Which Okta component is the single source of truth for users, groups and devices?

Correct: b. Universal Directory is the centralized data layer and single source of truth for users, groups and devices, sourcing and mastering profiles from AD, LDAP and HR.

What does Okta's 'org' represent?

Correct: c. An org is Okta's tenant — a private container of users, policies and app connections with its own unique URL (subdomain). The default is one org per company.

A user starts from their Okta dashboard and clicks an app tile to sign straight in. Which SSO variant is this?

Correct: b. Starting at the Okta dashboard and being signed into the app is IdP-initiated SSO — Okta posts the assertion to the SP without the SP sending a request first.

Why can one Okta login give a user access to many different apps?

Correct: d. The architecture's whole point: apps connected through the OIN trust the same Okta org as their identity provider, so one authentication is asserted to each app — sign in once, reach many apps.

You are building a modern mobile app and an API and need SSO with tokens for API calls. Which protocol fits best?

Correct: c. OIDC, built on OAuth 2.0, is the best fit for modern web, mobile and API-driven apps: the ID token authenticates the user and the access token authorizes API calls. SAML suits traditional web-app SSO.

An interviewer asks the single biggest difference between SAML and OIDC. Best answer?

Correct: a. SAML uses a signed XML assertion posted to the app's ACS URL; OIDC, built on OAuth 2.0, issues a JSON ID token for authentication and an access token for authorization — different formats and best-fit apps.

Okta Architecture & SSO — Universal Directory, SAML vs OIDC & How Single Sign-On Works (2026)

Q: In an Okta SSO login, which statement is correct?

Correct: c. Okta is the identity provider (IdP). The app (the service provider) trusts Okta to authenticate the user and vouch for them, so the app itself never stores or sees the password.

Q: You must import on-prem AD users into Okta without opening inbound firewall ports. What do you use?

Correct: a. The lightweight Okta AD/LDAP agent makes only an outbound HTTPS connection to Okta, so it imports users and runs delegated auth without any inbound ports being opened.

Q: In an SP-initiated SAML flow, where does Okta send the signed assertion?

Correct: d. Okta posts the signed SAML assertion to the app's Assertion Consumer Service (ACS) URL, carried by the browser. The app validates the signature against Okta's certificate and creates a session.

Most engineers think…

Most people picture Okta as 'a login box' or 'a password manager'. That mental model falls apart the moment an interviewer asks you to draw the SSO flow.

Okta is a cloud identity provider (IdP): a per-customer org (tenant) that holds Universal Directory — the single source of truth for users, groups and devices, sourced and mastered from AD, LDAP and HR. It connects to apps through the Okta Integration Network (OIN) and, for each login, speaks a standard SSO protocol — SAML 2.0 or OIDC — to vouch for the user so the app never sees the password. Understanding that split — directory, org, app connections, and the redirect/assertion flow — is what lets you design SSO and answer the interview cleanly.

① What Okta actually is — the cloud identity provider

The single most important idea: Okta is one cloud identity provider (IdP) that sits between your people and every app. The app trusts Okta to answer one question — who is this user, and have they signed in? — so the app itself never stores or sees the password.

Every customer gets an org, which is Okta's word for a tenant. Your org has its own URL (your subdomain, e.g. acme.okta.com) and holds everything: the directory, the policies and the app connections. Around that org sit three things you must be able to name — the Universal Directory (who your users are), the Okta Integration Network (which apps you connect to), and the SSO protocols (SAML and OIDC) that carry the proof of identity to each app.

Figure 1 — The Okta SSO loop — request, redirect, authenticate, assert, access

Every Okta SSO login runs the same five-step loop with Okta as the IdP and the app as the SP.

Quick check · Q1 of 10 · Understand

In an Okta SSO login, which statement is correct?

a) The app stores the password and Okta just logs itb) Okta is the service provider and the app is the IdPc) Okta is the identity provider; the app trusts it and never sees the passwordd) Okta and the app both prompt for the password

Correct: c. Okta is the identity provider (IdP). The app (the service provider) trusts Okta to authenticate the user and vouch for them, so the app itself never stores or sees the password.

👉 So far: Okta = one cloud identity provider (IdP). The app trusts Okta to say who the user is, so the app never sees the password. Each customer gets an org (tenant) with its own URL.

② Universal Directory and the org — the single source of truth

The Universal Directory (UD) is the centralized data layer of the whole platform: the single source of truth for users, groups and devices. Each user is a profile made of attributes you can customize, map and transform with expressions.

Where profiles come from

You rarely type users in by hand. UD sources and masters profiles from your systems of record — Active Directory, LDAP, and HR apps like Workday — and keeps them in sync, so one cloud directory mirrors many sources. The org is the tenant boundary around all of this: one private container, one URL, one set of policies. Larger or customer-facing estates may run a multi-tenant design with several orgs, but the default is one org per company.

Figure 2 — The Okta org stack — directory, policy, apps

One org (tenant) holds Universal Directory at the base, policies in the middle and app connections on top.

☁️

Identity provider (IdP)

tap to flip

Okta is the IdP — it authenticates the user and vouches for them to apps. The app (SP) trusts Okta and never sees the password.

📒

Universal Directory

tap to flip

The single source of truth for users, groups and devices. Profiles are sourced and mastered from AD, LDAP and HR, then kept in sync.

🏢

Org (tenant)

tap to flip

Your private container of all identity data with its own URL (subdomain). One org per company by default; multi-org for larger or CIAM estates.

🔌

AD / LDAP agent

tap to flip

A lightweight on-prem agent with an outbound-only HTTPS link to Okta. It imports users and does delegated auth — no inbound firewall ports.

Separate the directory from the protocol

In an interview, keep two layers distinct: Universal Directory answers 'who are the users and where do they come from' (AD/LDAP/HR), while SAML/OIDC answer 'how do we prove that user to an app'. Mixing them up is the most common stumble.

Quick check · Q2 of 10 · Remember

What is the single source of truth for users, groups and devices in Okta?

a) The Okta Integration Networkb) Universal Directoryc) The SAML assertiond) The AD agent

Correct: b. Universal Directory is the centralized data layer — the single source of truth for users, groups and devices — which can source and master profiles from AD, LDAP and HR.

👉 So far: Universal Directory is the single source of truth for users, groups and devices — profiles sourced and mastered from AD, LDAP and HR. The org is the private tenant container around it.

③ Connecting apps — the OIN and the directory agents

Okta connects to apps through the Okta Integration Network (OIN) — a catalog of 7,000+ pre-built app integrations. Instead of wiring each app by hand, you pick it from the OIN and Okta sets up SSO with the right protocol (SAML, OIDC or the older password-replay SWA). This is the 'hub' that makes one login reach every app.

Bridging on-prem directories

To pull users out of on-prem AD or LDAP, Okta uses a lightweight agent you install behind your firewall. It makes only an outbound HTTPS connection to Okta — so you never open inbound ports. The agent does two jobs: import users and groups into UD, and delegated authentication, where Okta forwards the password check to your AD/LDAP so credentials stay on-prem. The interview line: OIN connects apps; the AD/LDAP agent connects your old directory — both without exposing your network.

Figure 3 — One Okta org, every app

Apps from the OIN all trust the same Okta org, so one sign-in reaches every connected app.

'Okta is just a password manager' under-sell

A password manager stores secrets and replays them. Okta is an IdP: it authenticates the user once and issues a signed SAML assertion or OIDC ID token so the app trusts Okta directly. Always answer with IdP-to-SP trust, not password replay.

Quick check · Q3 of 10 · Apply

You must import on-prem AD users into Okta without opening inbound firewall ports. What do you use?

a) The Okta AD agent (outbound HTTPS only)b) A SAML assertionc) An IdP-initiated flowd) An OIDC access token

Correct: a. The lightweight Okta AD/LDAP agent makes only an outbound HTTPS connection to Okta, so it imports users and runs delegated auth without any inbound ports being opened.

👉 So far: The OIN (7,000+ pre-built integrations) connects apps via SAML/OIDC/SWA; the lightweight AD/LDAP agent connects on-prem directories over outbound-only HTTPS — no inbound ports.

④ How SSO actually works — SAML vs OIDC, redirect and assertion

In SSO, Okta is the identity provider (IdP) and the app is the service provider (SP). The browser does all the carrying — the SP never talks to Okta directly. In an SP-initiated SAML flow: the user hits the app, the app redirects the browser to Okta with a SAML request, the user authenticates at Okta, and Okta posts a signed SAML assertion back to the app's ACS URL. The app validates the signature and creates a session. In IdP-initiated, the user starts from the Okta dashboard and Okta posts the assertion straight to the SP — no SP request first.

SAML vs OIDC

SAML 2.0 carries an XML assertion and is the classic web-app SSO standard. OIDC is built on OAuth 2.0 and carries a JSON ID token (who the user is) alongside an access token (what they may call). Rule of thumb: SAML for traditional web apps, OIDC for modern web, mobile and API-driven apps. Remember the split — OIDC/OAuth2 do authentication vs authorization; SAML bundles authentication into one signed assertion.

Figure 4 — SAML 2.0 vs OIDC for SSO

Same goal — prove who the user is — but different tokens, formats and best-fit apps.

Figure 5 — SP-initiated SAML SSO, step by step

The browser carries every hop; Okta posts a signed assertion to the ACS and the app creates the session.

Priya, an IT admin at a Pune SaaS firm, faces this

She connects a new vendor app to Okta over SAML, but every sign-in fails with an 'invalid SAML response' error at the app.

Likely cause

The app's ACS URL and the signing certificate on the Okta side don't match what the app expects — and the audience (entity ID) is wrong.

Diagnosis

Open the Okta app's Sign On settings and the app's SAML config side by side — the ACS URL, audience URI and the IdP signing certificate must agree on both ends.

Okta Admin ▸ Applications ▸ (app) ▸ Sign On ▸ SAML settings

Fix

Set the correct ACS (Single Sign-On) URL and audience URI, upload Okta's current IdP signing certificate into the app, then re-test the SP-initiated flow.

Verify

Re-test: the browser redirects to Okta, the user authenticates, the signed assertion posts to the ACS and the app creates a session — login succeeds.

Prove SSO from the assertion, not a hunch

Never close an SSO ticket on 'should work'. Capture the SAML response (or decode the ID token) and check the audience, the ACS URL and that the signature validates against Okta's certificate. That single read answers most SSO failures.

▶ Watch one user single-sign-on into Salesforce via Okta

How an SP-initiated SAML login is brokered end-to-end. Press Play for the healthy path, then Break it to see the classic failure.

① Hit appThe user opens Salesforce (the service provider) and has no active session there yet.

▼

② Redirect to OktaSalesforce generates a SAML request and redirects the browser to the Okta org (the IdP).

▼

③ AuthenticateOkta verifies the user against Universal Directory and builds a signed SAML assertion about them.

▼

④ Assert + accessOkta posts the signed assertion to the Salesforce ACS URL; Salesforce validates it and logs the user in.

Press Play to step through the healthy SSO path. Then press Break it.

Quick check · Q4 of 10 · Analyze

In an SP-initiated SAML flow, where does Okta send the signed assertion?

a) Straight into Active Directoryb) To the OAuth token endpointc) Nowhere — the app reads it from Okta directlyd) To the service provider's ACS URL via the browser

Correct: d. Okta posts the signed SAML assertion to the app's Assertion Consumer Service (ACS) URL, carried by the browser. The app validates the signature against Okta's certificate and creates a session.

👉 So far: SP-initiated SAML: app redirects to Okta, user signs in, Okta posts a signed assertion to the ACS. SAML carries an XML assertion; OIDC (on OAuth 2.0) carries a JSON ID token.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: why is Okta called an 'identity provider' rather than a 'password manager'? Then compare with the expert version.

Expert version: Because Okta authenticates the user itself and then issues a signed proof of identity — a SAML assertion or an OIDC ID token — that the app (the service provider) trusts directly. A password manager merely stores and replays secrets into login forms; Okta establishes a trust relationship so the app never handles the password at all. The user's profile lives in Universal Directory (sourced from AD/LDAP/HR), the org is the tenant boundary, the OIN connects the apps, and for each login the browser carries a redirect to Okta and a signed assertion back to the app's ACS. That IdP-to-SP trust, not credential replay, is what makes it single sign-on.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Okta at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

Identity provider (IdP): The system that authenticates the user and vouches for them to apps. Okta is the IdP; the app trusts it and never sees the password.
Service provider (SP): The application the user wants to reach. It trusts the IdP's signed assertion or token instead of checking the password itself.
Universal Directory (UD): Okta's centralized data layer — the single source of truth for users, groups and devices, sourced and mastered from AD, LDAP and HR.
Org (tenant): A private per-customer container of all identity data with its own unique URL (subdomain). One org per company by default.
Okta Integration Network (OIN): A catalog of 7,000+ pre-built app integrations that connect apps to Okta using SAML, OIDC or SWA.
AD / LDAP agent: A lightweight on-prem agent with an outbound-only HTTPS link to Okta that imports users and runs delegated authentication — no inbound firewall ports.
SAML 2.0: An XML-based SSO standard where the IdP posts a signed assertion to the app's ACS URL; classic for traditional web apps.
OIDC / OAuth 2.0: OAuth 2.0 handles authorization (access token); OIDC adds authentication (a JSON ID token). Best for modern web, mobile and API apps.
ACS (Assertion Consumer Service): The app endpoint where Okta posts the SAML response; the app validates it against Okta's signing certificate.
SP-initiated vs IdP-initiated: SP-initiated starts at the app (it redirects to Okta); IdP-initiated starts at the Okta dashboard (Okta posts the assertion to the app).

📚 Sources

Okta Developer — Understanding SAML (SP-initiated vs IdP-initiated, the ACS and the assertion). developer.okta.com/docs/concepts/saml/
Okta Developer — OAuth 2.0 and OpenID Connect overview (ID token vs access token, OIDC for SSO). developer.okta.com/docs/concepts/oauth-openid/
Okta — Centralize identity management with Universal Directory (profiles, sourcing from AD/LDAP/HR). okta.com/products/universal-directory/
Okta — Okta Integration Network: 7,000+ pre-built app integrations (SAML/OIDC/SWA). okta.com/solutions/okta-integration-network/
Okta — Okta Directory Integration: an architecture overview (AD agent, outbound HTTPS, delegated auth, import). okta.com/resources/whitepaper/ad-architecture/
Okta Developer — Multi-tenant solutions and the org model. developer.okta.com/docs/concepts/multi-tenancy/

What's next?

Got the architecture and SSO flow? Next, go deep on the policy layer that decides whether a login is allowed at all — MFA and adaptive, risk-based access policies — and separately on lifecycle management, SCIM provisioning and API Access Management.

Next · All interview lessons → Practice on exam.techclick.in →

Okta Architecture & SSO — Universal Directory, SAML vs OIDC & How SSO Works

🎯 By the end you will be able to

Pick where you want to start

What Okta is

Directory & org

Apps & agents

SSO flows

① What Okta actually is — the cloud identity provider

② Universal Directory and the org — the single source of truth

Where profiles come from

③ Connecting apps — the OIN and the directory agents

Bridging on-prem directories

④ How SSO actually works — SAML vs OIDC, redirect and assertion

SAML vs OIDC

▶ Watch one user single-sign-on into Salesforce via Okta

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?