Wilson Mar

Universal Directory IAM via OIDC using JWT over OAuth2 for API and SWA or SAML SSO Authentication with MFA for identity federation using SCIM in cloud or on-prem


Overview

Okta [Wiki] lets you use your Okta credentials (via federated authentication) to log into Gmail, Workday, Salesforce, Slack and thousands of other 3rd-party integrations in its “Okta Integration Network” (formerly the “Okta Application Network”).

VIDEO: Okta offers API authentication services. Okta Access Gateway provides SSO for on-prem apps behind a corporate firewall. Okta’s Universal Directory records which groups and roles each user has, which drives lifecycle management.

Internally, Okta’s services are built on top of the Amazon Web Services (AWS) cloud, using a “multi-cell” architecture where each cell is an identical infrastructure. That is much like how Salesforce works.

Social: meet people

Okta co-founder and CEO Todd McKinnon was previously a vice president at Salesforce, working under Marc Benioff for over five years.

Okta is based in San Francisco, California. VIDEO: Visit their office

Okta’s YouTube channel

https://twitter.com/oktadev

The Okta Help Center contains a knowledge library of articles and videos, some of which are pertinent to topics covered on this exam.

The Okta Content Library offers searchable white papers with a rich body of information to explore before your exam.

Okta API in Postman

The Okta Help Center https://support.okta.com

All email submissions default to P3 Severity Level. Please refer to the article in the Okta Help Center for issue severity/priority definitions. To report an urgent technical issue call Okta Support and request to speak with an engineer: US: 1-800-219-0964 AU: 1800 095 441 UK: 0800 808 5574

Glossary of Okta’s abbreviations

https://help.okta.com/en/prod/Content/Topics/Reference/glossary.htm

  • ASA = Advanced Server Access (Okta API product, see https://developer.okta.com/docs/reference/api/asa/introduction/)
  • OIC = Okta Identity Cloud
  • OIN = Okta Integration Network (catalog of integrations for apps to manage auth and provisioning of users)
  • OMM = Okta Mobility Management (for SSO 30 day inactivity token)
  • SWA = Secure Web Authentication (Okta’s SSO integration method for any web-based app, even those that don’t support federated sign-on). It relies on the Okta Browser Plugin, which fills in stored credentials.

Industry Acronyms

  • ACS URL = Assertion Consumer Service URL: the Service Provider endpoint (e.g. at Salesforce) that receives the SAML assertion (part of the SAML spec)
  • AD = Active Directory (Microsoft)
  • CAC/PIV-enabled tools (US DoD/military)
  • CORS = Cross-origin resource sharing
  • EMS E3 / E5 = tiers of Microsoft’s Enterprise Mobility + Security suite (E5 is the level above E3).
  • FICAM = Federal Identity, Credential, and Access Management (see https://arch.idmanagement.gov/ and https://www.dhs.gov/science-and-technology/icam)
  • GA = General Availability (of product)
  • JWT = JSON Web Token (RFC 7519; a signed, base64url-encoded set of claims used for OIDC ID tokens and OAuth access tokens; not “Java” Web Token)
  • IAM = Identity and Access Management
  • IDaaS = Identity as a Service
  • ICAM = Identity, Credential, and Access Management (security principles)
  • Intune = (Microsoft)
  • IdP = Identity Provider (the authenticating side in SAML or OIDC)
  • IWA = Integrated Windows Authentication (Kerberos/NTLM-based desktop SSO)
  • LCM = LifeCycle management
  • MAM = Mobile Application Management (Microsoft Intune)
  • Mastered Users = users whose source of truth for profile attributes (the “profile master”, now called a Profile Source) is a directory or HR system such as AD, LDAP or Workday rather than Okta itself
  • MFA = Multi-Factor Authentication
  • NPEs = Non-Person Entities
  • OIDC = OpenID Connect (an identity layer on top of OAuth 2.0 that adds login and profile info, like a badge = the JWT ID Token)
  • OWA = Outlook Web Access (Microsoft Office 365 SaaS offering at https://outlook.office.com/owa)
  • PKCE = Proof Key for Code Exchange (RFC 7636). Protects the OAuth 2.0 Authorization Code grant against code interception: the client sends a code_challenge and code_challenge_method with the authorization request, then the original code_verifier with the access token request, and the authorization server checks that the two match.
  • SAML = Security Assertion Markup Language 2.0 (federated authentication protocol)
  • SCIM = System for Cross-domain Identity Management (for exchange of user identities in cloud-based apps and services)
  • SP = Service Provider (the application, such as Salesforce, whose ACS URL endpoint receives the assertion)
  • SSO = Single-Sign-On
  • SWA = Secure Web Authentication
  • URI = Uniform Resource Identifier
  • URL = Uniform Resource Locator (address of the entity that …)
  • WS-FED = WS-Federation (authentication protocol)

https://oauth2simplified.com/course by Aaron Parecki, Senior Security Architect at Okta and author of the website oauth.net. In 3.5 hours it covers OAuth 2.0, OpenID Connect, PKCE, deprecated flows, JWTs, API Gateways, and scopes.

Okta for Government

https://www.okta.com/blog/tag/government

https://www.okta.com/solutions/government-agencies/

Okta holds a FedRAMP ATO (Authority to Operate).

Kelsey Nelson, Senior Manager of Product Solutions, Okta

Among the https://aka.ms/AzureGovVideos: Overview of Managed Identities on Azure Government.

https://www.fedscoop.com/workforce/

Documentation

support.okta.com/help Okta Community to review questions, discussions, ideas, and blogs for additional exam preparation.

developer.okta.com/docs groups topics within “Concepts”.

On-demand, 30m: Identity and Access Management with Okta: An Introduction. It covers:

  • directory basics and their role in IAM
  • the evolution of Single Sign-On
  • the process involved in Identity Federation
  • the Lifecycle Management challenges IT and HR teams deal with daily
  • the benefits of Multi-factor Authentication (MFA)

15m VIDEO: Introduction to Customer Identity with Okta

Competitors

  • Microsoft Azure Active Directory
  • AWS Cognito
  • Oracle Enterprise SSO
  • IBM Security
  • Salesforce Identity

  • Auth0 (acquired by Okta March 4, 2021)
  • Duo MFA
  • CA Technologies
  • Ping Identity
  • SailPoint
  • Centrify
  • MicroFocus (NetIQ)
  • OneLogin
  • Tools4ever HelloID
  • miniOrange
  • LoginRadius
  • ForgeRock

Integrations

Okta supports Windows Hello for Microsoft Edge. ???

Okta supports Voice Call Authentication.

OIN pre-integration does not include network zones.

Okta vs Microsoft Azure AD

VIDEO, BLOG: As of April 2021, Microsoft Azure AD (Premium P2) Identity Protection flags some situations that Okta does not:

  • “risky sign-in” from an anonymizing network such as a Tor browser or open proxy, commonly used by threat actors.
  • “impossible travel”: a sign-in minutes after another sign-in from thousands of miles away.
  • credentials (account names and passwords) found leaked on the dark web.

6 Reasons Microsoft Customers Choose Okta

Okta’s password policy locks a user out after a configurable number of unsuccessful authentication attempts (5 in these notes).

Okta Products

Noteworthy items within marketing pages by product:

  1. Okta Browser plugin
    • Not managed by sign-on policy.
    • No option is configurable on a specific browser
  2. Okta “Universal Directory” supports these profile types:

    • Application User Profile
    • Directory User Profile
    • Identity Provider User Profile
    • Okta User Profile
    • (there is no “Mandatory Profile” type; which system masters a profile is configured per Profile Source)

  3. Okta Verify “Adaptive” MFA factor: a push challenge sent to the Okta Verify authenticator app on Android and iOS phones.

    Other factors include SMS Authentication and the Security Question (distinct from the security question used for account unlock).

  4. Okta Mobile “Mobility management” for SSO

  5. Okta Access Gateway - Embed modern authentication into web apps, secure access to on-prem apps, and protect hybrid clouds.

  6. Okta API Access Management is an OAuth 2.0 / OpenID Connect authorization server: it federates access to apps using OpenID Connect and issues OAuth access tokens for API calls. It extends Universal Directory to any API you manage, via policies. Access decisions are made in near real time and passed along as permissions (scopes) and claims derived from:
    • User Profile
    • Group Memberships
    • IP Address
    • Clients
    • User or Admin Consent
    • etc.

    Okta API Access Management provides APIs and SDKs to handle authentication and authorization aspects of API access from API Gateways (MuleSoft, Apigee, CA, etc.)

    • API Authorization Policy management

Lifecycle Management Processes

Joiner/Mover/Leaver

Lifecycle Management provisioning using SCIM

  1. New user (employee)
  2. Provision account with groups, roles, permissions
  3. Enforce authentication
  4. Update for changes in group or role (promotion, demotion, relocation)
  5. Offboard (deactivate)

Password: Create, Update, Deactivate, Sync.

REMEMBER: Okta does not currently support impersonation.

Okta Enrollment Policy

Workflows - Automate identity-centric processes like employee onboarding and offboarding using conditional logic.

  • Automation, Event Hooks, Inline Hooks

Advanced Server Access - Zero Trust access management - manages SSH and RDP access to Linux and Windows servers by team tenant.

brew search okta
==> Formulae
aws-okta
==> Casks
okta-advanced-server-access
   

QUESTION: is there an azure-okta?

App Integration Wizard

Creates apps as part of the App Request & Approval workflow which enables users to request access to applications (to integrate).

Groups and Apps

REMEMBER:

  • Currently Okta cannot assign specific factors for use at the application level.
  • Okta groups do NOT impact creation of custom apps.

  • Default policy is always the last policy evaluated. Only the outcome can be modified.
  • Users cannot be forced to enroll in another factor type before reset.
  • An App Embed Link is an Okta-generated URL whose sign-in flow is IdP-initiated rather than SP-initiated.

  • Okta Admins cannot renew an API token - only users.

Okta tech stacks supported

  • Android
  • Angular
  • .NET (C#)
  • Go
  • iOS
  • JavaScript
  • Java
  • Node.js
  • PHP
  • Python
  • React
  • React Native
  • Vue.js
  • Other

Persona

By persona:

Localization of hooks to Okta events: Email templates & SMS responses in over 20 human languages.

Free Company Trial Environments

  1. Apply for a 30-day trial using your work email:

    https://okta.com/free-trial

    The above free trial enables you to import up to 10,000 users and activate up to 100 of them to use up to 50 apps.

    https://www.okta.com/free-trial/FRT/

    The Okta form combines your company name to create a URL such as:

    https://xyz.okta.com

  2. Click “GET STARTED” in the email.

    Notice your email address login, such as: johndoe@xyz.com

    You’ll get a “Welcome to the Okta Community” email on that work email address.

  3. You don’t have the email, so:

    https://xyz.okta.com/signin/forgot-password

  4. The email “Account password reset”

    “At this time your password can only be reset by an administrator. To send them a request, go to your Sign-in Help page. Then click the Request help link.”

    https://xyz.okta.com/help/login

    QUESTION:

  5. Click on url to open your “https://xyz.okta.com/”

  6. Type your email and password.

Okta UI

Legacy Admin Dashboard

Admin Experience Redesign

Menu: Dashboard, Directory, Applications, Security, Workflow, Reports, Settings

  • Dashboard
  • Directory: People (status; per user: Applications, Groups, Profile attributes), Groups (Rules), Profile Editor, Directory Integrations, Self-Service Registration, Profile Sources
  • Applications: Applications (Sign On, Mobile, Provisioning, Import, Assignments), Self-Service
  • Security: General, HealthInsight, Authentication, Multifactor, Identity Providers, Delegated Authentication, Networks, Behavior Detection, Device Trust, Administrators, API
  • Workflow
  • Reports
  • Settings: Account, Features, Appearance, Customization, Emails & SMS, Downloads

Per item:

  • Individual user: Applications, Groups, Profile (attributes)
  • Groups: Rules
  • Individual app: Provisioning (Update User Attributes, Deactivate Users), Sign On (MFA Factor Types, Factor Enrollment), General (App Settings, VPN Notification, App Embed Link)

The Dashboard summarizes app usage and org activity, notifies you of problems or outstanding work to be completed, and provides shortcuts to the most commonly performed tasks.

People states:

  • ONBOARDING: Staged, Pending user action
  • ACTIVE: Active, Password reset, Locked out
  • INACTIVE: Suspended, Deactivated

In Salesforce, a “Chatter free user” does not have a license to use the Salesforce Chatter messaging app.


Okta Certifications

Proctored online exams - Take an Okta Certification Exam 24 x 7

PDF: Certified Program Handbook

https://www.okta.com/services/certification/

https://www.okta.com/services/certification/keepcurrent

Okta Certified Professional (Level 1)

Okta Certified Professionals possess knowledge about secure identity management and mobility concepts. They have hands-on experience completing day-to-day operational tasks to support users of the Okta service. Professionals have familiarity with Okta technology and processes related to simple directory integration, single-sign on federation, and application provisioning aspects of User Life Cycle Management.

It’s also for Security Engineers.

For $250 USD, answer 60 questions in 90 minutes.

The Okta Professional Practice Exam (https://sei.caveon.com/launchpad/?exam=okta-professional-practice-exam) has 20 questions in 45 minutes with the look and feel of the actual exam, plus correct answers with feedback explanations. The DOMC (Discrete Option Multiple-Choice) format presents answer options one at a time, each answered yes or no, and you can’t go back to previous questions. That is explained in the AWESOME Professional Exam Study Guide, which contains topic-specific deep links to docs for each exam area.

(At Okta’s annual user conference, “Oktane21.com” in 2021, a one-day boot-camp plus Pro exam was $299: https://okta.csod.com/ui/lms-learning-details/app/event/71f091e1-9dd6-48d2-a864-90580fb8a9c3 and https://www.okta.com/training/okta-professional-certification-exam-prep-webinar)

Other Practice Exams: [Not McK] $20 practice test

UDEMY: Getting started with Okta McK by Tom Mitchell

  • Manage Okta Mastered Users
  • Integrate Okta with Active Directory Mastered Users
  • Integrate Okta with LDAP Mastered Users
  • Manage Application Single Sign-On (SSO)
  • Automate Lifecycle Management
  • Implement Multi-factor Authentication (MFA)
  • Configure Office 365 with Okta
  • Okta Mobile Setup and Administration
  • Configure Universal Directory and User Profiles
  • Okta End User Support
  • Navigating the Okta Help Center

Skills:

  • creating user accounts,
  • setting up applications,

  • managing profiles,
  • implementing MFA, and
  • offboarding users in Okta.

  • giving out admin rights
  • setting up group membership
  • configuring provisioning
  • configuring lifecycle management

Okta Certified Administrator (Level 2)

Okta Certified Administrators are technically proficient at managing the Okta service.

They have extensive knowledge about how Okta enables advanced User Lifecycle Management scenarios involving mobile devices, security policy frameworks, supported SSO options, and advanced directory integration for cloud and on-premise access. Administrators use the Okta Policy framework to control user access, understand how to map identity attributes and data transformations using Universal Directory, and troubleshoot issues.

For $250 USD, answer 60 questions in 90 minutes. To earn this certification you must pass the Okta Professional Exam first, then the Okta Administrator Exam.

The Administrator Exam Study Guide (https://www.okta.com/resources/administrator-exam-study-guide/#administrator-exam-subject-areas-12) lists topic-specific deep links for each topic:

  • Identity and Access Management 25%
  • Advanced Directory Integration
  • Single Sign-On (SSO) Federation
  • Desktop SSO deployment
  • Hybrid SaaS strategies and challenges
  • Architecture
  • etc.

Okta Certified Consultant (Level 3)

Okta Certified Consultants are technically proficient at implementing the Okta service in a variety of configurations. Consultants have experience integrating common applications, such as, Office 365, G Suite, Box, and Salesforce with Okta. They also have extensive knowledge and experience scoping and implementing complex Okta integrations involving multi-forest and multi-domain environments, advanced single sign-on (SSO), and inbound federation with Okta. Consultants have working knowledge of Okta APIs and custom configuration options.

For $300 USD, answer 60 questions in 90 minutes. In order to achieve this certification, you must pass the Okta Professional Exam, the Okta Administrator Exam and the Okta Consultant Exam.

topic-specific deep links to each topic:

  • Mastering

Classes:

  • Advanced Security: Protect the Modern Perimeter with Okta

Okta Certified Developer

Okta Certified Developers build and customize Okta integrations.

For $250 USD, answer 40 questions in 60 minutes, then 4 performance-based use cases in 90 minutes.

https://github.com/okta/okta-developer-docs by Arvind Krishnakumar

Classes:

  • Free https://www.okta.com/training/okta-developer-certification-exam-prep-webinar
  • Okta Customer Identity for Developers
  • SSO Enable Custom Apps with Sites with OIDC
  • API Access Management with OAuth

Developer Onboarding

  1. Get a free account at

    developer.okta.com/signup

    developers@okta.com

  2. In email, activate Developer Account. Customize Goals.
  3. Get a Developer Forum account at

    devforum.okta.com

  4. Confirm via email.

Okta API

“Pro-code” integration uses Okta’s SDKs and REST APIs.

https://developer.okta.com/docs/reference/

Edit a widget in real time at https://developer.okta.com/live-widget

Okta Virtual Training

$825 per day, $1,650 for 2 days

Okta Essentials - 2 Days

Migrate and Integrate Your Users with Okta - 1 Day

Okta Customer Identity for Developers - 2 Days

Advanced Mastering Techniques with Okta - 1 Day

Advanced Security: Protect the Modern Perimeter with Okta - 2 Days

An Illustrated Guide to OAuth and OpenID Connect.


Add Auth to Web Page

https://www.youtube.com/watch?v=uPFirakhBtQ&t=210s

References

https://www.okta.com/sites/default/files/2021-02/Okta-Certified-Professional-Fast-Track-Overview-Guide.pdf Fast Track Overview Guide

In the training labs, email addresses on the oktaice.com domain are not reachable; use the oktane 212000.com domain unique to the session.

Okta-sourced users are users whose profile source is Okta itself (created in Okta or through self-registration) rather than imported from a directory or HR system. Training lab organization: Reseller: Global Ice Cream Inc.

OEL (Okta Expression Language) is based on SpEL (the Spring Expression Language), not on regex; it is used to reference and transform user, group and app attributes, for example in attribute mappings and group rules.

IdP-initiated SSO: the user logs into Okta first and launches the app from the Okta dashboard (Okta posts an unsolicited SAML response to the SP’s ACS URL). SP-initiated SSO: the user goes to the SP directly, is redirected to Okta with an authentication request, authenticates, and is sent back to the ACS URL.