
Security Auth Flashcards

(48 cards)

1
Q

When should you use SAML for SSO federation?

A

For modern enterprise applications that support federated protocols. SAML is an XML-based standard for exchanging authentication and authorization data between Identity Provider (IdP) and Service Provider (SP). Credentials never leave Okta, making it more secure than SWA.

2
Q

What is the primary use case for WS-Federation (WS-Fed)?

A

Legacy Windows-based web applications and Microsoft Office 365. WS-Fed is an XML-based protocol using encrypted SOAP messages. It’s more secure than SWA and doesn’t require separate passwords for Office 365.

3
Q

When is SWA (Secure Web Authentication) the appropriate choice?

A

For applications that don’t support federated protocols like SAML, WS-Fed, or OIDC. SWA is Okta’s proprietary technology where username/password are passed to the third-party app and stored encrypted with AES-256.

4
Q

What makes OIDC different from other federation protocols?

A

OIDC (OpenID Connect) is built on OAuth 2.0 framework and allows different systems to share authentication state and user profile information. It’s the modern standard for web and mobile applications.

5
Q

What are the three main components of Okta Active Directory integration?

A

1) Okta AD Agent (lightweight agent on Windows Server), 2) Delegated Authentication (AD authenticates users through Okta), 3) Directory Sync (real-time synchronization between AD and Okta).

6
Q

What is the difference between POC and Enterprise AD integration deployment?

A

POC: Simple agent install, basic user import, minimal configuration for testing. Enterprise: Requires planning, high availability, disaster recovery considerations, and careful attribute mapping configuration.

7
Q

What is Just-In-Time (JIT) provisioning in AD integration?

A

Automatic user creation in Okta during first login. Requires Delegated Authentication to be enabled. Can be used with or without scheduled imports to streamline user onboarding.

8
Q

What is the purpose of Universal Security Group (USG) support?

A

Allows Okta to ignore domain boundaries when importing group memberships, enabling cross-domain group membership management in multi-domain AD environments.

9
Q

What is the primary purpose of Okta Universal Directory?

A

Centralized platform for managing user identities from multiple sources. Provides unified view of all users and attributes, integrating with AD, LDAP, HR systems, and cloud applications as a core component of Okta Identity Cloud.

10
Q

What are custom attributes and mappings in Universal Directory?

A

Custom attributes allow flexible user attribute definition (job titles, departments, locations). Mappings define how data flows between systems. Data transformation cleans and reconciles data during provisioning.

11
Q

How does real-time synchronization work in Universal Directory?

A

Changes made in AD, LDAP, or other connected systems are synchronized instantly with Okta. When an admin deactivates a user in Okta, the user’s record in AD is also deactivated immediately.

12
Q

What are the three main MFA factor types in Okta?

A

1) Possession: Something you have (phone, email, hardware token), 2) Knowledge: Something you know (password, security questions), 3) Biometric: Something you are (fingerprint, face recognition).

13
Q

What are the key method characteristics for MFA factors?

A

Device-bound (associated with specific device), Hardware-protected (requires physical device), Phishing-resistant (can’t be shared in phishing attacks), User presence (requires human interaction), User verifying (proves specific user).

14
Q

Which factors are considered phishing-resistant?

A

WebAuthn/FIDO2, Okta Verify with FastPass, and hardware tokens like YubiKey. These factors don’t provide authentication data that users can share with attackers.

15
Q

What is the difference between Okta Verify push and TOTP?

A

Push: Real-time notification to user’s device requiring approval. TOTP (Time-based One-Time Password): Time-sensitive codes generated by the app. Both are more secure than SMS but push is more user-friendly.

16
Q

What are the main types of Okta policies?

A

Authentication Policies (app authentication requirements), Global Session Policies (session behavior), Authenticator Enrollment Policies (factor enrollment management), Password Policies (complexity/lockout rules), Device Assurance Policies (device-based access control).

17
Q

How do policy rules work in Okta?

A

Rules are evaluated in priority order. Each rule has conditions (when it applies) and actions (what happens). Once a rule matches, evaluation stops. Default policies always exist as fallback and cannot be deleted.

18
Q

What is an Authenticator Enrollment Policy?

A

Defines which authenticators are required, optional, or disabled for specific user groups. Also controls when and how users can enroll factors, including grace periods for required factor enrollment.

19
Q

What are grace periods in enrollment policies?

A

Designated time allowing users to enroll required authenticators without blocking access. Configured per-authenticator to minimize sign-in friction during onboarding and factor rollouts.

20
Q

What is Okta FastPass and its key benefits?

A

Phishing-resistant, passwordless authenticator using public key cryptography. Eliminates passwords, provides device-bound authentication, supports biometric verification, and meets FedRAMP High/NIST AAL3 requirements.

21
Q

What platforms support Okta FastPass?

A

Android, iOS, macOS, and Windows. Requires latest Okta Verify app with account created on the device. Provides consistent passwordless experience across all supported platforms.

22
Q

What’s the difference between FastPass 1FA and 2FA?

A

1FA: Silent authentication without user interaction (device presence only). 2FA: Requires user verification through biometrics (Touch ID, Face ID, fingerprint) proving specific user identity.

23
Q

How does Okta FastPass enrollment work?

A

Multiple methods: Inline enrollment during normal authentication, QR code scanning from authenticated desktop device, or first-time activation using email magic link, SMS, or password (if still used).

24
Q

What is the recommended authentication policy structure for passwordless?

A

Rule 1: Managed devices with secure hardware (any 2 factors). Rule 2: Unmanaged devices (any factor except phone/email). Rule 3: Catch-all deny rule. Most restrictive rule at top, catch-all at bottom.

25
Q

What are device assurance policies?

A

Control access based on device security state using signals from Okta Verify and/or third-party integrations (Tanium, CrowdStrike, Windows Security Center). Can be created once and reused in multiple authentication rules.

26
Q

How do you configure phishing-resistant authentication?

A

Set authentication policy rules requiring phishing-resistant factors (WebAuthn, Okta FastPass). Configure constraints in rules to verify authentication requests don’t come from malicious sites.

27
Q

What are the key considerations for MFA factor reset procedures?

A

Provide both admin and self-service reset options. Use strong factors for account recovery (avoid email-only as it’s easily compromised). Configure backup factors for when primary authenticators are unavailable.

28
Q

How should you structure MFA enrollment for different user groups?

A

Create specific enrollment policies per group. Set required factors based on security needs, optional factors for flexibility, and disabled factors to prevent weak authentication methods.

29
Q

What is the recommended approach for MFA rollouts?

A

Start with optional enrollment, use grace periods to allow gradual adoption, test in a preview environment, provide user training, and have support procedures for enrollment issues.

30
Q

What factors should be avoided for account recovery and why?

A

Email-only recovery should be avoided because user credential compromise often leads to email compromise. Security questions are weak knowledge factors. Use device-bound or biometric factors for recovery instead.

31
Q

How do you implement Zero Trust with Okta authentication policies?

A

Use device assurance policies, require phishing-resistant factors for sensitive apps, implement network zone restrictions and continuous device verification, and assume no prior knowledge about authenticating users.

32
Q

What are the best practices for sensitive application access?

A

Require phishing-resistant authenticators with biometric verification, implement step-up authentication, use device assurance signals, restrict network access zones, and enable continuous device verification.

33
Q

What is DirSync in Active Directory integration?

A

Feature that enables incremental imports with AD, significantly improving performance. When enabled, the next import is a full import to establish a baseline; subsequent imports are delta/incremental only.

34
Q

How do you handle nested groups in AD integration?

A

Regular imports may miss child groups outside the OU scope, causing membership inconsistencies. JIT provisioning correctly resolves “flat” memberships. USG support helps with cross-domain group memberships.

35
Q

What are the requirements for Okta AD Agent installation?

A

Windows Server 2016+, domain-joined server, minimum 2 CPUs and 8 GB RAM, domain administrator privileges for installation, outbound-only firewall configuration (no inbound ports needed).

36
Q

What happens when a user fails multiple MFA challenges across different factor types?

A

Okta counts failed MFA challenges across all factor types. After reaching the configured threshold, Okta locks the user account. AD-sourced users can use Okta Self Service to unlock, but LDAP-sourced users must contact administrators.

37
Q

What is the difference between “Require user interaction” and “Require PIN or biometric user verification” in FastPass policies?

A

Require user interaction: Users must approve an Okta Verify prompt. Require PIN or biometric: Users must complete biometric or PIN verification to access resources. The second option provides stronger authentication assurance.

38
Q

How do you configure step-up authentication for sensitive applications?

A

Create specific authentication policy rules for sensitive apps requiring additional factors beyond the global session policy. Use phishing-resistant factors and configure “THEN” conditions to prompt for additional verification when accessing high-risk resources.

39
Q

What is the difference between silent authentication and user verification in Okta FastPass?

A

Silent authentication satisfies 1FA through device presence alone (no user interaction). User verification adds biometric confirmation (Touch ID, Face ID, fingerprint) to satisfy 2FA requirements by proving the specific user’s identity.

40
Q

How do authentication policy rules interact with global session policies?

A

Authentication policies control app-specific authentication requirements and can override global session policy settings. When both are configured, the authentication policy takes precedence for that specific application’s access requirements.

41
Q

What are the security implications of using Security Questions as an MFA factor?

A

Security Questions are knowledge-based factors (the weakest type) and are vulnerable to social engineering. Okta recommends against using them in authentication flows. They should only be used for account recovery if necessary, never as primary MFA.

42
Q

How do you handle MFA for users who don’t have smartphones?

A

Configure alternative factors like hardware tokens (YubiKey), email-based authentication, voice calls, or desktop-based Okta Verify. Ensure enrollment policies include these options as alternatives to mobile-based factors.

43
Q

What is the impact of enabling “Imports with DirSync” in AD integration?

A

Enables incremental imports that significantly improve performance with large directories. The next import after enabling becomes a full import to establish a baseline; subsequent imports are delta-only, reducing sync time and server load.

44
Q

How do you configure Okta Verify options for different security requirements?

A

Configure push notifications for user-friendly MFA, enable TOTP for offline scenarios, require biometric verification for high-security apps, and set up FastPass for passwordless authentication. Each can be enabled/disabled per policy.

45
Q

What are the requirements for a device to be considered “managed” in Okta device assurance policies?

A

Device must be: 1) Registered (enrolled in Okta Verify), 2) Managed by a device management solution, 3) Configured for device management in Security > Device Integrations, 4) User authenticated with FastPass from the managed device at least once.

46
Q

How do you troubleshoot authentication policy rule conflicts?

A

Check rule priority order (most restrictive first), verify conditions don’t overlap unexpectedly, ensure the catch-all rule is at the bottom, test with specific user scenarios, and review policy assignment to applications. Higher priority rules override lower ones.

47
Q

What factors can be used for passwordless multifactor authentication?

A

For passwordless 2FA, use the “Any 2 factor types” option requiring two different factor types: Possession, Knowledge, or Biometric. Hardware-protected, device-bound, or phishing-resistant factors are preferred. Security Questions only work if the user has enrolled a password.

48
Q

How does Okta handle Universal Security Groups (USG) vs Distribution Groups during AD imports?

A

USGs are security-enabled and support cross-domain memberships when USG support is enabled. Distribution Groups are mail-enabled only. Okta handles membership differently: USGs can ignore domain boundaries during imports; DGs cannot.