Consultant Exam Test Prep

¡Supera tus tareas y exámenes ahora con Quizwiz!

OAuth 2.0 Role Specs

4 Roles - Auth server, issues access token(ie Okta) - Resource Owner(Application end user grants permission to access resource server) - Client, app that requests access token from Okta then passes to resource server - Resource Server, accepts access token and must verify is valid

Auto-Link Restrictions:

Allows you to restrict auto-linking to members of specified groups.

If RADIUS agent is not receiving traffic or authentication is failing?

RADIUS agent must be able to listen on UDP ports, can be impeded by firewall blocking ports - Default is port 1812

SAML tracer is an?

Firefox Add on to troubleshoot SAML for SP/IDP initiated flows Other similar tools include: - SAML DevTools - SAML Chrome Panel

What components are used for Social Identity Login?

OAuth 2.0 client in the social provider, an identity provider in Okta, and an OIDC application in Okta

When does Okta bring LDAP groups into Okta?

Okta brings LDAP groups into Okta during imports and JIT.

When does Okta bring LDAP roles into Okta?

Okta brings LDAP roles into Okta only during imports, not during JIT.

SAML Hook is triggered when?

Okta generates SAML assertion in response to auth request

You cannot deny access if a behavior condition is selected in a Sign On policy rule.

True

LDAP Interface uses?

Universal Directory for authentication

RADIUS client sends the RADIUS agent the credentials of a ?

User requesting access to client. - If MFA NOT enabled, user is granted access - If MFA enabled, user is prompted for second factor

Trusted App Flow

- A trusted app flow is a scenario where end-user sign-in requests are proxied to Okta through an app using a valid SSWS token. - The end user does not interact directly with the Okta Sign-In Widget. - Requests are instead forwarded by the trusted app to Okta through the authentication API.

OPP: MySQL Example

- Assign user to MySQL app, which initiates a create action - Agent polls for events then translates it to a POST HTTP request - Response is returned

Common Data Migration Patterns

- Bulk imports uses Users API - CSV imports - Import hashed passwords (Okta Users API) where you pass the types of encryption - Hybrid Live Migration(Importing identity attributes then setting password during first login) - JIT Migrations - JIT Inbound - JIT from existing DB - JIT from existing DB with delegated authentication - Directory import migration - App import migrations(CRM) - On Prem Provisioning

Steps of Creating Auth Server:

- Create an authorization server - Create Access Policies - Create Rules for Each Access Policy - Create Scopes - Create Claims - Test the authorization server

Steps for creating IdP in Okta

- Create app at IdP - Create IdP in Okta - Add Okta redirect URI to the Identity Provider - Register an App in Okta(App to consume response from IdP) - Create the Authorization URL - Use the Identity Provider to sign in

Custom Email Domain allows you to configure what?

- Email address is sent from - Sender Name - Domain the email is sent from NOTE: Update SPF record

O365 provisioning to AD (O365 as a master)

- Enable the Create users checkbox for AD provisioning, and update the AD user activation recipient. - Import users from G Suite. - Map groups to AD provisioning. - Create Group Rules for grouping users.

Configuring Okta RADIUS Agent Configuration

- Enter RADIUS Shared Secret - RADIUS Port Number

To configure RADIUS App config

- Install RADIUS server agent and configure RADIUS applications in Okta

Installing OPP Agent setup is?

- Install agent - Connect agent to On-Prem application

Live Migration Types

- JIT -

On-Prem Provisioning Architecture

- Okta - OPP Agent - SCIM server - Custom Connectors - OPApplications

IdP Routing Rules are useful for...?

- On-network / Off-network users - Mobile users - Hub and spoke orgs - DSSO - Multiple customer orgs - Required discovery by user attribute

To custom Okta URL you need?

- Own the domain - Valid TLS cert

Okta Custom Domain Specs

- PEM Encoded Private key and public cert - CNAME - Update Auth Server URLs -

Auth API provides?

- Primary auth allows you to verify username and password credentials - MFA - Recovery

3 Components needed for Okta as a SP

- SSO URL - IdP Cert - Issuer (URI)

MFA as a Service for ADFS

- Search for Microsoft ADFS app - OIDC as Sign-on - Add CORS Trusted Origin for ADFS service name - Install ADFS agent - Enable MFA provider in ADFS - Add access control policy to Relying Party Application - Assign to groups

Radius deployment needs 2 components?

- Shared Secret - Port number

Trackable Security Behaviors:

- Sign In from new Country/state/device/IP/location/velocity

To set existing username/password as is you must pass the ?

- Supported algorithm - Encrypted password - Salt used to encrypt password

When to use Okta RADIUS agent?

- VPN devices that don't support SAML - Virtual desktops and Reverse Proxies that don't support SAML Bypass MFA on Sign In

Inbound SAML allows you to set up the following scenarios:

- Your users can SSO into apps without needing an Okta password. - You do not need to set up an Active Directory (AD) agent. - You can connect to a partner. - You can federate with another IdP.

Backdoor default Okta Login

/login/default

LDAP Interface supports TLS?

1.2

OAuth 2.0 flow for server side(web) ?

Authorization Flow

Native Application uses what OAuth flow?

Authorization Flow with PKCE

SPA uses what OAuth flow?

Authorization Flow with PKCE OR Implicit Flow

SslPinningEnabled

AD agent confirms that the SSL certificate presented by the Okta org matches one of the keys hard-coded in the agent. - The default is True.

Scopes are associated with?>

Access tokens to determine which claims are available when used by OIDC

User Import Inline Hook performs?>

Adds custom logic to user import process

On-Prem App

App behind a firewall

What is an Authorization Server?

At its core, an authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens in order to keep proper boundary between security domains.

Failed to parse response from Okta and Unable to register the agent. Error code 12. Represents?>

Attempting to install Java LDAP agent and your environment is one in which the agent's support for SSL certificate pinning prevents communication with the Okta server.

The Okta Authentication API provides operations to

Authenticate users, perform multifactor enrollment and verification, recover forgotten passwords, and unlock accounts.

OAuth 2.0 grant is?

Authorization given to client by user

When registering multiple domains on a single AD Agent they must?

Be in the same forest and contain trust, otherwise Service account cannot connect

Benefits of API AM

Centralizing the management of your APIs makes it easier for others to consume your API resources - Meet security standards compliance - Manage access with rules - Use tokens instead of credentials

Service Application uses what OAuth flow?

Client Credentials flow

LDAP Interface is a ?

Cloud proxy that consumes LDAP commands and translates them to Okta API calls

Inline Hooks return JSON Payload Objects that contain...

Commands for Okta to run

When bypassing Box SAML:

Contact Box support to ensure SAML Required is selected

Authentication API is useful when you want to?

Control Login process from beginning to end

Authenication API

Controls access to your Okta org and applications(Controls MFA,Auth, etc) by creating and controlling Okta session tokens

Registration Inline Hook performs?>

Custom handling of user registration requests in Self Service Registration

SAML Assertion Inline Hook performs?>

Customizes SAML assertions

Token Inline Hook performs?>

Customizes tokens returned by Okta API Access Management

Provisioning Policy:

Determines whether just-in-time provisioning of users should be automatic or disabled.

Account Link Policy:

Determines whether your Application User should be linked to an Okta user. - Automatic: Link user accounts automatically according to the "Auto-Link Restrictions" and "Match against" settings. - Disabled Do not link existing User accounts. Unless User is already linked, login will fail.

Identity Provider (IdP) routing rules enable you to?

Direct end users to IdPs based on the user's location, device, email domain, attributes, or the app they are attempting to access.

Trusted application uses what OAuth flow?

Resource Owner Password Flow

Schemas API

Each of the operations described here affects the Schema associated with a single User Type (see User Types)

Force Authentication

Enable to on SAML 2.0 template to re-authenticate users

Client application is considered public if?

End User can view and modify code

Understand the benefits of the Pre-authn sign-on evaluation policy

End users that sign in using the AuthN API will have their sign on policies evaluated first before their password or other factor is verified. This evaluation helps to reduce the number of account lockouts that occur across an org. - If the sign on policy is set to deny, the user's sign on attempt is rejected and prompted with the following generic error: Authentication failed. Counter for failed logins is not incremented but instead, an event indicating a pre-auth sign-on policy evaluation is triggered.

SCIM Server is a?

Endpoint that processes SCIM messages sent from provisioning agent

IdP Username is for Social Identity Provider is?

Expression that will be used to convert an IdP attribute to App User username

Point in Okta process flows where Inline Hooks can be triggered are called?

Extension Points

OIDC adds an additional token which is?

ID Token

If you have multiple Profile Masters you must choose only one?

Identity Master

ProxyPassword

If the proxy requires authentication, the encrypted value for the password is used.

ProxyUsername

If the proxy requires authentication, the username is used.

Grant Type for Social IdP:

Implicit - Returns tokens(ID token )without additional steps.

Hybrid Live Migration

Imports users and passwords as temp attrs. Then on login confirms if the password the users enter is valid

ID Token contains ?

Information about End User in form of claims

LDAP Interface lets you connect LDAP applications to Okta UD without??

Installing an maintaining LDAP agent

Access Token

Issued by auth server in exchange for grant

LDAP Pagination error is?

LDAP_SIZELIMIT_EXCEEDED - Can use ldapsearch tool

OPP Agent is a ?

Lightweight agent that runs on a Linux or Windows Server and sits behind a firewall. Receives provisioning instructions and sends SCIM messages to appropriate connector/endpoint

Account Link Policy for Social Identity Provider...

Links incoming IdP user to Okta user

Failed to connect to the specified LDAP server displays when?

Make sure you have enabled LDAP over SSL (LDAPS) when configuring the LDAP agent.

The Okta Identity Providers API provides operations to

Manage federations with external Identity Providers (IDP). For example, your app can support logging in with credentials from Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.

CORS is a ?

Mechanism that allows a web page to make an AJAX call using XMLHttpRequest(XHR) to a domain different than where script is loaded

To provision users from 0365 use?

Microsoft AAD Connect with Okta Licenses and Roles ONly

Use Okta User API when you want to?

Migrate users and allow them to use current username and password

Error when CORS is not enabled?

No Access Control Allow Origin header present

Okta Session Tokens are?

One time tokens issued when authentication transaction completes successfully

Authentication API provides?

Operations to authenticate users, perform MFA enrollment, recover forgotten passwords, and unlock accounts.

Refresh token

Optional token exchanged when access token has expired

What are inline hooks?

Outbound calls from Okta to custom code triggered at specific points in Okta Process flows

Sys Log Events for Behavior Detection:

POSITIVE: Behavior is detected. POSITIVE results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA. NEGATIVE: Behavior is not detected. NEGATIVE results in the policy rule not matching - if MFA is configured for the rule, Okta does not prompt for MFA. UNKNOWN: Not enough history to detect behavior. UNKNOWN results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA. BAD_REQUEST: Not enough information from the sign-in attempt to detect behavior. For example, if the cookies and device fingerprint are missing, Okta treats it as a BAD_REQUEST, which results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA.

RADIUS Agent data logs are contained to?

Program Files (x86)\Okta\Okta RADIUS agent\current\logs.

LDAP Interface supports ____ only commands?

Read Only

Access Policies are containers for?

Rules and apply to a specific OIDC application - Evaluated in order, and applied when matching rules/policy

If On-Prem App does not support SCIM natively you must create a?

SCIM Connector

Handshake failure due to unsupported cipher?

SSL handshake rejected due to unsupported cipher

OIDC uses scope values to?

Specify which access privileges are being requested for access tokens

Claims are?

Statements about a subject(user) - Dependent on type of token, credential, and application configuration

Client Credentials flow is for?

The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication.

Implicit flow is best for?

The Implicit flow is intended for applications where the confidentiality of the client secret can't be guaranteed.

System Log API

The Okta System Log API provides near real-time read-only access to your organization's system log and is the programmatic counterpart of the System Log UI. - Contains log events, which are recorded facts of an Event

Users API

The Okta User API provides operations to manage users in your organization. - CRUD

Resource Owner Password flow is intended for ?

The Resource Owner Password Flow is intended for use cases where you control both the client application and the resource that it is interacting with.

SCIM Connector

The SCIM connector processes SCIM messages from the provisioning agent, acting as a SCIM server

If JIT settings are enabled for Social IdP then ...?

The Social IdP will be the source of truth for the user's attributes

Scopes specify what ?

The access privileges that are being requested as part of the authorization

Tokens contain claims that are statements about?

The subject (for example: name, role, or email address).

ProxyURL

The url:port for the proxy used by this agent, if any

Rules define particular token lifetimes for a given combination of grant type, user, and scope. AND?

They are evaluated in priority order and once a matching rule is found no other rules are evaluated. If no matching rule is found, then the authorization request fails.

Identity Provider Routing Rules

This feature is also known as IdP Discovery, because these routing rules allow Okta to discover which identity provider to use based on this context.

LDAP error for when request takes longer than 2 minutes to process?

Time limit exceeded

Browser Fingerprint works?

When client logins directly thru Okta sign-widget cookie is stored IF the security image is enabled

Use for API AM #1

Use Case 1 (API Access Management): You need to control API access for a variety of consumers: vendors, employees, and customers, for example.

Know how device trust works with a third party provider

User attempts to access mobile app, the app then redirects to Okta Mobile which checks if device is managed with MDM

IWA Agent: How does the Global Redirect work?

Useful if you have multiple forests. You need to ensure user A on Machine A redirects to IWA agents in forest A. To solve this issue you need to setup a global redirect URL where an on-prem DNS routes to correct endpoint Note: Transition using SSL, and When evaluating IWA logins, Okta checks that the login is from the configured zones.

Password Import Inline Hook performs?

Verifies user supplied password to support migration of users to Okta

Error Code 401 occurs when ?

You attempt to login with invalid credentials

What can I customize on the sign-in page?

You can add any HTML, CSS, or JavaScript to the page that you want. - Headers - Labels - Recovery flow text - External Links

TO customize Okta URL...?

You must first customize the Okta URL domain if you also want to customize the Okta-hosted sign-in page or error pages.

Error Code 429 occurs when?

You exceed Okta rate limit

Trusted applications are backend applications that ?

act as authentication broker or login portal for your Okta organization and may start an authentication or recovery transaction with an administrator API token.

A public application is an application that?

anonymously starts an authentication or recovery transaction without an API token, such as the Okta Sign-In Widget.

Advanced Server Access is

an Okta application that manages access to Linux and Windows servers over SSH & RDP.

The ___ URL initiates the authorization flow that authenticates the user with the Identity Provider.

authorize

The Okta Factors API provides operations to

enroll, manage, and verify factors for multi-factor authentication (MFA). - Manage both administration and end-user accounts, or verify an individual factor at any time.

OAuth 2.0

is a protocol controls authorization to access

Just-in-time migrations

method of creating users on demand as they log in to Okta for the first time. You can perform a just-in-time migration using the inbound federation method or one of two existing database methods.

The Okta Zones API provides operations to

manage zones in your organization.

The Advanced Server Access Client

multi-platform desktop application and command-line tool.

In Advanced Server Access, a team

named group of users who can authenticate with Okta.

Authorization flow is best for ?

server side apps

To manage SSH or RDP access to a server with Advanced Server Access, you will need to install

the Advanced Server Access Agent on that server.


Conjuntos de estudio relacionados

BUSFIN 4221 Investments Cao Chapters Midterm 1 Practice Questions

View Set

General Studies/AccountingandFinance

View Set

Anticoagulants and Thrombolytics

View Set