You just re-enabled IWA DSSO and notice it's not behaving as it should. What is an aspect you should keep in mind?
Solution: That when re-enabling IWA DSSO you have to issue another API token for the AD/IWA Agents
Can you include/exclude users from specific Network Zones defined in Okta from both Sign On and Password policies?
Solution: Only for Sign On policies you have such granularity
With Okta Retention Policy, App generated data and reporting based on log data older than how many months is automatically removed (not considering the Backup Data)?
Solution: This data is never removed, as per GDPR
Speaking of Okta Template App and Okta Plugin Template App, which of the following RegEx can you create for an allow list of URLs so that both endpoints for /login or /change_password are accepted under example.com domain?
Solution: https://example.com/(login|change_password)\\*
In an agentless DSSO (Desktop Single Sign-on) scenario, Okta is the one decrypting the Kerberos ticket; it then finds the user name, authenticates the user and passes back a session to the browser.
Solution: The statement is valid, but Okta is not the one doing authentication - IWA Agent and AD Agent are doing that as AD agent verifies the AD user's identity
The Okta On-Prem MFA Agent acts as a Radius client and communicates with the RADIUS enabled On-Prem server, including RSA Authentication manager for RSA SecurIDs. This basically allows your organization to leverage Second Factor from a variety of On-Premises multifactor authentication tools.
Solution: The statement is false
As an Okta best-practice/recommendation: Okta encourages you to switch from Integrated Windows Authentication (IWA or DSSO) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.
Solution: Only the first statement is true
There might be specific AD attributes, which - apart from others - do not appear in the Okta user profile. Can those extra attributes be mapped and provisioned towards an app?
Solution: Yes, but you need to have a SAML 2.0 integrated app or such flow
Regarding policies, Okta recommends:
Solution: Include a final catch-all rule that denies access to anything that does not match any of the preceding rules
What does it mean: "Mapping Direction AD to Okta"?
Solution: Indicates a schema of attribute values flowing from AD towards Okta
Whenever you make an API call, you will then get back:
Solution: Response headers
Any ... <answer_goes_here>'s credentials verified under "Test API credentials" in an Office365 app integration can allow Okta API integration with Office 365 - permissions which once successfully granted will be used by Okta for Provisioning related tasks
Solution: Office 365 Global Administrator
When a user's Okta password is changed:
Solution: All apps that are Provisioning-enabled and have Sync Password option active under Provisioning settings - will begin to sync the password in respective apps
After you turn on Desktop SSO, a default DSSO related routing rule is created. You must configure the network information for this rule.
Solution: The statement is partially true, as the networking information is already added within this rule
Any ... <answer_goes_here>'s credentials verified under "Test API credentials" in an Office365 app integration can allow Okta API integration with Office 365 - permissions which once successfully granted will be used by Okta for Provisioning related tasks
Solution: Office 365 user
With Okta you federate the 'Office 365 tenant name' (which is the default Microsoft domain you have) or the 'Office 365 domain'?
Solution: You federate with Okta only the 'Office 365 domain'
In an agentless DSSO (Desktop Single Sign-on) scenario, Okta is the one decrypting the Kerberos ticket; it then finds the user name, authenticates the user and passes back a session to the browser.
Solution: The statement is valid, but Okta is not the one doing decryption - the browser is doing that
The SCIM protocol is <response_is_entered_here> for provisioning and managing identity data on the web.
Solution: An application-level TLS protocol
Speaking of Okta Template App and Okta Plugin Template App, which of the following RegEx can you create for an allow list of URLs so that both endpoints for /login or /change_password are accepted under example.com domain?
Solution: https://example*.com/(login|change_password)
After you turn on Desktop SSO, a default DSSO related routing rule is created. You must configure the network information for this rule.
Solution: You have nothing to do and even the rule is by default set to "Active"
How can SAML provision attributes via JIT? Or even create users?
Solution: By including specific information in the GET API call
In order for SAML to work, there is a need of an IDP and an SP and we know that already, but why is it so? Because:
Solution: An SP authorizes the users, while the IDP authenticates them
When you call a GET API call for users/groups and other such objects, the response is usually paginated, in case there are a lot of objects returned. What do you do in order to retrieve all objects?
Solution: You call the very same API with the help of a different token, hence will return the next page of objects
Regarding policies, Okta recommends:
Solution: To have one policy rule per application, as more will most probably alter the behavior too much and you may miss important behaviors
Which of the following is/are Okta required attributes?
Solution: sAMAccountName
When using Okta Expression Language, which of the following will have the output: This is a test
Solution: String.append( " This is " , " a test " )
Which of the following is/are Okta required attributes?
Solution: None of the above
On a Windows machine, which is the right behavior if you try to sign into your Okta org and agentless DSSO is properly configured for it?
Solution: You will be automatically redirected to The Okta Sign In page for your organization, where you need to fill in with your AD credentials
With agentless DSSO (Desktop Single Sign-on), you still have a need of deploying IWA Agents in your Active Directory domains to implement DSSO functionality.
Solution: The statement is false
When you are trying to federate (via WS-FED) Office 365 with Okta:
Solution: You can choose to skip importing user groups and group memberships into Okta
As an Okta admin, when you implement IWA, you have to know how to successfully test it to see if it's working. For this you:
Solution: Restart AD Domain Controller and go into IIS and see if you have IWA references in there
When you call a GET API call for users/groups and other such objects, the response is usually paginated, in case there are a lot of objects returned. What do you do in order to retrieve all objects?
Solution: You call the very same API multiple times, till the response will be empty
Which is a/are best-practice(s) in a SAML 2.0 situation?
Solution: To not use SAML 2.0 and Provisioning via the same App instance in Okta, but integrate the same SP custom domain via two different app instances in Okta, one for SSO, via SAML 2.0 in this case, and one for provisioning on users