Okta Identity Engine

OIE CIAM Delta

Lab Guide
 Table of Contents

Lab 1-1: Platform Review and Preparation 3

Review the UI Changes in the Sign-On Widget 3
Create Users and groups in the Okta Universal Directory 3
Review First Party Apps 4

Lab 1-2: Configure an App Level Policy 6

First Party Apps 6
Create Multifactor Policy 6
Test User (Frank Molen) 7

Lab 2-1: Configure Passwordless Authentication with Email Magic Link 8

Email Magic Link Test User Creation 8
Enable the Authentication and Recovery Options 9
Configure the Okta Sign On Policy 9
Testing the Email Magic Link Configuration 10

Lab 2-2: Configure Authentication with Knowledge and Possession Factors 10

Test User Creation 10
Create an Okta Sign-On Policy 11
Create an MFA Enrollment Policy 11

Lab 2-3: Configure Flexible Account Recovery 12

Test User Creation 12
Configure Flexible Account Recovery 12

Lab 2-4: Test Self-Service Account Recovery 13

Add an Authenticator 13
Setup Phone Authenticator for Jacob Ramsey 14
Can Jacob Ramsey use the Phone Authenticator to change his password? 14

Lab 2-5: Configure Captcha 15

Configure CAPTCHA Using Google 15
Configure a CAPTCHA Service in Okta 15

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 2
Lab 1-1: Platform Review and Preparation
To understand the navigational changes in OIE, this lab has been
Objective designed to walk you through the platform. Identifying specific areas
that you should take note of as you continue through this training.

Okta Ice has recently implemented Okta Identity Engine and

administrators familiar with Okta Classic need to learn how to navigate
Scenario
through the new platform and prepare the environment with a number of
Okta sourced users.

Duration 10 minutes

Okta Identity Engine Note

Important Note: Before you begin working in this lab, you will need an Okta Org with
Okta Identity Engine (OIE) enabled. This lab guide assumes you are starting from scratch
with an OIE org tenant. If you do not already have an OIE tenant, please contact Okta
Support.

Okta Identity Engine vs. Okta Classic

The OIE platform has a number of cosmetic and navigational changes that differ from
Okta Classic. The focus on higher assurance and the “application first” approach to policy
enforcement has driven these changes to properly align Okta with security and industry
best practices. In this lab we will navigate through a few of them while we prepare the
environment for OIE specific features.
● Review the UI Changes in the Sign-On Widget
● Create users and groups in the Okta Universal Directory
● Review First Party Applications
Review the UI Changes in the Sign-On Widget
1. Open your Okta Org Tenant.
2. Before signing in, notice the removal of the security image, “Remember Me” has
been replaced with “Keep Me Signed in” and the Login Assistance has been
expanded for specific assistance for a forgotten password.
3. Sign In to your Okta Org Tenant. Configure the password for your account using
the policy requirements displayed.
Create Users and groups in the Okta Universal Directory
4. Click the Admin button to enter the admin console.
5. Authenticate into the admin console. Configure the required authenticators
6. Navigate to Directory > People
7. Click Add Person
8. Configure the various fields and options in the following manner
● First Name: Frank

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 3
 ● Last Name: Molen
● Username: frank.molen@oieorg.com
● Primary email: frank.molen@oieorg.com
● Secondary email: <your personal email>
● I will set password (CHECKED)
● Password: Tra!nme4321
● Uncheck User must change password at first login.
9. Click Save and Add Another
10. Repeat steps 8-9 to add the following users:

First Name Last Name Username Primary email Secondary email

Nate Abbott nate.abbott@oieorg.com nate.abbott@oieorg.com <your personal email>

Chad Willis chad.willis@oieorg.com chad.willis@oieorg.com <your personal email>

11. Once users are added, navigate to Directory > Groups

12. Click Add Group.
13. Enter the group name Marketing, and then click Save.
14. Click the Marketing group.
15. In the Marketing group, click Assign People.
16. Type Nate Abbott into the search field and hit enter.
17. Click the “+” button to add Nate Abbott to the Marketing group.
18. You should see “Assigned” next to Nate Abbott’s name as a confirmation.
19. Now repeat steps 16-18 to add Frank Molen to the Marketing group.
20. Click Done.
21. Repeat steps 11-17 to create the Device Context group and add Chad Willis as a
member.
22.Click Done.
23. Confirm you now have three (3) Okta-sourced groups, all with at least one
member.
Review First Party Apps
24. Navigate to Applications > Applications
25.You will notice three (3) First Party Applications
- Okta Admin Console
- Okta Browser Plugin
- Okta Dashboard
26.Click Okta Dashboard
27. Click View policy details and review the Catch-all Rule settings.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 4
Now that you have created users and groups and become more familiar with the
interface, we can now configure OIE features.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 5
Lab 1-2: Configure an App Level Policy
To understand how the application level sign-on policies are now
Objective
outcome based.

Okta Ice would like to enforce a medium assurance of security on the

Scenario
Okta Browser Plugin.

Duration 10 minutes

First Party Apps

You may have noticed the new First Party Apps (FPA) in the application list. Okta Admin
Console, Okta Dashboard and Okta Plugin apps are now available to configure policies
for access. The classic way of enabling MFA in Security -> General is now gone in favor of
a traditional sign-on policy. This allows greater flexibility in the device posture and factor
types allowed when accessing the admin console.

Users needing the Okta Browser Plugin app can be required to use the sign-on policy
associated with that app to gain access.
Create Multifactor Policy
1. From the Okta Admin Console, navigate to Security > Authenticators.
2. Observe that Email, Okta Verify, Password and Phone have already been added by
default.
3. Click Add Authenticator.
4. Click Add Under Google Authenticator.
5. Click Add.
6. Click Actions drop-down menu found at the far right of the Password
Authenticator.
7. Click Edit.
8. Observe this is the Default Policy for authenticating Okta-sourced users.
9. Click Back to all Authenticators.
10. Click Enrollment.
11. Click Add Multifactor Policy.
12. Configure the various fields and options in the following manner:
● Policy Name: Enrollment Policy
● Policy Description: Enrollment Policy for Marketing
● Assign to Groups: Marketing
● Make Google Authenticator required.
13. Click Create Policy.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 6
 14. The Add Rule dialog will pop up next. Name the rule Enrollment Rule.
15. Click Create Rule.
16. Navigate to Applications > Applications.
17. Click on Okta Browser Plugin.
18. Click View policy details.
19. Click Add Rule.
20. Name the rule End User.
21. Keep the default values within this rule.
22.Scroll down and click Save.
Test User (Frank Molen)
23. Log out of the Admin Console.
24. Log in as Frank Molen (frank.molen@oieorg.com)
25.Password: Tra!nme4321
26.On the End User Dashboard click Add Apps
27. In the search bar type Reddit
28. Click Add next to Reddit
29. Click My Apps
30. Click on Reddit
31. You will be prompted to install the Okta Browser Plugin (if you do not have it
already)
32. You will be prompted to set up a required authenticator (Google Authenticator).
33. Complete the setup of Google Authenticator for Frank Molen
34. Enter the OTP code to verify Frank’s identity.
35. You will then be prompted to configure optional authenticators. You may bypass
the setup of these authenticators by clicking Set up later.
36. After reddit has been displayed, log out.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 7
Lab 2-1: Configure Passwordless Authentication with Email Magic Link
Objective Configure Email Magic Link

Okta Ice would like to implement Email Magic Link for their Customer
Scenario
Portal.

Duration 20-25 minutes

What’s a magic link? Magic links allow users to log in via a link sent to an email address
without users having to provide any login credentials to sign in. It’s a form of passwordless
login. There are 3 main steps:
1. Users enter an email address at the Okta sign-in screen.
2. If the email is registered, the user will receive an email with a magic link.
3. User opens their email and clicks on Sign In.
Email Magic Link Test User Creation

1. Login to the Okta Admin Console.

2. Navigate to Directory > People.
3. Click Add Person.
4. First Name: Nora
5. Last Name: Walters
6. Username: nora.walters@oieorg.com
7. Primary email: <your personal email>
8. I will set password (CHECKED)
9. Password: Tra!nme4321
10. Uncheck User must change password at first login.
11. Click Save.
12. Navigate to Directory > Groups.
13. Click Add Group.
14. Name the group Passwordless Users.
15. For the Group Description type in Email Magic Link.
16. Click Save.
17. Click on Okta OIE Group.
18. Click Assign People.
19. Search for Nora Walters and click the “+” to add her to the group.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 8
Enable the Authentication and Recovery Options
1. In the Admin Console, go to Security > Authenticators.
2. Next to the Email authenticator, click the Actions drop-down.
3. Select Edit.
4. On the overlay screen select the Authentication and recovery radio button:

5. Click Save.
Configure the Okta Sign On Policy
1. In the Admin Console, go to Security > Authentication Policies.
2. Click Add a Policy.
3. Name the policy Magic Link.
4. Click Save.
5. Click Add Rule.
6. Name the rule Email Magic Link Rule.
7. Next to User's group membership includes, click the drop-down and select At
least one of the following groups.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 9
 8. In the Enter groups to include field that pops up below, search for and select the
Passwordless Users group.
9. Scroll down and click Save.

Testing the Email Magic Link Configuration

1. In an Incognito or Private browser window navigate to your Okta Org.
2. Log in as Nora Walters.
a. In the username field type: nora.walters@oieorg.com
b. In the password field type: Tra!nme4321
c. Click Sign In.
d. On the next screen click Send me an email.
e. In your personal email inbox, find the email from your Okta Org.
i. The body of the email will be Verify with an email link or enter a
code sent to <your personal email>.
f. Click on the Sign In button in the magic link to complete authentication.

Lab 2-2: Configure Authentication with Knowledge and Possession Factors

Configure a custom application that requires knowledge and possession
Objective
factors.

Okta Ice has a new application that they are deploying and would like to
Scenario have the end users authenticate using password and a one-time code
sent to the users email.

Duration 15-20 minutes

Test User Creation

1. Login to the Okta Admin Console.
2. Navigate to Directory > People.
3. Click Add Person.
4. First Name: James
5. Last Name: Smith
6. Username: james.smith@oieorg.com
7. Primary email: <your personal email>
8. I will set password (CHECKED)
9. Password: Tra!nme4321
10. Uncheck User must change password at first login.
11. Click Save.
12. Navigate to Directory > Groups.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 10
 13. Click Add Group.
14. Name the group Okta KP Factors.
15. For the Group Description type in Okta KP Factors.
16. Click Add Group.
17. Click on Okta KP Factors Group.
18. Click Assign People.
19. Search for James Smith and click the “+” button to add him to the group.
20. Click Done.
Create an Okta Sign-On Policy
1. In the Admin Console, go to Security > Authentication Policies.
2. Click Add a policy.
3. Name the policy KP Factors Policy and do the same for Description.
4. Click Add Rule.
5. Name the rule KP Factors Rule.
6. Click Save.

Create an MFA Enrollment Policy

1. Go to Security > Authenticators.

2. Under the Enrollment tab, click on Add Multifactor Policy.
3. Give it a policy name and description Okta KP Factors.
4. Under Eligible Authenticators, set the following values for the given
authenticators:
a. Email: Required
b. Okta Verify: Disabled
c. Phone: Disabled
5. Click Create Policy.
6. When the Add Rule window pops up, name the rule KP Factors MFA Rule.
7. Make sure the User's IP is anywhere and Allowed if required authenticators are
missing is selected.
8. Click Create Rule.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 11
Lab 2-3: Configure Flexible Account Recovery
Configure Application D to allow the end user to choose how to reset
Objective
their password.

Scenario Okta Ice would like to add Flexible Account Recovery to App D.

Duration 15-20 minutes

Test User Creation

1. Login to the Okta Admin Console.
2. Navigate to Directory > People.
3. Click Add Person.
4. First Name: Jacob
5. Last Name: Ramsey
6. Username: jacob.ramsey@oieorg.com
7. Primary email: <your personal email>
8. I will set password (CHECKED)
9. Password: Tra!nme4321
10. Uncheck User must change password at first login.
11. Click Save.
12. Navigate to Directory > Groups.
13. Click Add Group.
14. Name the group Any 2 Factor Types.
15. For the Group Description type in Any 2 Factor Types.
16. Click Add Group.
17. Click on Any 2 Factor Types.
18. Click Assign People.
19. Type Jacob Ramsey into the search field and hit enter.
20. Click the “+” button to add Jacob Ramsey to the Any 2 Factor Types group.
Configure Flexible Account Recovery
1. Navigate to Security > Authenticators.
2. Next to Password click Actions > Edit.
3. Click Add New Password Policy.
4. Policy name: SSPR.
5. Policy description: Self Service Password Reset.
6. Add group: Any 2 Factor Types.
7. Click Create Policy.
8. Rule Name: SSPR.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 12
 9. Make your Rule looks like this:

10. Click Create Rule.

Lab 2-4: Test Self-Service Account Recovery

Objective To enable Okta-sourced users to perform password management.

Okta Ice would like for users to perform password management such as
self-service password recovery, change their own passwords, and
Scenario
unlock account management using either email or phone (voice call or
text.)

Duration 10 minutes

Add an Authenticator
1. Navigate to Security > Authenticators.
2. Click the Actions Menu to the far right of the Phone authenticator and click Edit.
3. Use the checkboxes to confirm the user can verify with:
a. Voice Call.
b. SMS.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 13
 4. This authenticator can be used for:
a. Click Recovery (only).
5. Click Save.
Setup Phone Authenticator for Jacob Ramsey

1. Sign out.
2. On the log in page enter Jacob’s username: jacob.ramsey@oieorg.com.
3. Enter Jacob’s password: Tra!nme4321
4. Click Verify.
5. Click Jacob > Settings.
6. Under Security Methods click Setup next to Phone.
7. Enter Jacob’s password and then click Verify.
8. Click Setup under Phone.
You may be required to satisfy MFA using your password and Google
Authenticator, configured earlier in this training. Once MFA has been satisfied you
can continue.
9. Enter your mobile phone number for SMS.
10. Click Receive a code via SMS.
11. Enter code and click Verify.
12. Repeat the process but this time choose Voice Call.

Can Jacob Ramsey use the Phone Authenticator to change his password?

1. Sign out.
2. On the login page enter Jacob’s username: jacob.ramsey@oieorg.com.
3. Click Next.
4. Click Forgot Password?
5. You should see two options (email or phone.)
6. Select phone.
7. You should see two options SMS or Voice Call.
8. Choose Receive a Code via SMS.
9. Enter the code.
10. Change Jacob’s password.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 14
Lab 2-5: Configure Captcha
Objective Configure Captcha.

Okta Ice would like to increase their org security by adding CAPTCHA to
Scenario
prevent automated sign-up attempts.

Duration 10-15 minutes

Okta supports CAPTCHA to prevent automated sign-in attempts. You can integrate either
of two services: hCaptcha or reCAPTCHA v2.

The vendor implementations supported by Okta are both invisible; they each run
risk-analysis software in the background during sign in to determine the likelihood that the
user is a bot. This risk analysis is based on the settings that you configure for the service.
Configure CAPTCHA Using Google
Note: The vendor implementations supported by Okta are both invisible; they each run
risk-analysis software in the background during sign in to determine the likelihood that the
user is a bot.

1. Navigate to https://www.google.com/recaptcha/admin/create.
2. Label: Application A.
3. Select reCAPTCHA V2 radio button.
a. Select Invisible reCAPTCHA badge radio button.
4. Domains: xxxxxxx.oktapreview.com
5. Click the checkbox for Accept the reCAPTCHA Terms of Service.
6. Click Submit.
7. Save the Site key to Notes.
8. Save the Secret key to Notes.

Configure a CAPTCHA Service in Okta

1. In the Admin Console, go to Security >General.

2. Click Edit next to CAPTCHA Integration.
3. Type choose: reCAPTCHA v2.
4. Site key: Copy in the site key from where you save it in notes.
5. Secret key: Copy in the secret key from your service configuration.
6. Enable CAPTCHA for: Sign Up.
7. Click Save.

Copyright 2022 Okta, Inc. All Rights Reserved.

May 2022 Page 15