Looking for Okta Logos?

You can find all the media assets you need as part of our press room.

Download Media Assets

NEW Okta Consultant Exam Study Guide Published March 6, 2020

Introduction

Congratulations, you are one step closer toward earning your Okta Certified Consultant certification!

This exam study guide is designed to help you prepare for the Okta Consultant exam. Passing this exam in addition to the Okta Professional and Administrator exams are requirements for attaining Okta Certified Consultant certification. Detailed exam topics and available preparation resources are outlined in this guide. Reading this guide in no way guarantees a passing score on the Okta Consultant exam.

Using this study guide

At minimum, we highly recommend you thoroughly review each topic listed within the Exam Subject Areas section of this study guide. Make sure you understand and are familiar with each topic. Every single topic within that section relates to at least one question on the exam. If you are not familiar with a topic, research it by either using one of the corresponding preparation resources, or search the Okta Help Center or Okta Product Documentation library. Some topics are best learned through hands-on experience with the Okta service.

Candidate Description

Okta Certified Consultants are technically proficient at implementing the Okta service in a variety of configurations. Consultants have experience integrating common applications, such as, Office 365, G Suite, Box, and Salesforce with Okta. They also have extensive knowledge and experience scoping and implementing complex Okta integrations involving multi-forest and multi-domain environments, advanced single sign-on (SSO), and inbound federation with Okta. Consultants have working knowledge of Okta APIs and custom configuration options.

The primary audience for the Okta Certified Consultant certification are individuals who hold the Okta Certified Administrator certification and are involved with implementing Okta. It is recommended that candidates for the Okta Certified Consultant certification meet the following requirements at minimum:

•Have 5+ years of experience in security administration for Identity and Access Management

•Have 1 year of hands-on experience implementing Okta

•Have successfully completed Advanced Mastering Techniques with Okta and Inbound Federation: Using Okta as a Service Provider courses or equivalent

•Have hands-on experience implementing Attribute-level Mastering across a few directory services and human resources as a master applications, as well as experience migrating user data and passwords from an existing source of truth into Okta

•Have experience using various tools (Examples: SAML Wizard, Okta Radius Agent, OIDC flows) on advanced SSO integrations, and understand Advanced Server Access management and OAuth 2.0 roles, but may need guidance in troubleshooting advanced SSO integrations

•Have implemented custom configurations with Okta using different tools (Examples: Okta on-premises provisioning (OPP), custom email domain, sign-in screen, sign-in widget, custom vanity login UI, custom URL, MFA as a Service, On-Prem MFA, SCIM App Wizard), but may need guidance troubleshooting custom configuration issues

•Have experience with advanced configurations of directory agents (AD and LDAP), Desktop SSO, verbose logging, and proxy settings and providing Integrated Windows Authentication (IWA) to globally distributed companies, but may need guidance troubleshooting multi-forest/multi-domain configuration issues

•Have implemented inbound federation with Okta, but may need guidance to troubleshoot inbound federation issues

•Can configure adaptive MFA, behavioral detection, pre-authn sign-on, and ThreatInsights, but may need to reference configuration documentation 

•Understand device trust, but may need guidance to troubleshoot common Okta policy implementation issues

•Understand how Okta APIs, API Access Management, scopes, and claims can be used to implement custom solutions, have used Okta APIs in a non-production lab environment, and have familiarity with API collections

About the Exam

Exam Format

Number and Types of Questions: 60 Discrete Option Multiple-Choice (DOMC) items

Case Study:

•This exam contains two case studies. 

•Many of the questions on this exam reference one of the two case studies. 

•However some of the questions are completely independent of the case studies, as such those questions do not reference either of the two case studies.

Time Allotted: 90 minutes

Exam Fee 300 USD (100 USD for each subsequent retake)

Prerequisites:

•Pass the Okta Professional and the Okta Administrator Exams

•Take the recommended training or self-study using the preparatory resources in the table below

Understanding the DOMC Item Type

This exam uses Discrete Option Multiple Choice (DOMC) items. DOMC is a powerful measurement tool that produces reliable test scores. It does so by removing several “contaminants” that affect test outcomes but are unrelated to the knowledge and skills being tested. The DOMC item type levels the playing field, more fairly measuring candidate skills by improving: 

Readability. Because test takers are required to read less, the exam tends to take less time and places fewer demands on the slow reader or the non-native English speaker.

Fairness. When savvy test takers are unsure of an answer, they look for clues by comparing options or gleaning information from other items on an exam. DOMC removes this test taking advantage and serves as a powerful method to assess a test taker’s actual knowledge.

Security. Instead of displaying all options at the same time, options are randomly presented one at a time. For each presented option, test takers must make a YES or NO decision to indicate whether they think the option is correct. Answer options are presented in random order, and in most instances, test takers are NOT presented with all the available options associated with a DOMC item. Item exposure is limited by presenting only a subset of the available options to any given test taker. Limiting item exposure makes it difficult for an exam to be compromised.

Scoring

Test takers can be assured that the DOMC item type is scored fairly and with precision.

•If a test taker is presented with a correct option and responds YES, then that response is scored as “correct". A DOMC item can be programmed to require one or more correct responses in order to be complete and to be considered answered correctly. Typically, however, only one correct response is required.

•If a test taker is presented with a correct option and responds NO, then that item is scored as “incorrect”.

•If a test taker is presented with an incorrect option and responds YES, then that item is scored as “incorrect”. 

•If a test taker is presented with an incorrect option, and that test taker responds NO (technically, a correct response), scoring of the item is postponed and another option is presented. 

Note: Even after a test taker responds correctly or incorrectly to an item, additional correct or incorrect options might be presented but the test taker’s responses to those options will not be scored at all. This is done to prevent test takers from guessing the correctness or incorrectness of a response. 
The DOMC item format may require test takers to make some adjustments to their test-taking approaches. The reward of such effort is confidence that those test takers who are certified are truly competent in the areas tested on the exam and will represent excellence in the field. 

To learn more about DOMC items, visit http://trydomc.com/home. In addition, the Okta Consultant practice exam will help you become accustomed to the new test format. We highly recommend that test takers become familiar with the format of this item type before taking any Okta certification exams.

Exam Scheduling

Okta certification exams are administered and proctored by Examity®. Okta has partnered with Examity®, a secure online proctoring service, to protect the integrity of our certification exams in the market. Online proctoring means that exams can be taken from almost any location at a time that is convenient for you, without travel to a test center. Your Okta Professional Exam must be scheduled at least 24 hours in advance of the time you wish to sit for the test in order to avoid the additional fee associated with on-demand testing.

Preparing for the Okta Consultant Exam

A combination of instructor-led training courses, self-paced learning, self-study, and on-the-job experience will prepare a candidate to take this exam.

Training

Okta Education Services offers a range of classes and training materials to help candidates prepare for this certification exam. Although attending a training class alone does not guarantee success on an Okta certification exam, we strongly recommend that candidates for certification attend both Advanced Mastering Techniques with Okta and Inbound Federation: Using Okta as a Service Provider in preparation for this exam. You can register for these courses here: https://www.okta.com/services/training/.

Other Resources

The Okta Help Center contains a knowledge library of articles and videos, some of which are pertinent to topics covered on this exam. 

The Okta Content Library offers searchable white papers with a rich body of information to explore before your exam.

Join the Okta Community to review questions, discussions, ideas, and blogs for additional exam preparation. 

 

Consultant Exam Subject Areas

The following table lists the topics that are covered on this exam. These topics are grouped into topics areas, and topic areas roll up into domains/exam sections. Use this list as an outline to guide your study and validate your readiness for the Okta Consultant certification exam. 

 

Implementing Advanced Mastering
15%
"As a Master" setup and configuration flow 
 

Configure attribute level mastering and configure the priority of the profile masters in an Okta org

Preparation resource:
Attribute-level mastering

Demonstrate understanding of the priority of the profile masters in an Okta Org

Preparation resources:
Profile mastering
Attribute-level mastering

Advanced Mastery Concepts
 

Understand the architecture of advanced mastering (Example: the flow of attribute data), including how to deploy, test and troubleshoot common mastery configurations

Preparation resources:
Provisioning and Deprovisioning
Install and Configure the Okta AD Agent
Advanced Mastering Techniques with Okta Course

Data Migration Strategy
 

Know the common data migration patterns, including the steps to migrate user data and passwords from an existing system to Okta

Preparation resource:
Okta User Migration Guide

HR-as-a-Master (scenarios)
 

Know how to deploy, test and troubleshoot common mastering configurations, including HR as a master options such as OIN, API as a master, and CSV directory, and understand the flow of attribute data

Preparation resource:
Profile mastering

Profile Mappings (Profile Editor)
 

Know how to map attributes from source systems to target systems, how to identify basic attribute transformations, and how to troubleshoot common attribute mapping issues

Preparation resources:
Attribute-level mastering
Okta Expression Language Overview

Implementing Advanced SSO Strategies
20%
Advanced SAML implementation scenarios
 

Know how to use the SAML Wizard and how to perform attribute mappings on SAML assertions

Preparation resource:
Using the App Integration Wizard

Advanced Server Access concepts and overview
 

Understand what Advanced Server Access management is and can speak to its common use cases

Preparation resources:
Advanced Server Access Setup Introduction
Advanced Server Access

OIDC Flows
 

Know the OAuth 2.0 roles of the authorization server, resource server, and resource owner

Preparation resources:
Authentication API vs OAuth 2.0 vs OpenID Connect
OAuth 2.0

Know when to use the various OIDC flows based on the type of application (Example: mobile apps, single page applications, web applications on the server side).

Preparation resource:
Recommended Flow by Application Type

Okta RADIUS Agent for an SSO Solution
 

Know when to use the Okta RADIUS Agent (Example: To bypass MFA on sign-in prompt)

Preparation resource:
Okta RADIUS Server Agent Deployment Best Practices

Know how to configure the Okta RADIUS Agent for an SSO Solution (Example: To connect from Okta to a VPN)

Preparation resource:
Okta RADIUS Server Agent Deployment Best Practices

Testing and Troubleshooting SSO Integrations
 

Know the various error codes, including the types of tools that Okta recommends to use for troubleshooting SSO integrations, as well as the tools used during each step

Preparation resources:
Enable CORS Overview
Authentication API
SAML Tracer Overview
Connecting to Okta using the LDAP Interface

Implementing Custom Configuration Options with Okta
17%
Architecture, capabilities, and common use cases of OPP
 

Understand the common use cases for OPP and know the supported OPP features such as create, update, deactivate, and sync password

Preparation resource:
Configuring On Premises Provisioning

Custom Email Domain
 

Know the common use cases for custom email domain

Preparation resource:
Configure a Custom Email Domain

Custom Login Flows
 

Know what's possible with the out of the box sign-in screen vs sign-in widget, custom vanity login UI, etc.

Preparation resources:
Customize the Okta URL domain
Okta Sign-In Widget Guide

Custom URL Domain
 

Know when custom URL domain should be used

Preparation resources:
Customize the Okta URL domain
Configure a custom URL domain

MFA as a service
 

Know how to implement, test and troubleshoot configuration of MFA as a Services (MFA for ADFS)

Preparation resource:
MFA for Active Directory Federation Services (ADFS)

Okta Hooks
 

Know the various use cases and differences between the different types of hooks

Preparation resources:
Inline Hooks
SAML Assertion Inline Hook Reference

On-Premises MFA
 

Know the use cases for On-Prem MFA, as well as understand the architecture, and know the steps to set up On-Prem MFA

Preparation resource:
Configuring the On-Prem MFA Agent

SCIM App Wizard
 

Know how to implement, test and troubleshoot the SCIM App Wizard

Preparation resources:
SCIM: Provisioning with Okta's Lifecycle Management
Using the App Integration Wizard

Implementing Directory Solutions
12%
Advanced configuration of the Okta AD Agent
 

Know how to size the agent deployment, configure the agent to communicate with multiple domains, configure the agent for throughput, configure verbose logging, and configure the proxy settings

Preparation resource:
Okta AD agent configuration variable definitions

Advanced configuration with DSSO
 

Understand how the global redirect url works and how the global redirect URL can be used along with DNS size or geolocation policies in DNS to support and provide local IWA to globally distributed companies.

Preparation resource:
Install and configure the Okta IWA Web agent for Desktop SSO

Common multi-forest/multi-domain configuration issues
 

Know how to test and troubleshoot common configuration issues in multi-forest/ multi-domain environments

Preparation resources:
Install and configure the Okta IWA Web agent for Desktop SSO
Register Multiple Domains to an Okta Active Directory (AD) Agent

LDAP Integration
 

Know the common use cases for LDAP Agent such as delegated authentication and provisioning to existing LDAP environments, as well as the process to integrate LDAP with Okta

Preparation resources:
Connecting to Okta using the LDAP Interface
Delegated Authentication
Install and Configure the Okta LDAP Agent

LDAP Interface
 

Know how to implement, test and troubleshoot the LDAP interface.

Preparation resource:
Connecting to Okta using the LDAP Interface

Implementing Inbound Federation with Okta
10%
IdP Discovery
 

Know how to deploy, test and troubleshoot IdP discovery when configured in Okta, including configuring IdP policy, and IdP routing rules based on user attributes, group membership, etc.; not the on-prem app that could be built

Preparation resource:
Identity Provider Discovery

Okta as a service provider with a 3rd party IdP
 

Know when to use Okta as a service provider (SP) with a 3rd party identity provider (IdP)

Preparation resource:
Identity Providers

Social Identity Providers
 

Know how to implement social login with Okta, including configuring the various components required for social login, such as OAuth 2.0 client in the social provider, an identity provider in Okta, and an OIDC application in Okta

Preparation resources:
Social Identity Provider Settings
Add an External Identity Provider

Inbound Federation
 

Know how to troubleshoot Inbound Federation

Preparation resources:
Identity Providers 
Identity Provider Discovery

Profile Mappings (Profile Editor)
 

Know how to map attributes from source systems to target systems, how to identify basic attribute transformations, and how to troubleshoot common attribute mapping issues

Preparation resources:
Attribute-level mastering
Okta Expression Language Overview

Implementing Okta Policies
13%
Adaptive MFA
 

Know which types of conditions can be used as triggers such as new city, country, state, IP or velocity rules

Preparation resources:
Security Behavior Detection
Security Policies

Device Trust (Windows and Mac)
 

Know how device trust works with a third party provider

Preparation resource:
Okta Device Trust for Mobile Devices

Okta Sign On Policy with Behavioral Detection
 

Know how to explain, deploy, and troubleshoot Behavioral Detection for an application sign-on policy

Preparation resource:
Security Behavior Detection

Pre-Authn Sign-on Evaluation Policy
 

Understand the benefits of the Pre-authn sign-on evaluation policy

Preparation resources:
Security Policies
Security Blog--How Okta Protects You Against Identity Attacks

ThreatInsight
 

Know the prerequisites for configuring ThreatInsights as well as the steps to configure ThreatInsights and how to exempt access from trusted IP addresses blocked by ThreatInsight

Preparation resource:
ThreatInsight

Working with Okta APIs and API Access Management
13%
API Access Management
 

Know the common use cases for API Access Management and know how to create a custom authorization server and how to properly add claims

Preparation resources:
Custom Authorization Server
Create Access Policies
What is an Authorization Server?

API Code Collection
 

Know the common use cases for Okta APIs

Preparation resources:
Authentication API
Zone Model

Know which Okta API calls fall under which collection

Preparation resources:
Factors API
Schemas API
API Reference

Commonly used scripted API calls (Example: deactivate/delete all users in group)
 

Know which APIs are in the Okta API collection, the commonly used ones and what they are used for; but not the exact calls

Preparation resources:
Users API > Activate Users
Identity Providers API
System Log API Getting Started

Entitlement architecture - claims vs. scopes and their relationship
 

Know the differences between claims and scopes and how claims and scopes are used in the context of OIDC

Preparation resources:
OpenID Connect & OAuth 2.0 API
OpenID Connect & OAuth 2.0 API Scopes

OAuth/API AM wrt best practices
 

Know why API AM should be used and why a customer would want a custom authorization server and the security the customer gains by using it

Preparation resource:
API Access Management with Okta

Sample Items

Know what to expect on the day of the exam. Take the Okta Consultant Practice Exam to familiarize yourself with the format of the DOMC item type. 

Click the button below to check it out now!

Consultant Practice Exam

NEW Okta Consultant Exam Study Guide Published March 6, 2020