Consultant Exam Test Prep
OAuth 2.0 Role Specs
4 roles: - Authorization server, which issues the access token (e.g. Okta) - Resource Owner, the application end user who grants permission to access the resource server - Client, the app that requests the access token from Okta and then presents it to the resource server - Resource Server, which accepts the access token and must verify that it is valid (signature, issuer, audience, expiry and scopes) before serving the request
Auto-Link Restrictions:
Allows you to restrict auto-linking to members of specified groups.
If RADIUS agent is not receiving traffic or authentication is failing?
The RADIUS agent must be able to listen on its UDP port (1812 by default); a firewall blocking that port will stop traffic from reaching it
SAML tracer is an?
A Firefox add-on for troubleshooting SAML in SP-initiated and IdP-initiated flows. Other similar tools include: - SAML DevTools - SAML Chrome Panel
What components are used for Social Identity Login?
OAuth 2.0 client in the social provider, an identity provider in Okta, and an OIDC application in Okta
When does Okta bring LDAP groups into Okta?
Okta brings LDAP groups into Okta during imports and JIT.
When does Okta bring LDAP roles into Okta?
Okta brings LDAP roles into Okta only during imports, not during JIT.
SAML Hook is triggered when?
Okta generates a SAML assertion in response to an authentication request
You cannot deny access if a behavior condition is selected in a Sign On policy rule.
True
LDAP Interface uses?
Universal Directory for authentication
RADIUS client sends the RADIUS agent the credentials of a ?
A user requesting access to the client. - If MFA is NOT enabled, the user is granted access - If MFA is enabled, the user is prompted for a second factor
Trusted App Flow
- A trusted app flow is a scenario where end-user sign-in requests are proxied to Okta through an app using a valid SSWS token. - The end user does not interact directly with the Okta Sign-In Widget. - Requests are instead forwarded by the trusted app to Okta through the authentication API.
OPP: MySQL Example
- Assign a user to the MySQL app, which initiates a create action - The OPP agent polls Okta for events and translates the event into an HTTP POST (SCIM) request to the connector - The connector's response is returned to Okta
Common Data Migration Patterns
- Bulk imports use the Users API - CSV imports - Import hashed passwords (Okta Users API), passing the hash algorithm, salt and hash value - Hybrid Live Migration (import identity attributes, then set the password during first login) - JIT Migrations - JIT Inbound - JIT from an existing DB - JIT from an existing DB with delegated authentication - Directory import migration - App import migrations (CRM) - On-Prem Provisioning
Steps of Creating Auth Server:
- Create an authorization server - Create Access Policies - Create Rules for Each Access Policy - Create Scopes - Create Claims - Test the authorization server
Steps for creating IdP in Okta
- Create app at IdP - Create IdP in Okta - Add Okta redirect URI to the Identity Provider - Register an App in Okta(App to consume response from IdP) - Create the Authorization URL - Use the Identity Provider to sign in
Custom Email Domain allows you to configure what?
- Email address the mail is sent from - Sender name - Domain the mail is sent from NOTE: update the SPF record for that domain so the mail is not rejected as spoofed
O365 provisioning to AD (O365 as a master)
- Enable the Create users checkbox for AD provisioning, and update the AD user activation recipient. - Import users from G Suite. - Map groups to AD provisioning. - Create Group Rules for grouping users.
Configuring Okta RADIUS Agent Configuration
- Enter RADIUS Shared Secret - RADIUS Port Number
To configure RADIUS App config
- Install RADIUS server agent and configure RADIUS applications in Okta
Installing OPP Agent setup is?
- Install agent - Connect agent to On-Prem application
Live Migration Types
- JIT -
On-Prem Provisioning Architecture
- Okta - OPP Agent - SCIM server - Custom connectors - On-Prem applications
IdP Routing Rules are useful for...?
- On-network / Off-network users - Mobile users - Hub and spoke orgs - DSSO - Multiple customer orgs - Required discovery by user attribute
To custom Okta URL you need?
- Own the domain - Valid TLS cert
Okta Custom Domain Specs
- PEM Encoded Private key and public cert - CNAME - Update Auth Server URLs -
Auth API provides?
- Primary auth allows you to verify username and password credentials - MFA - Recovery
3 Components needed for Okta as a SP
- SSO URL - IdP Cert - Issuer (URI)
MFA as a Service for ADFS
- Search for Microsoft ADFS app - OIDC as Sign-on - Add CORS Trusted Origin for ADFS service name - Install ADFS agent - Enable MFA provider in ADFS - Add access control policy to Relying Party Application - Assign to groups
Radius deployment needs 2 components?
- Shared Secret - Port number
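The cards on RADIUS above (UDP port 1812, the shared secret, and the client sending the user's credentials to the agent) describe the Access-Request exchange without showing it. The following is an added example of mine, not code from the page or from Okta: it builds an RFC 2865 Access-Request with User-Name, User-Password and NAS-IP-Address, hides the password with the shared-secret/MD5 chaining the RFC prescribes, parses it back, and sends it over UDP. The shared secret, username, password and NAS address are constructed values.

```python
import hashlib
import os
import socket
import struct

RADIUS_AUTH_PORT = 1812            # default UDP port the Okta RADIUS agent listens on
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block),
    seeded with the Request Authenticator. Without the shared secret the agent cannot undo it."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    authenticator = os.urandom(16)     # Request Authenticator: fresh random per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the agent does on receipt: walk the attributes and recover the password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    result = {"identifier": identifier}
    pos = 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if kind == USER_NAME:
            result["User-Name"] = value.decode("utf-8", "replace")
        elif kind == USER_PASSWORD:
            result["User-Password"] = decrypt_user_password(value, secret, authenticator)
        elif kind == NAS_IP_ADDRESS:
            result["NAS-IP-Address"] = socket.inet_ntoa(value)
        pos += alen
    return result


def send_to_agent(packet: bytes, host: str, port: int = RADIUS_AUTH_PORT, timeout=5.0) -> bytes:
    """Fire the request at the agent; a timeout here is the usual symptom of the UDP port being blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return reply
```

Only the User-Password attribute is obscured; User-Name and everything else travel in the clear, which is why the agent should sit on a trusted network segment and the secret should be long and random.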
Trackable Security Behaviors:
- Sign-in from a new country, state, city, geo-location, device or IP, and velocity (travel faster than plausible between two sign-ins)
To set existing username/password as is you must pass the ?
- A supported hash algorithm (e.g. SHA-256, bcrypt) - The hashed password value - The salt used when hashing (and its order, before or after the password)
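The card above, and the "Use Okta User API when you want to migrate users and keep their current username and password" card later on, describe importing a pre-hashed credential. The following is an added example of mine, not code from the page or from Okta: it converts one row of a constructed legacy user table into the Users API body with a `credentials.password.hash` object, shows the recomputation Okta performs at the user's first sign-in, and wraps the POST to `/api/v1/users` with an SSWS token. The field names and the salt/value encoding follow my recollection of Okta's hashed-password object reference (SHA-256 branch, base64 salt and value, `saltOrder` PREFIX or POSTFIX); check them against the current API reference before a real migration. The org URL, token and user data are placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request


def sha256_salted(password: str, salt: bytes, salt_order: str = "PREFIX") -> bytes:
    """Hash exactly the way Okta recomputes it: salt+password (PREFIX) or
    password+salt (POSTFIX), over the UTF-8 bytes of the password."""
    pw = password.encode("utf-8")
    data = salt + pw if salt_order == "PREFIX" else pw + salt
    return hashlib.sha256(data).digest()


def user_with_hashed_password(login: str, first: str, last: str, digest: bytes,
                              salt: bytes, salt_order: str = "PREFIX") -> dict:
    """Body for POST /api/v1/users: the plaintext never leaves the legacy system."""
    return {
        "profile": {"firstName": first, "lastName": last, "email": login, "login": login},
        "credentials": {"password": {"hash": {
            "algorithm": "SHA-256",
            "salt": base64.b64encode(salt).decode("ascii"),
            "saltOrder": salt_order,
            "value": base64.b64encode(digest).decode("ascii"),
        }}},
    }


def matches_payload(body: dict, candidate: str) -> bool:
    """What Okta does at first sign-in: recompute from the imported hash fields and compare."""
    h = body["credentials"]["password"]["hash"]
    salt = base64.b64decode(h["salt"])
    expected = base64.b64decode(h["value"])
    return hmac.compare_digest(sha256_salted(candidate, salt, h["saltOrder"]), expected)


def constructed_legacy_row() -> dict:
    """One row of a made-up legacy user table (hex salt and hex SHA-256 digest)."""
    salt = bytes.fromhex("a1b2c3d4e5f60718")
    return {"login": "alice@example.com", "first": "Alice", "last": "Example",
            "salt": salt.hex(), "salt_order": "PREFIX",
            "sha256": sha256_salted("Correct!Horse", salt, "PREFIX").hex()}


def legacy_row_to_body(row: dict) -> dict:
    return user_with_hashed_password(row["login"], row["first"], row["last"],
                                     bytes.fromhex(row["sha256"]), bytes.fromhex(row["salt"]),
                                     row.get("salt_order", "PREFIX"))


def create_user(org_url: str, api_token: str, body: dict, activate: bool = True) -> dict:
    """POST to the Users API with an SSWS token (network call; placeholders only)."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users?activate={'true' if activate else 'false'}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Before bulk-loading, run `matches_payload` against a handful of known test accounts from the legacy system; a wrong `saltOrder` or a salt encoded as text instead of raw bytes produces users who can never sign in, and the failure only shows up after the import.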
When to use Okta RADIUS agent?
- VPN devices that don't support SAML - Virtual desktops and reverse proxies that don't support SAML - Bypass MFA on sign-in
Inbound SAML allows you to set up the following scenarios:
- Your users can SSO into apps without needing an Okta password. - You do not need to set up an Active Directory (AD) agent. - You can connect to a partner. - You can federate with another IdP.
Backdoor default Okta Login
/login/default
LDAP Interface supports TLS?
1.2
OAuth 2.0 flow for server side(web) ?
Authorization Code flow
Native Application uses what OAuth flow?
Authorization Code flow with PKCE
SPA uses what OAuth flow?
Authorization Code flow with PKCE (recommended), or the legacy Implicit flow
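The three cards above say which flow each client type uses. The following is an added example of mine, not code from the page or from Okta, showing the PKCE pieces a native app or SPA has to produce: the random verifier, the S256 challenge sent to `/v1/authorize`, the `state` check on the callback before the code is used, and the verifier (never the challenge) sent to `/v1/token`. The issuer, client ID and redirect URI are made-up values; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values, not from the original page.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 chars, the RFC 7636 minimum verifier length."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str,
                        scopes=("openid", "profile", "email")) -> str:
    """Step 1: send the browser to /v1/authorize carrying only the challenge."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,        # bound to the user's session; protects the callback from CSRF
        "nonce": nonce,        # echoed back inside the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to the client before touching the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard the response")
    if "error" in q:
        raise RuntimeError("authorization failed: " + q["error"][0])
    return q["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    """Step 3: the verifier goes to /v1/token; the server hashes it and compares it
    with the challenge it stored alongside the code, so a stolen code alone is useless."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

Keep the verifier in memory (or session storage for a SPA) for the lifetime of one authorization attempt only, and generate a fresh one per attempt; reusing it defeats the purpose.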
SslPinningEnabled
AD agent confirms that the SSL certificate presented by the Okta org matches one of the keys hard-coded in the agent. - The default is True.
Scopes are associated with?>
Access tokens to determine which claims are available when used by OIDC
User Import Inline Hook performs?>
Adds custom logic to user import process
On-Prem App
App behind a firewall
What is an Authorization Server?
At its core, an authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens in order to keep proper boundary between security domains.
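The card above ties an authorization server to a unique issuer URI and its own signing key, and the OAuth roles card says the resource server must verify the token. The following is an added example of mine, not code from the page or from Okta, of the checks a resource server runs on an access token: pinned algorithm, signature, `iss`, `aud`, `exp` and the `scp` scope array that Okta access tokens carry. Okta signs with RS256 and publishes its public keys at the server's `/v1/keys` endpoint; to keep this runnable offline, a shared-key HS256 stand-in mints the token here and the same key verifies it. The issuer, audience, client and user identifiers are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical issuer and audience (not from the page): an Okta custom
# authorization server and the API it protects.
ISSUER = "https://example.okta.com/oauth2/ausexample"
AUDIENCE = "api://orders"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the authorization server (Okta uses RS256; HS256 here keeps it offline)."""
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, key: bytes, required_scopes, now=None) -> dict:
    """Resource-server checks, in order: structure, pinned alg, signature, iss, aud, exp, scp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:       # a token from another authorization server is worthless here
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    missing = set(required_scopes) - set(claims.get("scp", []))
    if missing:
        raise PermissionError("insufficient scope: " + " ".join(sorted(missing)))
    return claims


def demo_token(key: bytes, now: float) -> str:
    """Constructed sample token shaped like an Okta access token."""
    return mint_hs256({
        "ver": 1, "jti": "AT.constructed", "iss": ISSUER, "aud": AUDIENCE,
        "iat": int(now), "exp": int(now) + 3600, "cid": "0oaexampleclient",
        "uid": "00uexampleuser", "scp": ["orders:read"], "sub": "alice@example.com",
    }, key)


def tamper_claims(token: str, **changes) -> str:
    """Rewrite payload claims but keep the original signature: what an attacker would try."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.update(changes)
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s
```

The ordering matters: the signature is checked before any claim is read, so a forged payload never influences which issuer or key the code selects.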
Failed to parse response from Okta and Unable to register the agent. Error code 12. Represents?>
Attempting to install the Java LDAP agent in an environment where the agent's SSL certificate pinning prevents communication with the Okta server, for example behind a proxy that intercepts TLS.
The Okta Authentication API provides operations to
Authenticate users, perform multifactor enrollment and verification, recover forgotten passwords, and unlock accounts.
OAuth 2.0 grant is?
Authorization given to client by user
When registering multiple domains on a single AD Agent they must?
Be in the same forest, or have a trust relationship between them; otherwise the service account cannot connect
Benefits of API AM
Centralizing the management of your APIs makes it easier for others to consume your API resources - Meet security standards compliance - Manage access with rules - Use tokens instead of credentials
Service Application uses what OAuth flow?
Client Credentials flow
LDAP Interface is a ?
Cloud proxy that consumes LDAP commands and translates them to Okta API calls
Inline Hooks return JSON Payload Objects that contain...
Commands for Okta to run
When bypassing Box SAML:
Contact Box support to ensure SAML Required is selected
Authentication API is useful when you want to?
Control Login process from beginning to end
Authentication API
Controls access to your Okta org and applications (authentication, MFA, etc.) by creating and controlling Okta session tokens
Registration Inline Hook performs?>
Custom handling of user registration requests in Self Service Registration
SAML Assertion Inline Hook performs?>
Customizes SAML assertions
Token Inline Hook performs?>
Customizes tokens returned by Okta API Access Management
Provisioning Policy:
Determines whether just-in-time provisioning of users should be automatic or disabled.
Account Link Policy:
Determines whether your Application User should be linked to an Okta user. - Automatic: Link user accounts automatically according to the "Auto-Link Restrictions" and "Match against" settings. - Disabled Do not link existing User accounts. Unless User is already linked, login will fail.
Identity Provider (IdP) routing rules enable you to?
Direct end users to IdPs based on the user's location, device, email domain, attributes, or the app they are attempting to access.
Trusted application uses what OAuth flow?
Resource Owner Password Flow
Schemas API
Each of the operations described here affects the Schema associated with a single User Type (see User Types)
Force Authentication
Enable it on the SAML 2.0 app template to force users to re-authenticate (the AuthnRequest is sent with ForceAuthn="true")
Client application is considered public if?
End users can view and modify its code (e.g. a SPA or native app), so it cannot keep a client secret
Understand the benefits of the Pre-authn sign-on evaluation policy
End users who sign in using the AuthN API have their sign-on policies evaluated before their password or other factor is verified. This evaluation helps to reduce the number of account lockouts across an org. - If the sign-on policy is set to deny, the sign-on attempt is rejected with the generic error "Authentication failed". The failed-login counter is not incremented; instead, an event indicating a pre-auth sign-on policy evaluation is logged.
SCIM Server is a?
Endpoint that processes SCIM messages sent from provisioning agent
IdP Username is for Social Identity Provider is?
Expression that will be used to convert an IdP attribute to App User username
Point in Okta process flows where Inline Hooks can be triggered are called?
Extension Points
OIDC adds an additional token which is?
ID Token
If you have multiple Profile Masters you must choose only one?
Identity Master
ProxyPassword
If the proxy requires authentication, the encrypted value for the password is used.
ProxyUsername
If the proxy requires authentication, the username is used.
Grant Type for Social IdP:
Implicit - Returns tokens(ID token )without additional steps.
Hybrid Live Migration
Imports users with their passwords stored as temporary attributes. Then, on login, confirms whether the password the user enters is valid
ID Token contains ?
Information about End User in form of claims
LDAP Interface lets you connect LDAP applications to Okta UD without??
Installing and maintaining an LDAP agent
Access Token
Issued by auth server in exchange for grant
LDAP Pagination error is?
LDAP_SIZELIMIT_EXCEEDED - Can use ldapsearch tool
OPP Agent is a ?
Lightweight agent that runs on a Linux or Windows Server and sits behind a firewall. Receives provisioning instructions and sends SCIM messages to appropriate connector/endpoint
Account Link Policy for Social Identity Provider...
Links incoming IdP user to Okta user
Failed to connect to the specified LDAP server displays when?
Shown when the agent cannot reach the directory. Make sure you have enabled LDAP over SSL (LDAPS) when configuring the LDAP agent.
The Okta Identity Providers API provides operations to
Manage federations with external Identity Providers (IDP). For example, your app can support logging in with credentials from Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.
CORS is a ?
A mechanism that allows a web page to make an AJAX call (XMLHttpRequest/XHR) to a domain other than the one the script was loaded from
To provision users from 0365 use?
Microsoft AAD Connect, with Okta handling licenses and roles only
Use Okta User API when you want to?
Migrate users and allow them to use current username and password
Error when CORS is not enabled?
"No 'Access-Control-Allow-Origin' header is present on the requested resource" (the browser blocks the cross-origin response)
Okta Session Tokens are?
One time tokens issued when authentication transaction completes successfully
Authentication API provides?
Operations to authenticate users, perform MFA enrollment, recover forgotten passwords, and unlock accounts.
Refresh token
Optional token exchanged when access token has expired
What are inline hooks?
Outbound calls from Okta to custom code triggered at specific points in Okta Process flows
Sys Log Events for Behavior Detection:
POSITIVE: Behavior is detected. POSITIVE results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA. NEGATIVE: Behavior is not detected. NEGATIVE results in the policy rule not matching - if MFA is configured for the rule, Okta does not prompt for MFA. UNKNOWN: Not enough history to detect behavior. UNKNOWN results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA. BAD_REQUEST: Not enough information from the sign-in attempt to detect behavior. For example, if the cookies and device fingerprint are missing, Okta treats it as a BAD_REQUEST, which results in the policy rule matching - if MFA is configured for the rule, Okta prompts for MFA.
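The card above gives the four results and how each maps to a policy rule match. The following is an added example of mine, not code from the page or from Okta, that applies that mapping to System Log events: it parses the `{Name=RESULT, ...}` string the log shows under `debugContext.debugData.behaviors` and reports, per sign-in, whether a rule selecting given behaviors would have matched (and so prompted for MFA). The four events are constructed; the behaviors string format is what I have seen in the Okta System Log UI, so treat it as an assumption and check a real event before relying on the regex.

```python
import json
import re

# Constructed sample events in the System Log's shape (not real log data).
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"behaviors":
        "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, "
        "New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},            # first sign-in: no history yet
     "debugContext": {"debugData": {"behaviors":
        "{New Geo-Location=UNKNOWN, New Device=UNKNOWN, New IP=UNKNOWN, New State=UNKNOWN, "
        "New Country=UNKNOWN, Velocity=UNKNOWN, New City=UNKNOWN}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com"},          # nothing new: no MFA prompt
     "debugContext": {"debugData": {"behaviors":
        "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, "
        "New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"}}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "dave@example.com"},           # no cookie/fingerprint sent
     "debugContext": {"debugData": {"behaviors":
        "{New Geo-Location=BAD_REQUEST, New Device=BAD_REQUEST, New IP=BAD_REQUEST}"}}},
)]

_PAIR = re.compile(r"([^{},=]+)=(POSITIVE|NEGATIVE|UNKNOWN|BAD_REQUEST)")


def parse_behaviors(text) -> dict:
    """'{New Device=POSITIVE, New IP=NEGATIVE}' -> {'New Device': 'POSITIVE', ...}"""
    return {name.strip(): result for name, result in _PAIR.findall(text or "")}


def rule_matches(behaviors: dict, selected) -> bool:
    """Per the card: POSITIVE, UNKNOWN and BAD_REQUEST all match the rule; only NEGATIVE
    does not. A selected behavior the event never evaluated is treated as UNKNOWN (fail closed)."""
    return any(behaviors.get(b, "UNKNOWN") != "NEGATIVE" for b in selected)


def mfa_prompted(events, selected=("New Device", "New Country")) -> dict:
    """Map each sign-in's actor to whether a rule on `selected` behaviors would match."""
    out = {}
    for line in events:
        ev = json.loads(line)
        raw = ev.get("debugContext", {}).get("debugData", {}).get("behaviors")
        out[ev["actor"]["alternateId"]] = rule_matches(parse_behaviors(raw), selected)
    return out
```

Run this over a day of `user.session.start` events with the same behaviors your rule selects and you get a quick answer to "why did this user get prompted": a sea of UNKNOWN or BAD_REQUEST results points at missing history or blocked cookies rather than at genuinely new locations.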
RADIUS Agent data logs are contained to?
Program Files (x86)\Okta\Okta RADIUS agent\current\logs.
LDAP Interface supports ____ only commands?
Read Only
Access Policies are containers for?
Rules and apply to a specific OIDC application - Evaluated in order, and applied when matching rules/policy
If On-Prem App does not support SCIM natively you must create a?
SCIM Connector
Handshake failure due to unsupported cipher?
SSL handshake rejected due to unsupported cipher
OIDC uses scope values to?
Specify which access privileges are being requested for access tokens
Claims are?
Statements about a subject(user) - Dependent on type of token, credential, and application configuration
Client Credentials flow is for?
The Client Credentials flow is intended for server-side (AKA "confidential") client applications with no end user, which normally describes machine-to-machine communication.
Implicit flow is best for?
The Implicit flow is intended for applications where the confidentiality of the client secret can't be guaranteed.
System Log API
The Okta System Log API provides near real-time read-only access to your organization's system log and is the programmatic counterpart of the System Log UI. - Contains log events, which are recorded facts of an Event
Users API
The Okta User API provides operations to manage users in your organization. - CRUD
Resource Owner Password flow is intended for ?
The Resource Owner Password Flow is intended for use cases where you control both the client application and the resource that it is interacting with.
SCIM Connector
The SCIM connector processes SCIM messages from the provisioning agent, acting as a SCIM server
If JIT settings are enabled for Social IdP then ...?
The Social IdP will be the source of truth for the user's attributes
Scopes specify what ?
The access privileges that are being requested as part of the authorization
Tokens contain claims that are statements about?
The subject (for example: name, role, or email address).
ProxyURL
The url:port for the proxy used by this agent, if any
Rules define particular token lifetimes for a given combination of grant type, user, and scope. AND?
They are evaluated in priority order and once a matching rule is found no other rules are evaluated. If no matching rule is found, then the authorization request fails.
Identity Provider Routing Rules
This feature is also known as IdP Discovery, because these routing rules allow Okta to discover which identity provider to use based on this context.
LDAP error for when request takes longer than 2 minutes to process?
Time limit exceeded
Browser Fingerprint works?
When the user signs in directly through the Okta Sign-In Widget, a fingerprint cookie is stored, but only if the security image feature is enabled
Use for API AM #1
Use Case 1 (API Access Management): You need to control API access for a variety of consumers: vendors, employees, and customers, for example.
Know how device trust works with a third party provider
User attempts to access mobile app, the app then redirects to Okta Mobile which checks if device is managed with MDM
IWA Agent: How does the Global Redirect work?
Useful if you have multiple forests: user A on machine A must be redirected to the IWA agent in forest A. To solve this, set up a global redirect URL that on-prem DNS routes to the correct endpoint. Note: use SSL for the transition, and when evaluating IWA logins Okta checks that the login comes from the configured zones.
Password Import Inline Hook performs?
Verifies user supplied password to support migration of users to Okta
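The cards on inline hooks say they are outbound calls whose JSON response carries commands for Okta to run, and the card above says the Password Import hook verifies the password the user typed. The following is an added example of mine, not code from the page or from Okta, of the receiving side: it reads `data.context.credential` from the hook request, checks it against a constructed legacy store (PBKDF2-SHA256 here; substitute whatever the old system used), and answers with the `com.okta.action.update` command setting `credential` to `VERIFIED` or `UNVERIFIED`. The request/response field names follow Okta's Password Import inline hook reference as I recall it; the header secret, port and user data are placeholders.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def _pbkdf2(password: str, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)


# Constructed legacy store: username -> PBKDF2 parameters and digest (not real data).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGACY_USERS = {
    "alice@example.com": {"iters": 100_000, "salt": _SALT,
                          "digest": _pbkdf2("Correct!Horse", _SALT, 100_000)},
}
# Value configured on the hook as its authentication header (placeholder).
HOOK_SECRET = "constructed-shared-header-secret"


def decide(request: dict, users: dict = LEGACY_USERS) -> str:
    """VERIFIED only when the legacy hash matches; anything else, including an unknown
    user or a malformed request, is UNVERIFIED so Okta rejects the sign-in."""
    cred = request.get("data", {}).get("context", {}).get("credential", {})
    rec = users.get(str(cred.get("username", "")).lower())
    if rec is None:
        return "UNVERIFIED"
    got = _pbkdf2(str(cred.get("password", "")), rec["salt"], rec["iters"])
    return "VERIFIED" if hmac.compare_digest(got, rec["digest"]) else "UNVERIFIED"


def hook_response(decision: str) -> dict:
    """The command Okta executes: on VERIFIED it stores the password and retires the hook for that user."""
    return {"commands": [{"type": "com.okta.action.update",
                          "value": {"credential": decision}}]}


class PasswordImportHook(BaseHTTPRequestHandler):
    def do_POST(self):
        # Reject anything not carrying the header secret Okta was configured to send.
        if not hmac.compare_digest(self.headers.get("Authorization", ""), HOOK_SECRET):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = json.loads(self.rfile.read(length) or b"{}")
        out = json.dumps(hook_response(decide(body))).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, fmt, *args):
        # Deliberately silent: request bodies carry plaintext passwords and must not hit logs.
        pass


if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy); Okta only calls https endpoints.
    HTTPServer(("127.0.0.1", 8080), PasswordImportHook).serve_forever()
```

Once a user has been VERIFIED and Okta has stored the password, the hook is not called for that user again, so the legacy store can be retired as soon as the remaining users have either signed in or been reset.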
Error Code 401 occurs when ?
You attempt to log in with invalid credentials
What can I customize on the sign-in page?
You can add any HTML, CSS, or JavaScript to the page that you want. - Headers - Labels - Recovery flow text - External Links
TO customize Okta URL...?
You must first customize the Okta URL domain if you also want to customize the Okta-hosted sign-in page or error pages.
Error Code 429 occurs when?
You exceed Okta rate limit
Trusted applications are backend applications that ?
act as authentication broker or login portal for your Okta organization and may start an authentication or recovery transaction with an administrator API token.
A public application is an application that?
anonymously starts an authentication or recovery transaction without an API token, such as the Okta Sign-In Widget.
Advanced Server Access is
an Okta application that manages access to Linux and Windows servers over SSH & RDP.
The ___ URL initiates the authorization flow that authenticates the user with the Identity Provider.
authorize
The Okta Factors API provides operations to
enroll, manage, and verify factors for multi-factor authentication (MFA). - Manage both administration and end-user accounts, or verify an individual factor at any time.
OAuth 2.0
is an authorization protocol: it controls a client's access to resources on the user's behalf (delegated authorization), not authentication
Just-in-time migrations
method of creating users on demand as they log in to Okta for the first time. You can perform a just-in-time migration using the inbound federation method or one of two existing database methods.
The Okta Zones API provides operations to
manage zones in your organization.
The Advanced Server Access Client
multi-platform desktop application and command-line tool.
In Advanced Server Access, a team
named group of users who can authenticate with Okta.
Authorization flow is best for ?
Server-side (web) apps, which can keep a client secret
To manage SSH or RDP access to a server with Advanced Server Access, you will need to install
the Advanced Server Access Agent on that server.