Number and types of questions

This exam has two parts.

• Part I: 47 Discrete Option Multiple Choice (DOMC) Questions Learn more about DOMC here
• Part II: Four Performance-Based, Hands-on Use Cases Learn more about Hands-on items here

Case study

This exam has two case studies.

• Many of the questions on this exam reference one of the two case studies.
• Some of the questions are completely independent and do not reference either case study.

Time allotted

Exam Fee

USD 250 (USD 100 for each subsequent retake)

Prerequisites

• Active, unexpired Okta Certified Professional and Okta Certified Administrator certifications
• Successful completion of the recommended training or self-study using the preparation resources listed in the Consultant Exam subject areas table at the end of this page
• Note: During the exam, one or more configuration tasks in Part II will require the use of an email address you can access from the system you use to take the exam. If you take the exam on a device that is locked down, you may have to use a work email address. Use of your personal or work email is limited to the configuration tasks that require it.

Exam Section

Percentage of Exam Related to Section

Implementing Advanced Sourcing

8%

"As a Source" setup and configuration flow

Configure attribute level sourcing and configure the priority of the profile sources in an Okta org

Preparation resources:

• About profile sources
• Prioritize profile sources
• Define the attribute profile source

Demonstrate understanding of the priority of the profile sources in an Okta org

Preparation resources:

• Prioritize profile sources

Advanced Sourcing Concepts

Understand the architecture of advanced sourcing (Example: the flow of attribute data), including how to deploy, test, and troubleshoot common sourcing configurations

Preparation resources:

• About profile sources
• About attribute-level sourcing
• Workday Real Time Sync
• Import users from an app
• Match imported user attributes

Data Migration Strategy 

Know the common data migration patterns, including the steps to migrate user data and passwords from an existing system to Okta

Preparation resources:

• Okta User Migration Guide

HR-as-a-Source (scenarios)

Know how to deploy, test and troubleshoot common sourcing configurations, including HR as a source options such as OIN, API as a source, and CSV directory, and understand the flow of attribute data

Preparation resources:

• Workday
• Grant Provisioning Group Admin privileges to a Workday Administrator
• Considerations

Profile Mappings (Profile Editor)

Know how to map attributes from source systems to target systems, how to identify basic attribute transformations, and how to troubleshoot common attribute mapping issues

Preparation resources:

• Map custom attributes
• Configure the CSV directory integration profile attributes

Implementing Advanced SSO Strategies

15%

Advanced SAML implementation scenarios

Know how to use the SAML Wizard and how to perform attribute mappings on SAML assertions

Preparation resources:

• Create SAML app integrations using AIW

Advanced Server Access concepts and overview

Understand what Advanced Server Access management is and be able to speak to its common use cases

Preparation resources:

• Advanced Server Access
• Get started with Advanced Server Access
• Audit events

Okta Access Gateway (OAG)

Understand what Okta Access Gateway management is and be able to speak to its common use cases

Preparation resources:

• About Access Gateway
• Configure an Identity Provider in Access Gateway
• Access Gateway security best practices
• Add Admin entry to hosts file
• Generic applications

Know the OAuth 2.0 roles of the authorization server, resource server, and resource owner

Preparation resources:

• Implement authorization by grant type

Know when to use the various OIDC flows based on the type of application (Example: mobile apps, single page applications, web applications on the server side)

Preparation resources:

• OpenID Connect
• A Beginner's Guide to JWT

Okta RADIUS Agent for an SSO Solution

Know when to use the Okta RADIUS Agent

Preparation resources:

• Okta RADIUS Integrations

Know how to configure the Okta RADIUS Agent for an SSO Solution (e.g., to connect from Okta to a VPN); understand the nuances of RADIUS; know which protocols are supported

Preparation resources:

• About the Okta RADIUS server agent
• RADIUS common issues and concerns
• Install and configure the RADIUS Agent
• RADIUS deployment architectures

Know the various error codes, including the types of tools that Okta recommends to use for troubleshooting SSO integrations, as well as the tools used during each step

Preparation resources:

• Troubleshoot provisioning

Implementing Custom Configuration Options with Okta

19%

Architecture, capabilities, and common use cases of OPP

Understand the common use cases for OPP and know the supported OPP features such as create, update, deactivate, and sync password

Preparation resources:

• Provision on-premises applications
• Enable the Transport Layer Security 1.2 protocol
• Install the Okta Provisioning Agent
• Connect to a SCIM connector
• Configure the API call timeout period

Custom Email Domain

Know the common use cases for custom email domain

Preparation resources:

• Configure a custom email address

Deployment Models & the Authentication API

Know what's possible with the out of the box sign-in screen vs sign-in widget, custom vanity login UI, etc.

Preparation resources:

• Redirect authentication

Know the pros and cons of the different deployment models

Preparation resources:

• Okta deployment models - redirect vs. embedded

Custom URL Domain

Know when custom URL domain should be used

Preparation resources:

• Customize domain and email address

Know the difference between BYO and Okta managed certificate, including the pros and cons of each

Preparation resources:

• Use your own certificate authority for managed devices
• Certificate management

MFA as a service

Know how to implement, test and troubleshoot configuration of MFA as a Service (MFA for Active Directory Federation Service)

Preparation resources:

• Troubleshooting
• MFA for Active Directory Federation Services (ADFS)

Okta Hooks

Know the various use cases and differences between the different types of hooks

Preparation resources:

• Inline hook timeout behavior
• Commands
• Telephony inline hook reference
• Supported commands
• Registration inline hook reference
• Token inline hook reference

SCIM App Wizard

Know how to implement, test and troubleshoot the SCIM App Wizard

Preparation resources:

• About on-premises provisioning
• Create SAML app integrations
• Add SCIM provisioning to app integrations

Implementing Directory Solutions

13%

Active Directory Integration

Know how to size the Okta Active Directory Agent deployment, configure the Okta Active Directory agent to communicate with multiple domains, configure the Okta Active Directory agent for throughput, configure verbose logging, and configure the proxy settings

Preparation resources:

• Register multiple domains to an Okta Active Directory agent

Know how to test and troubleshoot common configuration issues in multi-forest/multi-domain environments

Preparation resources:

• Integration with existing Active Directory forests and domains
• Prepare Active Directory for the integration
• Active Directory integration known issues
• Configure Active Directory import and account settings
• Define the attribute profile source

Advanced configuration with DSSO

Know how to implement, test, and troubleshoot Agentless Desktop SSO

Preparation resources:

• About Active Directory Desktop Single Sign-on and Just-in-Time provisioning
• Configure agentless Desktop Single Sign-on
• Active Directory Desktop Single Sign-on
• About the agentless Desktop Single Sign-on workflow
• Desktop Single Sign-on troubleshooting
• Configure browsers for agentless Desktop Single Sign-on on Windows

LDAP Integration

Know the common use cases for LDAP Agent such as delegated authentication and provisioning to existing LDAP environments, as well as the process to integrate LDAP with Okta

Preparation resources:

• Install the Okta LDAP Agent

Know the functional differences between Active Directory integration and LDAP integration

Preparation resources:

• LDAP integration features
• AD LDS LDAP integration reference
• Configure Active Directory import and account settings
• Active Directory integration prerequisites

LDAP Interface

Understand the existence of the LDAP interface and how it can be used

Preparation resources:

• LDAP interface known limitations
• LDAP interface connection settings
• Set up and manage the LDAP interface
• Expose app groups in the LDAP interface directory information tree
• Does DUO Security work as an MFA factor for LDAP interface?

Implementing Inbound Federation with Okta

13%

IdP Discovery

Know how to deploy, test and troubleshoot IdP discovery when configured in Okta, including configuring IdP policy, and IdP routing rules based on user attributes, group membership, etc.

Preparation resources:

• Configure Identity Provider routing rules

Okta as a service provider with a 3rd party IdP

Know when to use Okta as a service provider (SP) with a 3rd party identity provider (IdP)

Preparation resources:

• Make Azure Active Directory an Identity Provider
• Create an app at the Identity Provider
• Create an Identity Provider in Okta

Social Identity Providers

Know how to implement social login with Okta, including configuring the various components required for social login, such as OAuth 2.0 client in the social provider, an identity provider in Okta, and an OIDC application in Okta

Preparation resources:

• Social Identity Provider Settings
• Add an External Identity Provider

Inbound Federation

Know how to troubleshoot Inbound Federation

Preparation resources:

• Configure Identity Provider routing rules
• Add a SAML Identity Provider
• Configure the IdP authenticator
• Configure Identity Provider routing rules

Understand how account linking functions

Preparation resources:

• Add a SAML Identity Provider
• Create an Identity Provider in Okta

Understand best practices for Inbound Federation

Preparation resources:

• The big picture

Know when to use Okta Org2Org and how to configure it

Preparation resources:

• Integrate Okta Org2Org with Okta

Implementing Okta Policies

15%

Okta FastPass

Know how OktaFastPass works, the benefits, and the end user experience

Preparation resources:

• Okta FastPass
• Okta FastPass FAQ
• Configure Okta FastPass

Global Session Policy with Behavioral Detection

Know how to explain, deploy, and troubleshoot Behavioral Detection for Global Session Policy

Preparation resources:

• Behavior detection and evaluation

Authentication Policies

Know how to explain, deploy, and troubleshoot authentication policies

Preparation resources:

• Add an authentication policy rule
• Default policies
• Authentication policies

Pre-Authn Sign-on Evaluation Policy

Understand the benefits of the Pre-authn sign-on evaluation policy

Preparation resources:

• Okta sign-on policies

ThreatInsight

Understand when to use ThreatInsights and know how to configure it

Preparation resources:

• Okta ThreatInsight
• Okta ThreatInsight Whitepaper

Know the capabilities/supported systems that Okta can ingest

Preparation resources:

• About Okta ThreatInsight

Working with Okta APIs

6%

API Code Collection

Know the common use cases for Okta APIs, including options for accessing Okta APIs

Preparation resources:

• Core Okta API

Commonly used scripted API calls (Example: deactivate/delete all users in group)

Know which APIs are in the Okta API collection, the commonly used ones and what they are used for; but not the exact calls

Preparation resources:

• Users API

OAuth/API AM wrt best practices

Know why API AM should be used and why a customer would want a custom authorization server and the security the customer gains by using it

Preparation resources:

• Which authorization server should you use
• Implement authorization by grant type
• Create scopes

Working with API Access Management

11%

API Code Collection

Know the common use cases for API Access Management, how to create a custom authorization server, and how to properly add claims

Preparation resources:

• API Access Management
• Simple use cases
• Which authorization server should you use
• Access token
• Endpoints

Entitlement architecture - Claims vs. Scopes and Their Relationship

Know the differences between claims and scopes and how claims and scopes are used in the context of OIDC

Preparation resources:

• Request a token that contains the custom claim
• Reserved scopes and claims
• Scope values
• Scopes

Configure API AM Access Policies

Preparation resources:

• Authorization server
• Secure applications

OAuth Grant Types (Including Interaction Flow)

Know when to use the various OAuth grant types

Preparation resources:

• What kind of client are you building?
• OAuth 2.0 and OpenID Connect overview
• OAuth 2.0
• What type of application are you building?
• Implicit flow

Okta SDKs

Know when to use the various OAuth grant types

Preparation resources:

• MyAccount API
• SDK and tools
• Reset password

Use Case

Percentage of Exam Related to Use Case

App Integrations

25%

Configuration tasks:

• Create an app integration using the OIN
• Create a custom app integration

Preparation resources:

• Getting started with app integrations
• Create custom app integrations

Creating a Custom Admin

25%

Configuration tasks:

• Create a custom administrator role
• Assign apps to users and groups

Preparation resources:

• Use custom admin roles
• Configure settings for app integrations
• Assign app integrations

Configuring Policies

25%

Configuration tasks:

• Configure authentication policies

Preparation resources:

• Global Session Policy
• Authentication policies
• Multifactor Authentication

Creating Routing Rules

25%

Configuration tasks:

• Create routing rules
• Assign routing rules

Preparation resources:

• Identity Provider routing rules
• Configure identity provider routing rules
• Configure dynamic routing rules