Configure identity provider routing rules

Configure routing rules for each of your identity providers (IdPs) or for different combinations of user criteria. The default rule specifies Okta as the IdP, and it applies to any user who doesn't meet the conditions of your routing rules.

To create routing rules that aren't bound to a specific IdP, see Configure dynamic routing rules.

Before you begin

Before you add routing rules, you need to configure the Okta IWA Web agent and at least one more IdP (social IdPs are accepted). See Add a SAML 2.0 IdP and Generic OpenID Connect.

If you want to prompt users for their Okta username and password on the same page as your list of available IdPs, configure your Okta sign-on policy so that users establish a session with Password / Any IdP. This combination is recommended for your rules that offer Okta as an IdP or if you intend to prioritize the default routing rule.

IdP Discovery on ChromeBook only supports the Okta IdP and third-party IdPs that have announced support for ChromeBook. Okta Mobile isn't supported for use with IdP Discovery.

If you want to route users based on an IP address, define at least one network zone. See Network zones.

Add a rule

  1. In the Admin Console, go to SecurityIdentity Providers.
  2. On the Routing Rules tab, click Add Routing Rule.
  3. Enter a Rule Name.
  4. Configure the routing conditions.
    IF User's IP isSelect a network zone.
    AND User's device platform isSelect any combination of mobile and desktop devices.

    iOS devices may bypass your iOS routing rules. See Configure a routing rule for macOS devices.

    AND User is accessingTo add an application or app instance, start typing the application name. A list of all matching apps appears.
    AND User matchesSelect which login attributes the user must match.
    • Anything includes all users.
    • Regex on login allows you to enter any valid regular expression based on the user login to use for matching. This is useful when specifying the domain or a user attribute isn't sufficient for matching. For example, .*\+devtest@company.com matches logins for the domain @company.com but only if +devtest is included before the @ sign.
    • Domain list on login specifies a list of the domains to match (without the @ sign); for example, mytest.com. It isn't necessary to escape any characters (which is required when using a regular expression).
    • User attributes specify an attribute name, a type of comparison, and a value to match. If you choose Regex for the type of comparison, you must enter a valid regular expression for the value. For example, enter (Human Resources|Engineering|Marketing) for the Department attribute in your Okta user schema.
    THEN Use this identity providerSelect the IdP to use when all the conditions are met.
  5. Click Create Rule, and then indicate whether you want to activate the rule immediately.

Configure a routing rule for macOS devices

Due to a change in the way that Safari reports device user agents, Okta can't differentiate between app requests that come from macOS devices and those that come from Safari on iPadOS devices.

To prevent iPadOS devices from bypassing iOS policies, configure a Deny/Catch-All routing rule that applies to macOS and iPadOS devices. To prevent your macOS app routing rules from evaluating iPadOS device users, inform these users that they must do one of the following options.

  • Option 1: All websites accessed from Safari (iPadOS 13 and higher). In iPad settings, go to Safari settings > Request Desktop Website, and then turn off the All Websites setting.
  • Option 2: Per-website basis. Open Safari, tap Aa on the left side of the search field, and then tap Request Mobile Website.
  • Option 3: Access the target app through the Native App or Okta Mobile.

Related topics

Identity Provider routing rules

Modify routing rules

Identity Providers

Configure dynamic routing rules