As an Okta best-practice / recommendation: Okta encourages you to switch from Integrated Windows Authentication (IWA or DSSO) to agentless Desktop Single Sign-on (ADSSO). Okta is no longer adding new IWA functionality and offers only limited support and bug fixes.

Solution: Only the first statement is true

In order for SAML to work, there is a need of an IDP and an SP and we know that already, but why is it so? Because:

Solution: An SP sends SAML assertions, while the IDP receives and validates them

Regarding policies, Okta recommends:

Solution: To include a policy rule that catches not wanted behaviors as a first priority and then label others for permitted behaviors

On a Windows machine, which is the right behavior if you try to sign into your Okta org and agentless DSSO is properly configured for it?

Solution: You will be automatically redirected to The Okta Sign In page for your organization, where you need to fill in with your AD credentials

When does Okta bring LDAP groups into Okta?

Solution: During both LDAP import and JIT

When does Okta bring LDAP roles into Okta?

Solution: Only during an LDAP import

Whenever you make an API call, you will then get back:

Solution: Response headers

After you turn on Desktop SSO, a default DSSO related routing rule is created. You must configure the network information for this rule.

Solution: The statement is true

In an agentless DSSO (Desktop Single Sign-on) scenario Okta is the one decrypting the Kerberos ticket, finds then the user name, authenticates the user and passes back a session to the browser.

Solution: The statement is valid, but Okta is not the one doing authentication - IWA Agent and AD Agent are doing that as AD agent verifies the AD user's identity

With agentless DSSO (Desktop Single Sign-on), you still have a need of deploying IWA Agents in your Active Directory domains to implement DSSO functionality.

Solution: The statement is true, but not for the part about: the deployment of IWA Agents into Active Directory domains. The IWA Agents can now be deployed on whichever machine, it's a unique functionality that only agentless DSSO has and not on-prem DSSO.

What does it mean: "Mapping Direction AD to Okta"?

Solution: Indicates a schema of attribute values flowing AD towards Okta

Speaking of Okta Template App and Okta Pluin Template App, which of the following RegEx can you create for an allow list of URLS so that both endpoints for /login or /change_password are accepted under example.com domain?

Solution: https://example*.com/(login|change_password)

On a Windows machine, which is the right behavior if you try to sign into your Okta org and agentless DSSO is properly configured for it?

Solution: You will be automatically redirected to your Load-Balancing Application, if you have one configured, enter credentials for it and then redirected back to Okta org

If you want to remove an attribute's value in Okta, for example a value coming from AD that is not useful in any way, you have to:

Solution: Intentionally map a blank value to that specific attribute in the user profile

Does Okta require an Agent to sit in-between Okta to SCIM-enabled app on premises requests?

Solution: Yes, an Okta Provisioning Agent

Which port and which of the: 'http' or SSL enabled connections does Okta recommend?

Solution: Port 443 and http connections

Whenever you make an API call, you will then get back:

Solution: Okta events under '/events' endpoint

In an agentless DSSO (Desktop Single Sign-on) scenario Okta is the one decrypting the Kerberos ticket, finds then the user name, authenticates the user and passes back a session to the browser.

Solution: The statement is valid, but Okta is not the one doing decryption - the browser is doing that

With Okta Retention Policy, App generated data and reporting based on log data older than how many months is automatically removed (not considering the Backup Data)?

Solution: 3 months