Why identity is the perimeter now — and why Okta credentials matter

The shift to zero-trust architecture has moved the security perimeter from the network edge to the identity layer. When every application is SaaS, every user is remote, and every device is unmanaged, the question “who is this, and should they have access?” is decided by the identity platform — not by a firewall. Okta is the dominant workforce identity platform in that world. More than 19,000 organisations use Okta to manage single sign-on, multi-factor authentication, and user lifecycle for their employees, contractors, and partners. When an organisation buys Okta, they need people who can configure it, integrate it with the rest of the stack, and enforce policy correctly.

That is where the Okta Certified Professional fits. It is the first rung of Okta’s four-tier certification track and the credential that demonstrates you can administer an Okta org at a foundational level: onboard users from an HR system, connect applications via SAML or OIDC, configure adaptive MFA policies, and troubleshoot common authentication failures. Unlike vendor-neutral IAM certs (which test concepts but not operational skills), the OCP tests actual Okta platform configuration — you need to know where the setting lives in the Okta Admin Console and what the consequence of each option is.

Demand for Okta skills has grown with enterprise zero-trust adoption. The 2025 State of Identity report found that 78% of enterprises were actively expanding their IAM programme, and Okta administrator roles grew by 34% year-over-year in 2025 job postings. The OCP is the fastest signal to hiring managers that a candidate can operate the platform on day one.

Exam format and logistics

The Okta Certified Professional exam is delivered online through Kryterion’s Webassessor platform or in-person at an authorised test centre. The exam consists of approximately 60 multiple-choice questions with a 90-minute time limit. Questions are scenario-based: a business requirement is described and you select the correct Okta configuration, policy setting, or troubleshooting step. Passing score is approximately 70%, though Okta does not publish the exact scaled cut score.

Exam quick facts

Exam: Okta Certified Professional  ·  Questions: ~60 MCQ  ·  Time: 90 minutes  ·  Passing score: ~70%  ·  Cost: $125 USD  ·  Delivery: Kryterion Webassessor (online proctored or test centre)  ·  Prerequisites: None  ·  Validity: 2 years

Okta recommends that candidates have hands-on experience administering an Okta org before sitting the exam. This can come from Okta’s own free developer org (available at developer.okta.com), from the Okta Learning Portal training courses, or from real-world administration of a production Okta environment. The exam is scenario-focused enough that candidates who have only read documentation without hands-on practice will struggle — understanding where a setting is configured matters as much as knowing what it does.

Maintaining the OCP requires renewal every two years, either by retaking the exam or by completing Okta’s continuing education credits through the Okta Learning Portal. Candidates who advance to Okta Certified Administrator (OCA) do not need to maintain the OCP separately — the OCA supersedes it in the Okta certification hierarchy.

What the OCP tests: the six domain areas

Okta does not publish a granular percentage breakdown for the OCP, but the exam consistently draws from six core subject areas that map to the key administrative tasks in every Okta deployment.

Domain 1 — Okta Org and Admin Console

The foundational layer that all other configuration depends on. A candidate must understand the difference between production and preview orgs, how to navigate the Admin Console, and how org-level settings affect the entire tenant. This domain covers:

  • Admin Console navigation: The dashboard, Security menu, Directory, Applications, Reports, and Settings sections — and which tasks live where. The exam tests whether you know to find password policy settings under Security → Authentication, not under the directory.
  • Admin roles: Okta’s built-in administrator roles (Super Administrator, Org Administrator, Application Administrator, Read-Only Administrator, Help Desk Administrator, Report Administrator, Group Administrator, and Custom Admin Roles) and the principle of least privilege. The exam tests which role can perform a specific task without granting unnecessary access.
  • Org-level customisation: Custom domains (your own branded login URL via the Custom Domain feature), the Okta Sign-In Widget (customising the hosted login page with CSS and JavaScript), email templates for activation and password reset messages, and the end-user dashboard (the Okta home page where users launch their applications).
  • System Log: The Okta System Log is the audit trail for all activity in the org. The exam tests how to query the System Log for specific events (failed login attempts, policy evaluations, provisioning actions) and how to interpret the event structure for troubleshooting.
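An added example (not part of the original article or Okta's own tooling) of the kind of System Log triage described in the last bullet: it flags source IPs with failed sign-ins against several different accounts in a short window. The events are constructed and carry only the fields the check reads; the function name and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _event(ts, user, ip, result, event_type="user.session.start"):
    # Constructed event carrying only the System Log fields this check reads.
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result}}

SAMPLE_EVENTS = [  # constructed sample, not real log data
    _event("2025-03-04T10:00:05.000Z", "alice@example.com", "203.0.113.7", "FAILURE"),
    _event("2025-03-04T10:01:00.000Z", "dave@example.com", "198.51.100.20", "FAILURE"),
    _event("2025-03-04T10:01:40.000Z", "dave@example.com", "198.51.100.20", "FAILURE"),
    _event("2025-03-04T10:02:00.000Z", "dave@example.com", "198.51.100.20", "SUCCESS"),
    _event("2025-03-04T10:02:10.000Z", "bob@example.com", "203.0.113.7", "FAILURE"),
    _event("2025-03-04T10:03:00.000Z", "erin@example.com", "203.0.113.7", "FAILURE",
           event_type="user.authentication.auth_via_mfa"),
    _event("2025-03-04T10:04:30.000Z", "carol@example.com", "203.0.113.7", "FAILURE"),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_login_bursts(events, window=timedelta(minutes=10), min_users=3):
    """Map source IP -> accounts it failed to sign in to, for IPs that hit
    at least min_users distinct accounts inside one sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue  # count primary sign-in attempts only
        if e.get("outcome", {}).get("result") != "FAILURE":
            continue
        ip = e.get("client", {}).get("ipAddress")
        user = e.get("actor", {}).get("alternateId")
        if ip and user:
            by_ip[ip].append((_ts(e["published"]), user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

One user mistyping a password twice (the 198.51.100.20 events) is not flagged; one address failing against three accounts is.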

Domain 2 — Users and User Management

User management covers the complete lifecycle from initial provisioning to deactivation and deletion. Okta separates the concepts of Universal Directory (the identity store), user profiles (the attributes on each user object), and profile sourcing (which system is authoritative for which attributes).

  • Universal Directory: Okta’s cloud directory that stores users, groups, and devices. Profile attributes are configured in the Universal Directory — both Okta default attributes and custom attributes defined by the admin. The exam tests how to add a custom attribute, set its data type, and make it visible to end users or app integrations.
  • User states: Okta users move through a lifecycle state machine: Staged (created but not yet activated), Pending User Action (activation email sent), Active, Password Reset (force reset on next login), Locked Out, Suspended, and Deprovisioned. The exam tests which action transitions a user between states and what the user experiences at each stage.
  • Profile sourcing: When Okta is connected to an upstream source of truth (Active Directory, HR system, or another IdP), the source controls specific profile attributes. The “Profile Master” concept determines which attribute values can and cannot be edited in Okta. The exam tests what happens when a profile source update conflicts with a manually edited Okta attribute.
  • Importing users: Bulk import from CSV, import from Active Directory via the Okta AD Agent, and just-in-time (JIT) provisioning via SAML assertion during first login. Each import method has different use cases and different attribute-mapping behaviour.

Domain 3 — Groups and Group Rules

Groups in Okta are the primary mechanism for controlling application access, policy assignment, and provisioning scope. Understanding how groups are created, populated, and evaluated is central to operating Okta efficiently at scale.

  • Group types: Okta groups (manually managed), Active Directory groups (synced from AD, read-only in Okta), and Application groups (created by Okta when provisioning to apps like Salesforce or Google Workspace). The exam tests which type of group can be used for each purpose and which cannot be modified in Okta directly.
  • Group rules: Dynamic group membership based on user profile attributes using Okta Expression Language. A rule like user.department == "Engineering" automatically adds matching users to the Engineering group. Group rules are evaluated whenever a user’s profile changes. The exam tests how to write simple expressions, what happens when a rule conflicts with manual membership, and how to debug a rule that is not matching expected users.
  • Okta Expression Language: A lightweight expression syntax for evaluating user profile attributes. Basic operators (==, !=, &&, ||), string functions (String.len(), String.stringContains()), and array functions are testable. The OCP tests simple expressions; the Okta Certified Administrator exam tests more complex transformations.
  • Group-based access control: Assigning application access to groups rather than individual users. The exam tests the operational difference between assigning an app to a group versus assigning it to every user individually, and how group assignment interacts with provisioning.

Domain 4 — Applications and SSO Integration

Application integration is the most operationally intensive part of Okta administration and receives the heaviest weighting on the OCP. Okta’s Application Integration Network (AIN) contains pre-built connectors for thousands of SaaS applications, but administrators must still configure the integration correctly for each deployment.

  • SAML 2.0: Security Assertion Markup Language is the dominant SSO protocol for enterprise SaaS. The SP-initiated flow (user clicks a bookmark, gets redirected to the SP, which redirects to Okta, which issues a SAML assertion, which the SP validates and logs the user in) versus the IdP-initiated flow (user clicks a tile on the Okta dashboard, Okta sends an unsolicited assertion directly to the SP). The exam tests the roles of the Assertion Consumer Service (ACS) URL, the Entity ID, the signing certificate, and the attribute statements. Diagnosing a SAML SSO failure using the SAML Tracer browser extension and the System Log is explicitly tested.
  • OIDC / OAuth 2.0: OpenID Connect is the modern protocol used by web and mobile applications built on OAuth 2.0. The exam tests the difference between SAML and OIDC at a conceptual level: SAML passes identity via signed XML assertions, OIDC passes identity via signed JSON Web Tokens (JWTs). For the OCP, candidates must understand authorization code flow (the standard web app flow), the role of the Client ID and Client Secret, and how to configure redirect URIs. Token inspection and the concept of scopes and claims are also testable.
  • Secure Web Authentication (SWA): Okta’s legacy credential injection mechanism for applications that do not support SAML or OIDC. Okta stores the user’s username and password and auto-fills the login form using a browser plugin. The exam tests when SWA is the appropriate choice and its security limitations compared to federated SSO.
  • Application assignment: Assigning apps to users directly, to groups, or via automated rules. Understanding the difference between “Assign to Everyone” and “Assign to Group”, and the impact on provisioning (apps with provisioning enabled will attempt to create an account in the target system when a user is assigned).
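An added example (not from the original article) for the SAML bullet above: a diagnostic that decodes a captured SAMLResponse and reports the mismatches that typically break SSO, namely the ACS URL, the Entity ID, the validity window, and the attribute statements. The response, URLs and IDs are constructed placeholders, and the function does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed, unsigned response; every URL and ID here is a placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.example.com/saml/acs" InResponseTo="_req123">
 <saml:Issuer>https://idp.example.com/issuer</saml:Issuer>
 <saml:Assertion>
  <saml:Conditions NotBefore="2025-03-04T10:00:00Z" NotOnOrAfter="2025-03-04T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(response_b64, acs_url, entity_id, required_attrs, now, request_id=None):
    """List configuration mismatches in a captured SAMLResponse.
    Diagnostic only: signatures are not verified, so this is not an SP validator."""
    raw = base64.b64decode(response_b64)
    if b"<!DOCTYPE" in raw:  # refuse DTDs before parsing captured XML
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(raw)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination differs from the SP's ACS URL")
    # request_id=None models the IdP-initiated flow, which has no AuthnRequest.
    if request_id is not None and root.get("InResponseTo") != request_id:
        findings.append("InResponseTo differs from the AuthnRequest ID")
    audiences = [(e.text or "").strip() for e in root.findall(".//a:Audience", NS)]
    if entity_id not in audiences:
        findings.append("Audience does not contain the SP Entity ID")
    cond = root.find(".//a:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            findings.append("outside NotBefore/NotOnOrAfter (check clock skew)")
    names = {a.get("Name") for a in root.findall(".//a:Attribute", NS)}
    for missing in sorted(set(required_attrs) - names):
        findings.append("attribute statement missing: " + missing)
    if root.find(".//" + DSIG) is None:
        findings.append("no ds:Signature element present")
    return findings
```

A service provider still has to verify the XML signature against the IdP's signing certificate with a vetted SAML library before trusting any of these values.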

Domain 5 — Authentication Policies and MFA

Okta’s policy engine controls the authentication experience — who is required to use MFA, under what conditions, and with which factors. This domain maps directly to zero-trust enforcement: the policy decides whether a given authentication attempt represents sufficient assurance to grant access.

  • Authenticator factors: Okta Verify (TOTP and push notification), Google Authenticator (TOTP), SMS and voice call (increasingly restricted by enterprise policy due to SIM-swapping risk), email magic links, hardware security keys (FIDO2/WebAuthn), smart cards, and biometrics. The exam tests the assurance level of each factor and Okta’s own factor strength classification (Knowledge, Possession, Biometric).
  • Authentication policies: Previously called Sign-On Policies, authentication policies define rules that evaluate context — group membership, device trust state, network zone, risk score — and determine the required authenticator. The exam tests how to configure a policy that requires phishing-resistant MFA (FIDO2) for admin access but allows push-to-approve for standard users inside the corporate network.
  • Network zones: Okta network zones define IP address ranges that Okta evaluates during authentication. An “internal” zone can be configured with corporate office IP ranges, enabling policy rules that require less friction for users on the corporate network. Dynamic Zones use Okta’s threat intelligence to flag known malicious IP ranges automatically.
  • Adaptive MFA and risk-based authentication: Okta’s ThreatInsight feature analyses login behaviour (impossible travel, risky IP, unusual device) and adjusts the authentication challenge accordingly. The exam tests how ThreatInsight interacts with authentication policy rules and what administrators can configure versus what is handled automatically by the risk engine.
  • Password policies: Complexity requirements, minimum length, history (preventing reuse of previous passwords), lockout settings after failed attempts, and expiry. The exam tests which policy applies when a user is in multiple groups with different password policies (the most restrictive policy wins).

Domain 6 — Provisioning and Lifecycle Management

Provisioning is the process of automatically creating, updating, and deactivating accounts in downstream applications based on the user’s Okta state. Well-configured provisioning eliminates manual IT tickets for onboarding and offboarding and is the primary business case for Okta at scale.

  • SCIM provisioning: System for Cross-domain Identity Management is the API standard that Okta uses to push user account changes to SCIM-compatible SaaS applications (Slack, Salesforce, Google Workspace, ServiceNow, and many others). SCIM supports Create, Read, Update, and Deactivate (not Delete — applications rarely delete records). The exam tests the SCIM lifecycle operations and how to troubleshoot a provisioning failure using the System Log provisioning events.
  • Provisioning features per application: Each app integration that supports provisioning exposes a different subset of features: Create Users (create an account in the app when a user is assigned), Update User Attributes (sync profile changes to the app), Deactivate Users (suspend or deactivate the app account when the Okta user is deactivated), Sync Password (push the user’s Okta password to the app). The exam tests which features to enable for specific business requirements.
  • HR-driven provisioning: Connecting Okta to an HR system (Workday, BambooHR, SAP SuccessFactors, ADP) as the authoritative source for new hires and terminations. When a new employee record appears in the HR system, Okta creates the user, assigns the appropriate groups and applications based on the job role, and can trigger welcome emails — all before the employee’s first day. The exam tests the HR source configuration and the attribute-mapping logic that determines which Okta attributes are sourced from HR fields.
  • Offboarding: When a user is terminated in the HR system, the provisioning flow should deactivate the Okta account, which cascades to deactivating all provisioned app accounts via SCIM. The exam tests the sequence of events in a termination scenario and which applications are deactivated automatically versus which require manual action.
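An added example (not from the original article) of an offboarding check for the termination scenario above: it lists downstream accounts that are still active after the Okta user was deprovisioned, and separates apps where a SCIM deactivation can be re-sent from apps that need manual action. The user and app data are constructed, and the flat record layout and function name are assumptions.

```python
# Constructed data: Okta users (flattened) and per-app accounts in SCIM User shape.
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob@example.com", "status": "DEPROVISIONED"},
    {"login": "carol@example.com", "status": "DEPROVISIONED"},
]
APPS = {
    "crm": {"provisioning": True, "accounts": [
        {"id": "c-1", "userName": "alice@example.com", "active": True},
        {"id": "c-2", "userName": "Bob@Example.com", "active": False}]},
    "wiki": {"provisioning": False, "accounts": [
        {"id": "w-1", "userName": "bob@example.com", "active": True},
        {"id": "w-2", "userName": "carol@example.com", "active": True}]},
    "chat": {"provisioning": True, "accounts": [
        {"id": "h-9", "userName": "CAROL@example.com", "active": True}]},
}

# SCIM 2.0 PatchOp body (RFC 7644): deactivate the account rather than delete it.
DEACTIVATE = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
              "Operations": [{"op": "replace", "path": "active", "value": False}]}

def leftover_accounts(okta_users, apps):
    """Return (app, userName, fix) for accounts still active although the
    matching Okta user is deprovisioned."""
    gone = {u["login"].lower() for u in okta_users
            if u["status"] == "DEPROVISIONED"}
    findings = []
    for app, cfg in sorted(apps.items()):
        for acct in cfg["accounts"]:
            # SCIM userName is case-insensitive (RFC 7643), so compare lowercased.
            if not acct["active"] or acct["userName"].lower() not in gone:
                continue
            if cfg["provisioning"]:
                # Deactivation did not propagate: the request to re-send.
                fix = ("PATCH", "/Users/" + acct["id"], DEACTIVATE)
            else:
                # No provisioning on this app: offboarding is a manual task.
                fix = ("MANUAL", None, None)
            findings.append((app, acct["userName"], fix))
    return findings
```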

The Okta certification path: OCP to OCA to OCC

Okta’s four-tier certification hierarchy

  • Okta Certified Professional (OCP) — Entry level, no prerequisites, $125 USD, ~60 questions, 90 minutes. Targets IT administrators and help desk staff who manage day-to-day Okta operations: user onboarding, application access, basic MFA policy, and common troubleshooting. Salary range: $85k–$115k for Okta admin roles; $100k–$140k for IAM engineer roles where the OCP is a baseline requirement.
  • Okta Certified Administrator (OCA) — Intermediate level, OCP prerequisite recommended (not hard-required), $200 USD, ~65 questions, 90 minutes. Tests advanced authentication policy, full provisioning configuration, Okta Workflows (no-code automation), group-based access control at scale, and cross-org federation. For system administrators who own the Okta platform rather than just operating it. Salary range: $110k–$145k.
  • Okta Certified Consultant (OCC) — Practitioner level, targets professional services engineers and architects who design and implement Okta solutions at client organisations. Includes a design scenario component. $300 USD. Salary range: $130k–$165k.
  • Okta Certified Developer (OCD) — Developer-track certification covering the Okta SDKs, Authentication API, Management API, and Okta’s OIDC server for custom applications. Separate track from the administrator path; does not require the OCP. $200 USD. Salary range: $130k–$165k for identity-focused full-stack engineers.

The OCP is not a “checkbox” cert. Hiring managers in IAM know that anyone who has genuinely administered Okta for a real organisation will find the OCP straightforward — and anyone who hasn’t will struggle to bluff scenario questions about policy evaluation and provisioning edge cases.

OCP vs SC-300 vs Ping Identity: which identity cert should you pursue?

The identity certification landscape in 2026 reflects the fragmentation of the IAM vendor market. Organisations use one of a handful of major platforms — Okta, Microsoft Entra ID, Ping Identity, CyberArk, or SailPoint — and the most valuable cert is the one that matches your organisation’s stack. There is no meaningful vendor-neutral identity cert that has achieved the recognition of CompTIA Security+ in the security space or AWS SAA-C03 in the cloud space.

Microsoft SC-300 (Identity and Access Administrator Associate) tests Microsoft Entra ID, Conditional Access, Lifecycle Workflows, and Entra ID Governance. It is the right choice for organisations on the Microsoft 365 and Azure stack. At organisations using both Microsoft and Okta (common in large enterprises where Okta federates into Entra ID), holding both the OCP and SC-300 is a material advantage — you can configure the Okta-to-Entra ID integration correctly at both ends. SC-300 costs $165 USD and has a 700/1000 passing score.

Ping Identity does not currently maintain a widely adopted public certification program. Ping skills are typically validated through employer-specific training rather than a recognised cert. If your organisation uses Ping, the investment in the OCP may not directly transfer — though the SAML, OIDC, and SCIM concepts learned for the OCP apply across all identity platforms.

For candidates entering the IAM field without a specific platform commitment, the OCP is a sound first choice because Okta’s market share makes it the most commonly requested platform skill in IAM job postings. Pairing it with SC-300 covers the two dominant enterprise identity stacks and positions a candidate for IAM engineer and identity architect roles at organisations of any size.

How to prepare for the OCP

The most important preparation resource is a free Okta developer org. Sign up at developer.okta.com — the developer org is a full Okta tenant with all features enabled, available for free indefinitely, and supports up to 100 users. Candidates who have worked through the exam domains hands-on in a developer org will recognise the scenarios in the exam immediately. The following preparation path covers the OCP in four to six weeks for a candidate with general IT administration experience:
