When you are trying to federate (via WS-FED) Office 365 with Okta:
Solution: You can choose between SAML 2.0 or OIDC for the current integration
- A . Yes
- B . No
The Okta On-Prem MFA Agent acts as a RADIUS client and communicates with the RADIUS-enabled On-Prem server, including RSA Authentication Manager for RSA SecurIDs. This basically allows your organization to leverage Second Factor from a variety of On-Premises multifactor authentication tools.
Solution: The statement is true
- A . Yes
- B . No
There might be specific AD attributes, which – apart from others – do not appear in the Okta user profile. Can those extra attributes be mapped and provisioned towards an app?
Solution: No, it is not possible as Okta queries the whole AD schema and retrieves everything that it’s able to
- A . Yes
- B . No
Speaking of the Okta Template App and Okta Plugin Template App, which of the following RegEx can you create for an allow list of URLs so that both endpoints for /login or /change_password are accepted under the example.com domain?
Solution: https://example.com/(login|change_password)
- A . Yes
- B . No
When a user signs out of Okta, if they are using IWA, they’ll be redirected to the Sign In page and without inputting credentials they’ll be signed back in
Solution: Statement is true
- A . Yes
- B . No
With Okta Retention Policy, App generated data and reporting based on log data older than how many months is automatically removed (not considering the Backup Data)?
Solution: This data is never removed, as per GDPR
- A . Yes
- B . No
Okta AD Agents can be successfully and completely configured by:
Solution: Read-only administrators
- A . Yes
- B . No
When a user signs out of Okta, if they are using IWA, they’ll be redirected to the Sign In page and without inputting credentials they’ll be signed back in
Solution: Statement is false, as this would represent a security concern
- A . Yes
- B . No
On a Windows machine, which is the right behavior if you try to sign into your Okta org and agentless DSSO is properly configured for it?
Solution: You will be automatically redirected to your Load-Balancing Application, if you have one configured, enter credentials for it and then redirected back to Okta org
- A . Yes
- B . No
The Okta On-Prem MFA Agent acts as a RADIUS client and communicates with the RADIUS-enabled On-Prem server, including RSA Authentication Manager for RSA SecurIDs. This basically allows your organization to leverage Second Factor from a variety of On-Premises multifactor authentication tools.
Solution: The statement is partially true – as it has nothing to do with RSA
- A . Yes
- B . No
Once brought into Okta, LDAP roles are represented as:
Solution: Email lists
- A . Yes
- B . No
In an agentless DSSO (Desktop Single Sign-on) scenario, Okta is the one that decrypts the Kerberos ticket, finds the user name, authenticates the user and passes back a session to the browser.
Solution: The statement is valid, but Okta is not the one doing decryption – the browser is doing that
- A . Yes
- B . No
Regarding Access Request Workflow, when a user requests an app – he can also include a message to the approver. But you can also designate an approver group.
Solution: Only the second statement is true
- A . Yes
- B . No
The SCIM protocol is <response_is_entered_here> for provisioning and managing identity data on the web.
Solution: An application-level REST protocol
- A . Yes
- B . No
After you turn on Desktop SSO, a default DSSO related routing rule is created. You must configure the network information for this rule.
Solution: You have nothing to do and even the rule is by default set to "Active"
- A . Yes
- B . No
In Okta’s KB articles the set of functions under the ‘Provisioning’ concept are referred to as CRUD. This is a concept you also meet when referring to CRUD APIs.
What about its meaning here, in Okta’s vision?
Solution: In ‘Provisioning’, CRUD stands for Create, Read, Upload, Deprovision
- A . Yes
- B . No
Regarding Access Request Workflow, when a user requests an app – he can also include a message to the approver. But you can also designate an approver group.
Solution: Both statements are true
- A . Yes
- B . No
When a user’s Okta password is changed:
Solution: All apps that are Provisioning-enabled and have Update Attributes option active under Provisioning settings – will begin to sync the password in respective apps, as password is an attribute of their profile – but only if JIT Provisioning is enabled as well as it has to be a just-in-time action, the moment the user resets the password
- A . Yes
- B . No
When a user signs out of Okta, if they are using IWA, they’ll be redirected to the Sign In page and without inputting credentials they’ll be signed back in
Solution: Statement is true, but then they’ll be displayed a 403 HTTP code (Forbidden)
- A . Yes
- B . No
When does Okta bring LDAP groups into Okta?
Solution: Only during an LDAP import
- A . Yes
- B . No
Whenever you make an API call, you will then get back:
Solution: A new object (a user, group or app object)
- A . Yes
- B . No
The SCIM protocol is <response_is_entered_here> for provisioning and managing identity data on the web.
Solution: An application-level TLS protocol
- A . Yes
- B . No
Can you map the Okta user ID as an Office 365 Immutable ID?
Solution: Not possible, as Office 365 requires an Immutable ID extracted from either On-Prem AD or Azure AD
- A . Yes
- B . No
When does Okta bring LDAP groups into Okta?
Solution: Only during LDAP JIT
- A . Yes
- B . No
Okta has a JSON representation of objects such as ‘users’, with JSON schema exchanged on API calls, for example. But what about the format of the information about a user that is sent to a SCIM server to create the user in an on-premises application?
Solution: Format is different: XML
- A . Yes
- B . No
What does SCIM stand for?
Solution: System for CRSF-domain Identity Management
- A . Yes
- B . No
Can you map the Okta user ID as an Office 365 Immutable ID?
Solution: Not possible and not intended to be possible as it cannot work like this
- A . Yes
- B . No
Does Okta require an agent to sit in between Okta and a SCIM-enabled on-premises app for requests?
Solution: Yes, an AD Agent
- A . Yes
- B . No
When using Okta Expression Language, which of the following will have the output:
okta.com
Solution: String.substringAfter("abc@okta.com", "@")
- A . Yes
- B . No
Regarding policies, Okta recommends:
Solution: Include a final catch-all rule that denies access to anything that does not match any of the preceding rules
- A . Yes
- B . No
After you turn on Desktop SSO, a default DSSO related routing rule is created. You must configure the network information for this rule.
Solution: The statement is true
- A . Yes
- B . No
When you are trying to federate (via WS-FED) Office 365 with Okta:
Solution: You can try to federate multiple Office 365 custom domains into a single Okta Office 365 app instance via SWA SSO protocol
- A . Yes
- B . No
Once brought into Okta, LDAP roles are represented as:
Solution: Licences
- A . Yes
- B . No
Once brought into Okta, LDAP roles are represented as:
Solution: Groups
- A . Yes
- B . No
If you want to remove an attribute’s value in Okta, for example a value coming from AD that is not useful in any way, you have to:
Solution: Intentionally map a blank value to that specific attribute in the user profile
- A . Yes
- B . No
In an SP-initiated SAML 2.0 flow, the SP will never redirect to Okta if the session is already active
Solution: It will always redirect to Okta and, in this case only, will prompt the user for re-authentication by manually entering Okta credentials
- A . Yes
- B . No
When does Okta bring LDAP groups into Okta?
Solution: During both LDAP import and JIT
- A . Yes
- B . No
In order for SAML to work, there is a need of an IDP and an SP and we know that already, but why is it so? Because:
Solution: An SP sends SAML assertions, while the IDP receives and validates them
- A . Yes
- B . No
Provisioning actions between cloud-based apps / on-premises apps and Okta are completed by using:
Solution: The OAuth 2.0 standard
- A . Yes
- B . No
As an Okta best-practice / recommendation: Okta encourages you to switch from Integrated Windows Authentication (IWA or DSSO) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.
Solution: Only the first statement is true
- A . Yes
- B . No
In an agentless DSSO (Desktop Single Sign-on) scenario, Okta is the one that decrypts the Kerberos ticket, finds the user name, authenticates the user and passes back a session to the browser.
Solution: The statement is entirely valid
- A . Yes
- B . No
When a user’s Okta password is changed:
Solution: All apps that are Provisioning-enabled and have Sync Password option active under Provisioning settings – will begin to sync the password in respective apps, but only if JIT Provisioning is enabled as well as it has to be a just-in-time action, the moment the user resets the password
- A . Yes
- B . No
In an SP-initiated SAML 2.0 flow, the SP will never redirect to Okta if the session is already active
Solution: It might be seamless for the user, but the redirect is happening
- A . Yes
- B . No
When does Okta bring LDAP roles into Okta?
Solution: During both LDAP import and JIT
- A . Yes
- B . No
Any … <answer_goes_here>’s credentials verified under "Test API credentials" in an Office 365 app integration can allow Okta API integration with Office 365 – permissions which, once successfully granted, will be used by Okta for Provisioning-related tasks
Solution: Office 365 Global Administrator
- A . Yes
- B . No