When Okta calls your external service, it enforces a default timeout of <response_goes_here> seconds.
- A . 1
- B . 3
- C . 10
- D . 30
In an Inline Hook scenario, when Okta calls your external service, Okta may attempt to retry.
How many retries will Okta perform?
- A . Okta doesn’t retry, no matter the situation
- B . Okta will attempt at most one retry
- C . Okta will attempt to retry 3 times
- D . Unlimited
In an Inline Hook scenario, if the external service responds with a redirect, Okta follows it.
- A . Okta does follow the redirect on the very same request
- B . Okta does not follow the redirect
- C . Okta does follow the redirect, but with a different request to the service
After you’ve created your external service, you have to register its endpoint in Okta.
- A . Statement is True
- B . Statement is False, as only users are registered, not services
- C . Statement is False, as you are using Header-Based authentication and the token you provide in API calls acts as an API token, token which is in fact received from the external service itself, hence there is no need to register the service’s endpoint in Okta as on each and every call the authorization header is passed on and it will know exactly which Okta domain is calling the service, so there is no need for a trust to be established in the Okta side as well
Optional user account fields include a ‘secondary email address’ and a ‘security image’.
- A . Statement is False, as the ‘secondary email address’ is mandatory to have a value assigned
- B . Statement is False, as the ‘security image’ is mandatory to have a value assigned
- C . Statement is True
- D . Statement is False, as both aforementioned attributes would need to have a value assigned
In the context of ASA (Advanced Server Access), the Windows and Unix server usernames are defined in Okta as:
- A . ‘windowsUserName’ and respectively ‘UnixUserName’
- B . ‘osUserName’ and respectively ‘LinuxUserName’
- C . ‘winUserName’ and respectively ‘UserName’
- D . Only users have usernames, not servers, it’s obvious
You can further integrate Advanced Server Access with Okta by configuring SCIM, which allows your:
- A . Advanced Server Access groups (only) to be managed by Okta
- B . Advanced Server Access users (only) to be managed by Okta
- C . Advanced Server Access groups and users to be managed by Okta
- D . Advanced Server Access local Admin to manage the Okta users’ attributes from On-Prem
In order to successfully deploy an Advanced Server Access server, you must:
- A . Simply install the server agent
- B . Simply enroll the server
- C . Install the server Agent and enroll the server
Advanced Server Access Enrollment is the process where the Advanced Server Access Agent configures a server to be managed by a specific:
- A . Admin
- B . Project
- C . AD server
- D . AD Service Account
Is Advanced Server Access Server Agent supported on Microsoft Active Directory DC?
- A . No, it’s not supported there
- B . It is supported
- C . Advanced Server Access server agent is only supported on Linux kernel related distributions
You are faced with the error: "Failed to connect to the specified LDAP server displays.".
What is worth to consider checking first?
- A . That the ‘username’ attribute’s format contains the exact ’email’ attribute’s address value
- B . To make sure you enabled LDAPS
- C . To run a query and see if it returns the right port for LDAP (always non-SSL)
- D . Email should be in a UPN format, this needs to get checked
What is a Relative Distinguished Name (RDN)? (for example in an LDAP context)
- A . The leftmost portion of the user Distinguished Name
- B . The email address value without the "@domain.xxx" part
- C . The rightmost portion of the user Distinguished Name
The LDAP Incremental import relies on the ‘modifyTimestamp’ attribute to determine whether an LDAP entry has been imported. But, there are times when some on-prem LDAP servers’s system clock could go backward / be delayed – hence Okta missing some updates on an LDAP import. Okta has an option to deal with these issues, called:
- A . Incremental Imports
- B . Maximum clock skew
- C . This statement is false in its entirety as such option does not exist. All clock work very well, according to the NTP (Network Time Protocol)
- D . LDAP clock measurements
- E . LDAP clock delay timeframe
Okta serves pages on your custom domain over HTTPS. To set up this feature, you need to provide:
- A . A token in form of a cookie to the browser to locally (client-side) store session information to your custom domain
- B . A valid Service Account to Okta for setup
- C . An SSL certificate that is valid for your domain
- D . An API key from your custom domain, to authorize Okta to serve pages over HTTPS
After I’ve setup a custom domain for my organization, will the default Okta domain for my org still work?
- A . Yes
- B . No
- C . You will be redirected from the custom domain towards the default one then
Can I add more than one domain?
- A . Yes, you can have multiple custom domains set up for your organization
- B . No, you can only have one custom domain set up for your organization
- C . You are limited to three custom domains per org
In a SAML Trace, you can see that on an [Okta (IDP) App SAML request towards an App (SP side)] where you’ve already configured some regex-matching custom SAML attributes (not set in Mappings, but directly in the SAML App’s config) to be passed over, these (which are named in the App’s config as ‘User attributes’ or ‘Group attributes’) are send:
- A . As an API header
- B . Encrypted
- C . Unencrypted
- D . Back to Okta
The Okta RADIUS Server agent:
- A . Communicates via UDP, over default port 1812 and does not support multiple ports simultaneously
- B . Communicates via TCP, over default port 636 and does not support multiple ports simultaneously
- C . Communicates via UDP, over default port 1812 and supports multiple ports simultaneously
- D . Communicates via UDP, over default port 1812 and supports multiple ports simultaneously
- E . Communicates via TCP, over default port 443 and does not support multiple ports simultaneously
You should use Okta RADIUS Server agent for authentication, when authentication is being performed by:
- A . VPN devices that don’t support SAML
- B . AD DCs that don’t support SAML
- C . Virtual Desktops and Reverse Proxies that don’t support SAML
You don’t have the same possibility you have for an On-Prem MFA Agent or AD Agent, to increase the logging level, in the case of an Okta Radius server.
- A . Statement is True
- B . Statement is False
- C . Statement is False and you even have 4 modes that you can simply enable via GUI: INFO, DEBUG,
WARN, ERROR
Okta can be used to authenticate a user into a:
- A . Single Page App
- B . Web App
- C . Mobil App
Open ID Connect and OAuth 2.0 are used as follows:
- A . OIDC is used to authorize users into a web application, whereas OAuth 2.0 is used to authorize access for API purposes
- B . OIDC is used to authenticate users into a web application, whereas OAuth 2.0 is used to authorize access for API purposes
- C . OIDC is used to authorize users into a web application, whereas OAuth 2.0 is used to authenticate access for API purposes
- D . OIDC is used to authenticate users into a web application, whereas OAuth 2.0 is used to authenticate access for API purposes
You can use Okta org. as an authorization server.
- A . This is used with the issuer being https://okta.com
- B . This is used for OIDC use cases
- C . This is used for Authentication use cases
- D . This is used with an issuer being https://<subdomain>.okta.com
- E . You cannot use Okta org as an authorization server
Beside Okta org. being used as an authorization server, there also can be other types of authorization servers added (other custom ones).
- A . FALSE
- B . TRUE
- C . True and the issuer looks like: https://<subdomain>.okta.com/oauth2/${authorizationServerId}
- D . True and the issuer looks like: https://<subdomain>.okta.com
- E . True and the issuer looks like: https://okta.com
Okta org, when being used as an authorization server (issuer: https://<subdomain>.okta.com), can only be used for OIDC (Open ID Connect, hence Authentication) and not for OAuth (Authorization).
- A . Statement is False in its entirety
- B . Statement is True in its entirety
- C . True, but for the issuer part, where the URL is wrong
- D . False, but for the correlation between OIDC and Authentication, which is indeed True
You cannot:
- A . Have multiple authorization servers in Okta
- B . Edit the access policy in Okta, when Okta is the Default Authorization Server
- C . Have custom scopes when Okta is the authorization server
The authorization server also acts as an:
- A . OpenID Connect Provider, which means you can request ID tokens in addition to access tokens from the authorization server endpoints
- B . OpenID Connect protocol, which means you can request ID tokens in addition to OIDC or OAuth 2.0 tokens from the authorization server endpoints
- C . OpenID Connect Provider, which means you can request ID tokens in addition to access tokens from the authentication server endpoints
- D . OpenID Connect Provider, which means you can request Open ID Connect tokens in addition to access tokens from the authentication server endpoints
Access tokens are returned if ‘response_type’ included:
- A . ‘nonce’
- B . ‘none’
- C . ‘access’
- D . ‘token’
- E . ‘access_token’
‘code’ is an opaque value that is returned if ‘reponse_type’ includes:
- A . ‘code’ and ‘code’ has a lifetime of 45 seconds
- B . ‘token’ and ‘code’ has a lifetime of 24 hours
- C . ‘value’ and ‘code’ has a lifetime of 90 seconds
- D . ‘code’ and ‘code’ has a lifetime of 60 seconds
‘scope’ is returned only if the response includes:
- A . A ‘token’ value
- B . A ‘scope’ value
- C . A claim
- D . An access_token
‘grant_type’ can take value(s) out of the following:
- A . ‘authorization_code’
- B . ‘nonce’
- C . ‘client_credentials’
- D . ‘refresh_token’
- E . ‘password’
‘unsupported_grant_type’ error is thrown when the ‘grant_type’ isn’t:
- A . ‘authorization_code’
- B . ‘refresh_token’
- C . ‘client_credentials’
- D . ‘password’
‘invalid_client’ error is thrown when:
- A . The scopes list contains an invalid or unsupported value
- B . The specified ‘client_id’ wasn’t found
- C . The request structure was invalid
‘token_type_hint’ indicates the type of ‘token’ being passed. Valid value(s) can be:
- A . ‘access_token’
- B . ‘oidc_token’
- C . ‘id_token’
- D . ‘refresh_token’
There is a property named ‘uid’, which is the user ID. This parameter is returned:
- A . Only if the token is a refresh token and the subject is an end user
- B . Only if the token is an access token and the subject is an end user
- C . Only if the token is an access token and the subject is an admin
- D . Only if the token is an refresh token and the subject is a resource server
- E . Only if the token is an access token and the subject is a authorization server