If you’re prepping for the Okta Certified Professional Hands-On Configuration Exam for OIE, this page maps every lab on this site to the exam section it covers — using the official structure from the Okta study guide.
The exam has two parts:
- Part I — 15 Discrete Option Multiple-Choice (DOMC) questions, 30 min, knowledge-focused
- Part II — 4 Performance-Based hands-on Use Cases, 120 min — this is what the labs target
The percentages below are pulled verbatim from the official guide.
What is the Okta Certified Professional
The Okta Certified Professional is Okta’s foundational practitioner certification — it validates hands-on competency with the Okta platform across identity lifecycle management, authentication enforcement, and application integration.
The exam covers directory management, group rules, authenticator enrollment policies, global session policies, app authentication policies, and the Okta Integration Network. It’s the baseline credential before moving into Okta Certified Administrator and beyond.
Why I’m pursuing it
I work with Okta daily as an IAM Architect. Certification is less about proving I can configure groups and more about closing the gaps — the exam forces you to get precise about concepts you usually shortcut in practice.
The distinction between an enrollment policy and an authentication policy, for example, is obvious once you’ve built labs that isolate each one. That kind of precision matters when you’re designing access models for real deployments.
The approach
I’m running all labs in a dedicated test tenant with a CERT object prefix to keep things clean. Each lab maps directly to an exam use case from the official hands-on guide. I document the steps, the underlying concept, and a DOMC drill so the exam logic sticks.
The pattern: build it in the tenant, understand why it works, connect it to the exam concept.
Part II — Hands-On Use Cases (the labs)
Account Creation — 25%
Official tasks: create users · create a custom attribute · assign admin roles · update user profiles · create groups · create group rules · assign users to groups.
- Lab: Users, Groups, and App Assignment — build the baseline directory: users, groups, custom profile attributes, a group rule driven by
certWorkerType, plus a Bookmark app and SAML 2.0 integration. - Lab: Admin Roles and Delegated Administration — assign a delegated admin role to a user, then move the role to a group so any member inherits limited admin rights.
Coverage gap: No standalone lab on
Update user profiles— touched lightly inside the users/groups lab.
Application Setup with OIN — 30%
Official tasks: add an app integration from the Okta Integration Network · set up inbound SAML · set up lifecycle management · assign a group to the application · verify a user can access the application.
- Lab: SAML — Okta as IdP, IAMShowcase as SP — full inbound SAML federation against a real Service Provider (IAMShowcase), assigned to a group, verified end-to-end.
- Lab: Okta-to-Okta Inbound SAML Federation — the inverse seat: Org2 acts as SP and consumes a SAML assertion via an Inbound SAML IdP, with JIT provisioning, automatic account linking, and end-to-end System Log validation.
Coverage gap: No standalone lab on
Set up lifecycle management(SCIM provisioning) — on the queue.
Security Enforcement — 25%
Official tasks: add and remove authenticators · configure enrollment options for authenticators · create a Global session policy rule · define an authentication policy and rule.
- Lab: Authenticator Enrollment — configure an authenticator enrollment policy to enforce MFA for a specific group, validate via system log.
- Lab: Global Session Policy — write a global session policy rule and confirm behavior.
Coverage gap: No standalone lab on
Define an authentication policy and ruleat the app level (distinct from global session policy) — on the queue.
Attribute Mapping and Offboarding — 20%
Official tasks: define attribute mappings to push attributes from Okta to an application · deactivate a user · verify a user is deactivated.
- Lab: Attribute Mapping and SAML Assertion Validation — push profile attributes through a SAML assertion and prove the change propagates without caching.
- Lab: User Lifecycle States — Suspend, Password Reset, Deactivate — walk a user through Active → Suspended → Password Reset → Deactivated, observe the auth behavior at each step.
Part I — Knowledge Domains (the DOMC half)
The labs above are built for Part II, but they also surface knowledge that maps cleanly to Part I. This section is study-aid orientation, not a substitute for reading the docs.
Identity and Access Management — 20%
- SSO Federation (SAML / WS-FED / OIDC; IdP vs SP-initiated flows) — SAML reps via IAMShowcase lab, the Okta-to-Okta inbound lab, and the SAML 2.0 setup in users/groups/apps.
- Single Directory Integration (Active Directory) — knowledge-only on this site so far; read the AD integration prerequisites.
User Lifecycle Management — 27%
- Okta as a Directory (Universal Directory; custom attributes, mappings, transformations) — covered by users/groups/apps (custom attributes + group rules) and attribute mapping.
- Provisioning (user states, app assignments, automations) — covered by user lifecycle states.
Security — 27%
- Basic MFA (authenticators, factor types, enrollment, reset) — covered by authenticator enrollment.
- Policies (Okta policy types and functions) — covered by global session policy.
- Devices, Passwordless, Okta FastPass — knowledge-only on this site so far.
Administration and Troubleshooting — 27%
- Logging and Reporting (System Log, reports, Tasks dashboard) — every lab on this list ends with a System Log verification step. The pattern is consistent and intentional.
- Customer Support Practices — out of scope for hands-on labs; review Okta Status Page and the Okta Help Center.
Exam Logistics (from the official guide)
- Part I: 15 DOMC questions · 30 min
- Part II: 4 hands-on use cases · 120 min
- No break between parts
- Fee: USD 250 (USD 100 for retakes)
- Proctoring: ProctorU by Meazure Learning
How this fits the AI Security Competency Matrix
This cert is also the IAM evidence layer for my AI Security Competency Matrix — Domain 1. Identity is the substrate every AI access-control conversation runs on top of, and the labs here are the proof-of-work for it.
If you’re using these labs to study, the official Okta study guide is the source of truth for what’s tested. This page is a navigation layer over my work.