 27

A: End users are required to choose a factor to enroll.

Question 28

What default permission does an Active Directory service account have at installation?

Answer 28

A: The ability to JIT provision users to Okta.

Question 29

What would be a recommended way for an Okta Administrator to open a case with Okta Support?

Answer 29

A: Call the toll-free number shown in the Okta Help Center.

Question 30

What is a standard technology that Okta uses for identity verification?

Answer 30

A: SAML.

Question 31

What is an example of an Identity as a Service (IDaaS) benefit provided by Okta?

Answer 31

A: Redundant architecture to ensure availability.

Question 31

What is an example of an Identity as a Service (IDaaS) benefit provided by Okta?

Answer 31

A: Redundant architecture to ensure availability.

Question 32

Which authentication method would allow a company to eliminatae application-specific passwords?

Answer 32

A: Web Services Federation (WS-Fed).

Question 33

What would be a best practice authentication method for application authentication?

Answer 33

A: SAML.

Question 34

Which factor types are available when configuring MFA for Okta-sourced users?

Answer 34

A:

• Okta Verify
• SMS Authentication
• Google Authenticator
• FIDO2 (WebAuthn)
• Symantec VIP
• On-Prem MFA
• RSA SecurID
• Email Authentication

Question 35

What would NOT be a supported feature of Universal Directory?

Answer 35

A:

- API Security

Question 36

What are the features of Universal Directory?

Answer 36

A:

• Schema Discovery
• Data transformation
• Attribute Level Sourcing

Question 37

What is a possible scenario for enabling Just-in-Time (JIT) Provisioning into Okta?

Answer 37

A: The Okta Active Directory (AD) Agent is installed and configured.

Question 38

Which strategy should be used to provision user accounts from Okta to an on-premises AD or LDAP directory?

Answer 38

A: Agent-based Provisioning.

Question 39

Which action CANNOT be performed through self-service by an end user withouut IT assistance?

Answer 39

A: Configure administrator access using the Okta user home page.

Question 40

How might Okta-sourced and directory-sourced users gain the same application access?

Answer 40

A: Create an Okta group and manually add each of the user.

Question 41

How can an end user reset their forgotten Okta password without calling their help desk?

Answer 41

A: SMS.

Question 42

Which action will allow users to access applications that do NOT support SAML?

Answer 42

A: Configure the applications for Secure Web Authentication (SWA).

Question 43

How could you differentiate the unique sign-on policies for Okta administrators from end users?

Answer 43

A: Group the administrators & create a sign-on policy for them.

Question 44

Which default base attribute can be marked as NOT required for Okta-sourced users?

Answer 44

A: Last Name.

Question 45

Which feature is available with Okta MFA?

Answer 45

A: Ability to require that all users enroll in Okta Verify.

Question 46

Which action allows an Okta administrator to enable self-service password reset for Okta users?

Answer 46

A: Administrators can limit password reset capability by zone.

Question 47

Which Okta feature would allow end users to grant application access to other users by request?

Answer 47

A: Application Request & Approval workflow.

Question 48

What is a valid configuration option for enforcing MFA enrollment in Okta?

Answer 48

A: Force users to enroll in MFA the first time a user is challenged for MFA.

Question 49

Which option is available for both MFA and password reset?

Answer 49

A: Security Question (Email).

Question 50

Which report should be run to reconcile application access with deactivated users in Okta?

Answer 50

A: Recent Unassignments.

Question 51

What is the minimum adminstrator role needed to configure a user as a Read-Only Administrator?

Answer 51

A: Super Administrator, only this role is allowed to create users.

Question 52

What is SAML?

Answer 52

A: Security Assertion Markup Language - standard protocol used to facilitate SSO. Can be used across multiple systems/domains by establishing a trusted relationship using digital certificates/signatures.

Question 53

What is LDAP?

Answer 53

A: Lightweight Directory Access Protocol - Directory source for users.

Question 54

What is AD?

Answer 54

A: Active Directory - MS Directory that is LDAP compliant can connect any app that uses LDAP.

Question 55

What is DSSO?

Answer 55

A: Desktop Single Sign On - Okta solution to allow users to log into AD connected computer and extend SSO to Okta configured Apps, reduce logins to Company and Cloud based apps.

Question 56

What is IWA?

Answer 56

A: Integrated Windows Authentication - AD version of DSSO, allows single login to company and some cloud apps.

Question 57

What is in Workforce Identity Cloud?

Answer 57

A: SSO, MFA, Universal Directory, LCM, API Access Management, Advanced Server Access, Access Gateway.

Question 58

What are the methods of App integration?

Answer 58

A: SAML, SWA, OIDC and SCIM.

Question 59

What are the first two steps to create an app integration?

Answer 59

A:

• Create Integration
• Add users or groups.

Question 60

What are the two sign-in flows for SAML?

Answer 60

A:

• SP-Initiated flow - user attempts sign in, redirected to IdP, then prompt login to IdP or desktop SSO.
• IdP initiated flow - user logs into IdP, launches SP by clicking chicklet, if no SP account, SAML can JIT.

Question 61

What needs to be provided to the SP to do SSO?

Answer 61

A:

• IdP SSO URL
• IdP Issuer Entity ID
• The X.509 Cert

Question 62

Describe the Okta Browser Plug-in.

Answer 62

A: Enables auto login to apps that would manually require credentials. SWA uses browser plug-in.

Question 63

What is Universal Directory?

Answer 63

A: Manage Okta app and user profiles, 31 base attributes. Only you can modify or remove are First Name + Last Name. Default user name = email address.

Question 64

What is SCIM provisioning?

Answer 64

A: System for Cross-domain Identity Management, used to perform provisioning actions between Okta + Cloud-based or On-prem apps.

Question 65

What are the advantages to using Okta for provisioning?

Answer 65

A:

• Account management
• Importing users (AD, LDAP, or certain apps)
• Configuring rules + Workflows
• Reports

Question 66

When do you use SAML for integration? Describe the authentication method.

Answer 66

A: When the app supports SAML (like Salesforce, RingCentral, Box and ServiceNow). Between IdP and SP. SP is not authenticating, rather trusting the cert from the IdP. no user name or password exchanged, only encrypted token.

Question 67

When do you use OIDC for integration?

Answer 67

A: When you want to use social networking to authenticate or a third party app.

Question 68

When do you use SWA for integration?

Answer 68

A: Okta Secure Web Auth, when the app doesn’t support proprietary federation or SAML, like Facebook, or Southwest Airlines. Requires Okta browser plug-in. Forms based integrations.

Question 69

What are the 4 major use cases for Workflows?

Answer 69

A:

• Comprehensive provisioning for an app.
• Complex “joiner, mover, leaver” flows
• Resolve identity conflict and other data issues
• Logging and Alerting on key lifecycle events

Question 70

What does a “Staged” user status mean?

Answer 70

A: The user account has been created, but the activation process has not been initiated. Account is in a dormant stage.

Question 71

What does “Pending user action” user status mean?

Answer 71

A: The user account has been added and the activation has been initiated, but the user has not yet set a password.

Question 72

What does “Active” user status mean?

Answer 72

A: The user account is active and the person can access all assigned applications.

Question 73

What does “Deactivated” user status mean?

Answer 73

A: The user account is inactive and the admin can’t assign any applications to the user.

Question 74

What does “Password Reset” user status mean?

Answer 74

A: The user is allowed to resolve forgotten password issue by resetting the password without relying on the service desk.

Question 75

What does “Password Expired” user status mean?

Answer 75

A: The account password has expired and needs to be changed.

Question 76

What does “Locked out” user status mean?

Answer 76

A: The account has been locked due to a consecutive number of incorrect passwords used.

Question 77

What does “Suspended” user status mean?

Answer 77

A: The user cannot log in due to an action taken by the administrator.

Question 78

What does a Super Administrator have the ability to do?

Answer 78

A:

• Has full access to perform all admin tasks and permission sets in Okta
• Only role that can assign admin priveleges.

Question 79

What does the Organization Administrator have the ability to do?

Answer 79

A:

• Can perform most org-wide settings.
• Can perform all management tasks for users and groups.
• Cannot perform any application management tasks.

Question 80

What does the Application Administrator have the ability to do?

Answer 80

A:

• Can manage profile information
• Can view users and groups, but not modify either.
• Can manage information on applications to which they are assigned access.

Question 81

What does the Group Administrator have the ability to do?

Answer 81

A:

• Can create users, deactivate users, reset passwords.
• Can also restrict these tasks to select group or groups of Okta users.
• Cannot perform group creation and any application management tasks.

Question 82

What does the Read Only Administrator have the ability to do?

Answer 82

A:

• Can view and run reports
• Can view users, groups, and applications, but cannot modify any settings.
• Can view, but not modify organizational settings.

Question 83

What does the Help Desk Administrator have the ability to do?

Answer 83

A:

• Can view users
• Can reset password and MFA
• Can clear user session
• Can unlock users

Question 84

What are the AD Integration System requirements?

Answer 84

A:

• Window Server 2012 R2 or later
• Physical or virtual server
• At least 2 CPU’s and a minimum of 8 GB RAM
• Should be a domain member server
• .NET 4.5.2+
• Always on

Question 85

What user accounts are required for AD Integration?

Answer 85

A:

• AD admin account
• AD service account for Okta
• Okta Super Admin account

Question 86

What are the AD sizing best practices for 0-30K users?

Answer 86

A: 2 Okta AD Agents (per AD).

Question 87

What are the AD sizing best practices for 30K - 100K users?

Answer 87

A: 3 Okta AD Agents (per AD).

Question 88

What are the AD sizing best practices for 100K+ users?

Answer 88

A: Work with Okta professional services.

Question 89

What are the LDAP Agent Installation Server System Requirements?

Answer 89

A:
- Windows based agent:
- Windows Server 2008 R2+
- Windows server must be able to reach the LDAP host
Linux based agent:
- RPM-enabled distribution: CentOS, Red Hat
- DPKG-enabled distribution: Debian, Ubuntu

Question 90

What are the three types of Groups in Okta?

Answer 90

A:

• Okta Groups = only Okta, directory and application sourced users.
• Directory Groups = created and managed by external directory. only directory-sourced users can be members of Directory Groups. If external directory is deactivated or deleted, associated groups are no longer in Okta.
• Application Groups = groups created and managed in an app. pulled into Okta during app creation. if app connector is deactivated or deleted, group no longer appears in Okta

Question 91

What are the filters available in OIN?

Answer 91

A:

• SAML
• OpenID Connect
• WS-Federation
• Secure Web Authentication
• Provisioning
• Workflows Compatible

Question 92

What information can you view on Trust.okta.com?

Answer 92

A:

• System Status: Operational, etc
• 12 month availability percentage
• Security and Compliance information

Question 93

What can you view on Support.okta.com?

Answer 93

A:

• system status
• Release notes
• support knowledgebase articles
• Community portal
• Case Studies
• Support

Question 94

Are API tokens listed as suspicious until they are used once?

Answer 94

A: Yes.

Question 95

Do API tokens use a reversible encryption?

Answer 95

A: No, tokens are stored with an irreversible hash.

Question 96

Is an API token visible only during creation?

Answer 96

A: Yes, once you dismiss the window displaying the token, you cannot view it again.

Question 97

What MFA options provide strong and effective resistance against MITM attacks?

Answer 97

A: U2F - U2F (Universal 2nd Factor) is an authentication standard that uses one key for multiple services. It simplifies and elevates the security provided by 2FA (two-factor authentication).

FIDO U2F tokens enable users to quickly and securely access any website or online service that supports the FIDO U2F protocol using a single device. To authenticate, a user simply inserts a universal serial bus (USB) token into any port. Then, the user presses the U2F token button and enters his or her password or PIN.

Question 98

How can an admin assign an application to a user?

Answer 98

A: Group or Individual assignment.

Question 99

Is this a required step to integrate Okta with LDAP?

- Install and configure the Okta LDAP Agent

Answer 99

A: Yes, this option is correct because the Okta LDAP agent is required to allow secure communication with Okta.

Question 100

Is this a required step to integrate Okta with LDAP?

- Create a new LDAP directory

Answer 100

A: No, Okta does NOT require a separate LDAP directory to store users.

Question 101

If a user cannot recall their password for a SWA app, what feature can they use to retrieve it?

Answer 101

A: “Reveal Password” - not password reset, this isn’t an option, nor is forgotten password.

Question 102

Are you able to filter for “Supported Operating System” on the OIN?

Answer 102

A: No, integration properties (SAML,etc) and name.

Question 103

What are two security authentication factors that generate a 6 digit code soft token for Okta?

Answer 103

A: Google Authenticator, Okta Verify.

Question 104

What is the first step to troubleshoot the Okta Browser plug-in?

Answer 104

A: Verify if it’s enabled on the client’s browser.

Question 105

What are the importing methods for creating groups in Okta?

Answer 105

A: Groups must be created from the Okta admin application or imported from a directory or application.

Question 106

How does an Okta admin assign users to applications based on user profile attributes?

Answer 106

A: Group Rules.

Question 107

What Okta product allows an Admin to create a custom authorization server?

Answer 107

A: API Access Management.

Question 108

How long are API tokens valid?

Answer 108

A: 30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again.

Question 109

What does green API token status mean?

Answer 109

A: Token has been used within the last three days.

Question 110

What does Gray API token status mean?

Answer 110

A: Token has not been used in the last three days, and today is at least 7 days before it’s expiration date.

Question 111

What does Red API token status mean?

Answer 111

A: Token is within 7 days of expiring.

Question 112

What does Yellow token status mean?

Answer 112

A: Token is suspicious.

Question 113

Why is an API token considered suspicious?

Answer 113

A: A suspicious token is associated with an agent that is not registered in Okta. To investigate, click on token name and review the provisioning for the associated agent.