Configure dynamic routing rules

Dynamic routing rules work like standard routing rules, except they aren’t bound to specific Identity Providers (IdPs). They use Expression Language to match users to any IdP, based on the attributes of their login object.

When a user signs in, one rule is evaluated at a time until there’s a match. Evaluating hundreds of rules can slow the sign-in experience for users. With dynamic routing rules, you don’t need a separate rule for every IdP. You can consolidate multiple rules with the same conditions into a single dynamic routing rule.

Before you begin

The most common use case is to dynamically route to an IdP by domain. To do this, add at least one IdP, and be sure that its name matches the domain. For example, if you want users with email addresses like user.name@yourorg.com to route to the same IdP, name the IdP yourorg.com.

If you want to route users based on an IP address, define at least one network zone. See Network Zones.

Add a rule

  1. In the Admin Console, go to Security > Identity Providers.
  2. On the Routing Rules tab, click Add Routing Rule.
  3. Enter a Rule Name. Consider using a name that identifies this rule as dynamic.
  4. Configure the routing conditions.
    IF User's IP isSelect network zones. You can sort by zones defined or not defined in Okta, or configure specific zones.
    AND User's device platform isSelect any combination of mobile and desktop devices. Note that iOS devices may bypass your iOS routing rules. See Configure a routing rule for macOS devices.
    AND User is accessingEnter the name of an application or app instance.
    AND User matchesSelect which login attributes the user must match.
    • Anything includes all users.
    • Regex on login allows you to enter any valid regular expression based on the user login to use for matching. This is useful when specifying the domain or a user attribute isn’t sufficient for matching. For example, .*\+devtest@company.com matches logins for the domain @company.com but only if +devtest is included before the @ sign.
    • Domain list on login specifies a list of the domains to match (without the @ sign); for example, mytest.com. It isn't necessary to escape any characters (which is required when using a regular expression).
    • User attributes specify an attribute name, a type of comparison, and a value to match. If you choose Regex for the type of comparison, you must enter a valid regular expression for the value. For example, (Human Resources|Engineering|Marketing) for the Department attribute in your Okta user schema.
    THEN Use this identity providerSelect Dynamically match to an IdP.
    Match IdP name toSelect the default string or enter your own custom expression. The default String.substringAfter(user.login,"@") automatically maps to the domain name in a user's email address (everything after the @ sign).
  5. Click Create Rule, and then indicate whether you want to activate the rule immediately.

Test a dynamic rule

Your new rule is automatically sorted after other routing rules (but before the default catch-all rule). If your new dynamic routing rule replaces standard rules, test it by disabling those standard rules and signing in with a valid username. Don’t delete any rules until you verify that the dynamic rule works.

Related topics

Identity Provider routing rules

Identity Providers