Universal Directory IAM via OIDC using JWT over OAuth2 for API and SWA or SAML SSO Authentication with MFA for identity federation using SCIM in cloud or on-prem
- Social: meet people
- Glossary of Okta’s abbreviations
- Okta for Government
- Okta Products
- Lifecycle Management Processes
- App Integration Wizard
- Groups and Apps
- Okta tech stacks supported
- Free Company Trial Environments
- Okta Certifications
- Okta Certified Consultant (Levels 3)
- Okta Certified Developer
- Okta Virtual Training
- Add Auth to Web Page
Okta [Wiki] enables (using federated authorization) to use your Okta credentials to log into Gmail, Workday, Salesforce, Slack, among thousands of 3rd-party Integrations in their “Okta Application Network”.
NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.
VIDEO: Okta offers API authentication services. Okta Access Gateway provides SSO for on-prem. apps behind a corporate firewall. Okta’s Universal Directory provides context of what groups and roles each user has, for lifecycle management.
Internally, Okta’s services are built on top of the Amazon Web Services (AWS) cloud, using a “multi-cell” architecture where each cell is an identical infrastructure. That is much like how Salesforce works.
Social: meet people
Okta co-founder and CEO Todd McKinnon was previously a vice president at Salesforce, working under Marc Benioff for over five years.
So Okta is based in San Franciso, California VIDEO: Visit their office
The Okta Help Center contains a knowledge library of articles and videos, some of which are pertinent to topics covered on this exam.
The Okta Content Library offers searchable white papers with a rich body of information to explore before your exam.
The Okta Help Center https://support.okta.com
All email submissions default to P3 Severity Level. Please refer to the article in the Okta Help Center for issue severity/priority definitions. To report an urgent technical issue call Okta Support and request to speak with an engineer: US: 1-800-219-0964 AU: 1800 095 441 UK: 0800 808 5574
Glossary of Okta’s abbreviations
- ASA = Advanced Server Access (Okta API product, see https://developer.okta.com/docs/reference/api/asa/introduction/)
- OIC = Okta Identity Cloud
- OIN = Okta Integration Network (catalog of integrations for apps to manage auth and provisioning of users)
- OMM = Okta Mobility Management (for SSO 30 day inactivity token)
- SWA = Secure Web Authentication (Okta’s SSO integration method for any web-based app, evn though which don’t support federated sign-on) Makes use of browser plug-in.
- ACS URL = Assertion Consumer Service such as Salesforce (part of the SAML spec)
- AD = Active Directory (Microsoft)
- CAC/PIV-enabled tools (US DoD/military)
- CORS = Cross-origin resource sharing
- EMS E3 = Microsoft’s Enterprise Mobility + Security suite’s level higher than E3.
- FICAM = Federal Identity, Credential, and Access Management (see https://arch.idmanagement.gov/, https://arch.idmanagement.gov/, https://www.dhs.gov/science-and-technology/icam)
- GA = General Availability (of product)
- JWT = Java Web Token (protocol for authentication by APIs)
- IAM = Identity and Access Management
- IDaaS = Identity as a Service
- ICAM = Identity, Credential, and Access Management (security principles)
- Intune = (Microsoft)
- IdP = Identity Provider (of OIDC)
- LCM = LifeCycle management
- MAM = Microsoft Application Management (Azure)
- Mastered Users ???
- MFA = Multi-Factor Authentication
- NPEs = Non-Person Entities
- OIDC = OpenID Direct Connect (sits on top of OAuth 2.0 to add login profile info, like a badge = JWT ID Token)
- OWA = Outlook Web Access (Microsoft Office 365 SaaS offering at https://outlook.office.com/owa)
- PKCE = Proof Key for Code Exchange (to secure OAuth 2.0 Authz Code grant interception with client sending a code challenge and code challenge method to request, then adding code verifier with Access Token Request. See this & RFC 7636.
- SAML = Security Assertion Markup Language 2.0 (federated authentication protocol)
- SCIM = System for Cross-domain Identity Management (for exchange of user identities in cloud-based apps and services)
- SP = Service Provider (endpoint ACS URL (Assertion Consumer Service) such as Salesforce)
- SSO = Single-Sign-On
- SWA = Secure Web Authentication
- URI =
- URL = Address of the Entity that
- WS-FED = WS-Federation (authentication protocol)
https://oauth2simplified.com/course by Aaron Parecki, Senior Security Architect at Okta and author of website Oauth.NET. In 3.5 hours it covers OAuth 2.0, OpenID, PKCE, deprecated flows, JWTs, API Gateways, and scopes.
Okta for Government
Okta is a FedRAMP ATO
Among https://aka.ms/AzureGovVideos Overview of Managed Identities on Azure Government
support.okta.com/help Okta Community to review questions, discussions, ideas, and blogs for additional exam preparation.
developer.okta.com/docs groups topics within “Concepts”.
On-demand: Launch 30m Identity and Access Management with Okta: An Introduction Review directories basics and their role in IAM. Explain the evolution of Single Sign-On. Define the process involved in Identity Federation. Understand the Lifecycle Management challenges that IT and HR teams deal with daily. Identify the benefits of Multi-factor Authentication (MFA).
15m VIDEO: Introduction to Customer Identity with Okta
- Microsoft Azure Active Directory
- AWS Cognito
- Oracle Enterprise SSO
- IBM Security
- Auth0 (acquired by Okta March 4, 2021)
- Duo MFA
- CA Technologies
- Ping Identity
- MicroFocus (NetIQ)
- Tools4ever HelloID
Okta supports Windows Hello for Microsoft Edge. ???
Okta supports Voice Call Authentication.
OIN pre-integration does not include network zones.
Oauth vs Microsoft Azure
- “risky sign-in” from a Tor web-browser aka “proxy” web browser commonly used by threat actors.
- “impossible signon” situations such as login a few minutes after signing in from thousands of miles away.
- monitor the Dark Web for leaks of credentials (account names and passwords).
Okta locks a user out after 5 unsuccessful authentication attempts.
Noteworthy items within marketing pages by product:
- Okta Browser plugin
- Not managed by sign-on policy.
- No option is configurable on a specific browser
Okta “Universal Directory” supports these profile types:
- Application User Profile
- Directory User Profile
- Identitify Provider User Profile
- Okta User Profile
- (not “Mandatory Profile”, profile mastering not supported by Okta)
Okta Verify “Adaptive” MFA factor: challenge sent to authenticator app on Android and iOS mobile phones.
Other MFA is SMS Authenticaton and Security Question (different than account lock-out remediation).
Okta Mobile “Mobility management” for SSO
Okta Access Gateway - Embed modern authentication into web apps, secure access to on-prem apps, and protect hybrid clouds.
- Okta API Access Management is an Authorization Server using OAuth2 and OpenID Connect context to federate access to apps using OpenID Connect, or automate accessing APIs using access tokens within OAuth. Access Management extends Universal Directory to any API you manage via policies. Near real-time access management is passed along with permissions (Scopes) and Claims assigned:
- User Profile
- Group Memberships
- IP Address
- User or Admin Consent
Okta API Access Management provides APIs and SDKs to handle authentication and authorization aspects of API access from API Gateways (MuleSoft, Apigee, CA, etc.)
- API Authorization Policy management
Lifecycle Management Processes
Lifecycle Management provisioning using SCIM
- New user (employee)
- Provision account with groups, roles, permissions
- Enforce authentication
- Update for changes in group, role (promotion, demotion, reloction)
- Offboard (deactivate)
Password: Create, Update, Deactivate, Sync.
REMEMBER: Okta does not currently support impersonation.
Okta Enrollment Policy
Workflows - Automate identity-centric processes like employee onboarding and offboarding using conditional logic.
- Automation, Event Hooks, Inline Hooks
Advanced Server Access - Zero Trust access management - manages SSH and RDP access to Linux and Windows servers by team tenant.
brew search okta ==> Formulae aws-okta ==> Casks okta-advanced-server-access
QUESTION: is there an azure-okta?
App Integration Wizard
Creates apps as part of the App Request & Approval workflow which enables users to request access to applications (to integrate).
Groups and Apps
- Currently Okta cannot assign specific factors for use at the application level.
Okta groups do NOT impact creation of custom apps.
- Default policy is always the last policy evaluated. Only the outcome can be modified.
- Users cannot be forced to enroll in another factor type before reset.
An App Embed link: an Okta generated URL flow is IdP initiated instead of SP initiated.
- Okta Admins cannot renew an API token - only users.
Okta tech stacks supported
- .NET (C#)
- React Native
Localization of hooks to Okta events: Email templates & SMS responses in over 20 human languages.
Free Company Trial Environments
Apply for a 30-day trial using your work email:
The above free trial enable you to import up to 10,000 users and activate up to 100 of them to use up to 50 apps.
The Okta form combined your company name to create a URL such as:
Click “GET STARTED” in the email.
Notice your email address login, such as: email@example.com
You’ll get a “Welcome to the Okta Community” email on that work email address.
You don’t have an email so:
The email “Account password reset”
“At this time your password can only be reset by an administrator. To send them a request, go to your Sign-in Help page. Then click the Request help link.
Click on url to open your “https://xyz.okta.com/”
Type your email and password.
Legacy Admin Dashboard
Admin Experience Redesign
|Items:||Dashboard:|| People (status, User: Applications, Groups, Profile attributes),|
, Profile Editor,
| Applications: (Sign On, Mobile, Provisioning, Import, Assignments),|
Emails & SMS,
|Each:||-||Indiv. User: Applications, Groups, Profile (attributes) Groups: Rules||Indiv. App: Provisioning: Update User Attributes, Deactivate Users||MFA Factor Types, Factor Enrollment||-||-||General: App Setttings, VPN Notification, App Embed Link|
To summarize app usage and org activity and notifies you of any problems or outstanding work to be completed. It also provides shortcuts to the most commonly performed tasks.
People States: ONBOARDING:
- Pending user action ACTIVE:
- Password reset
- Locked out INACTIVE:
In Salesforce, a “Chatter free user” does not have a license to use the Saleforce Chatter messaging app.
Proctored online exams - Take an Okta Certification Exam 24 x 7
Okta Certified Professional (Level 1)
Okta Certified Professionals possess knowledge about secure identity management and mobility concepts. They have hands-on experience completing day-to-day operational tasks to support users of the Okta service. Professionals have familiarity with Okta technology and processes related to simple directory integration, single-sign on federation, and application provisioning aspects of User Life Cycle Management.”
It’s also for Security Engineers.
For $250 USD, answer 60 questions in 90 minutes.
<a target=”_blank”” href=”“https://sei.caveon.com/launchpad/?exam=okta-professional-practice-exam”> Okta Professional Practice Exam</a> has 20 questions in 45 mintues with the look and feel of the actual exam, but with correct answers with feedback explanations. The DOMC (Discrete Option Multiple-Choice) means you can’t go back to previous questions. That’s explained in the AWESOME: Professional Exam Study Guide contains topic-specific deep links to docs for each exam area.
(At Okta’s annual user conference named “Oktane21.com” in 2021, etc. a one-day boot-camp plus Pro exam is $299: https://okta.csod.com/ui/lms-learning-details/app/event/71f091e1-9dd6-48d2-a864-90580fb8a9c3 https://www.okta.com/training/okta-professional-certification-exam-prep-webinar
- VIDEO sneak peak of the prep sess
- YOUTUBE: Okta Certificate Professional Fast Track Overview
- Manage Okta Mastered Users
- Integrate Okta with Active Directory Mastered Users
- Integrate Okta with LDAP Mastered Users
- Manage Application Single Sign-On (SSO)
- Automate Lifecycle Management
- Implement Multi-factor Authentication (MFA)
- Configure Office 365 with Okta
- Okta Mobile Setup and Administration
- Configure Universal Directory and User Profiles
- Okta End User Support
- Navigating the Okta Help Center
- creating user accounts,
setting up applications,
- managing profiles,
- implementing MFA, and
offboarding users in Okta.
- giving out admin rights
- setting up group membership
- configuring provisioning
- configuring lifecycle management
Okta Certified Administrator (Level 2)
Okta Certified Administrators are technically proficient at managing the Okta service.
They have extensive knowledge about how Okta enables advanced User Lifecycle Management scenarios involving mobile devices, security policy frameworks, supported SSO options, and advanced directory integration for cloud and on-premise access. Administrators use the Okta Policy framework to control user access, understand how to map identity attributes and data transformations using Universal Directory, and troubleshoot issues.
For $250 USD, answer 60 questions in 90 minutes. In order to sit for this certification, you must first pass both the Okta Professional Exam and the Okta Administrator Exam.
Administrator Exam Study Guide lists topic-specific deep links to <a target=”_blank” href= https://www.okta.com/resources/administrator-exam-study-guide/#administrator-exam-subject-areas-12”> each topic</a>:
- Identity and Access Management 25%
- Advanced Directory Integration
- Single Sign-On (SSO) Federation
- Desktop SSO deployment
- Hybrid SaaS strategies and challenges
Okta Certified Consultant (Levels 3)
Okta Certified Consultants are technically proficient at implementing the Okta service in a variety of configurations. Consultants have experience integrating common applications, such as, Office 365, G Suite, Box, and Salesforce with Okta. They also have extensive knowledge and experience scoping and implementing complex Okta integrations involving multi-forest and multi-domain environments, advanced single sign-on (SSO), and inbound federation with Okta. Consultants have working knowledge of Okta APIs and custom configuration options.
For $300 USD, answer 60 questions in 90 minutes. In order to achieve this certification, you must pass the Okta Professional Exam, the Okta Administrator Exam and the Okta Consultant Exam.
- Advanced Security: Protect the Modern Perimeter with Okta
Okta Certified Developer
Okta Certified Developers builds and customizes.
For $250 USD, answer 40 questions in 60 minutes, then 4 performance-based use cases in 90 minutes.
https://github.com/okta/okta-developer-docs by Arvind Krishnakumar
- Free https://www.okta.com/training/okta-developer-certification-exam-prep-webinar
- Okta Customer Identity for Developers
- SSO Enable Custom Apps with Sites with OIDC
- API Access Management with OAuth
Get a free account at
- In email, activate Developer Account. Customize Goals.
Get a Developer Forum account at
- Confirm via email.
“Procode” in Okta’s SDK and REST APIs.
Edit a widget in real time at https://developer.okta.com/live-widget
Okta Virtual Training
$825 per day, $1,650 for 2 days
Okta Essentials - 2 Days
Migrate and Integrate Your Users with Okta - 1 Day
Okta Customer Identity for Developers - 2 Days
Advanced Mastering Techniques with Okta - 1 Day
Advanced Security: Protect the Modern Perimeter with Okta - 2 Days
An Illustrated Guide to OAuth and OpenID Connect.
Add Auth to Web Page
https://www.okta.com/sites/default/files/2021-02/Okta-Certified-Professional-Fast-Track-Overview-Guide.pdf Fast Track Overview Guide
Email addresses oktaice.com domain not reachable use oktane 212000.com unique to session.
Okta-Sourced Users means registration data originated from another source. Organization: Reseller: Global Ice Cream Inc.
OEL (Okta Expression Language) is largely Regex.
So IDP-initiated = log into OKTA first then launch app, and SP-initialed = go to SP web directly and be redirected to OKTA to authenticate?