Configure dynamic routing rules
This is an Early Access feature. To enable it, contact Okta Support.
Dynamic routing rules work like standard routing rules, except they aren’t bound to specific Identity Providers (IdPs). They use expression language to match users to any IdP, based on attributes of their login object.
When a user signs in, one rule is evaluated at a time until there’s a match. If you have hundreds or thousands of rules, the evaluation process slows the sign-in experience for your users. With dynamic routing rules, you don’t need to create rules for every IdP. You can consolidate multiple routing rules with the same conditions into a single dynamic routing rule.
Before you begin
The most common use case is to dynamically route to an IdP by domain. To do this, add at least one IdP, and be sure that its name matches the domain. For example, if you want users with email addresses like email@example.com to route to the same IdP, name the IdP yourorg.com.
If you want to route users based on an IP address, define at least one network zone. See Network Zones.
Add a rule
- In the Admin Console, go to Security > Identity Providers.
- On the Routing Rules tab, click Add Routing Rule.
- Enter a Rule Name. Consider using a name that identifies this rule as dynamic.
- Configure the routing conditions.
IF User's IP is
Select network zones. You can sort by zones defined or not defined in Okta, or configure specific zones.
AND User's device platform is
Select any combination of mobile and desktop devices. Note that iOS devices may bypass your iOS routing rules. See Configure a routing rule for macOS devices.
AND User is accessing
Enter the name of an application or app instance.
Select which login attributes the user must match.
- Anything includes all users.
- Regex on login lets you enter any valid regular expression to match against the user login. This is useful when specifying a domain or a user attribute isn't sufficient for matching. For example, .*\+firstname.lastname@example.org matches logins for the domain @company.com but only if +devtest is included before the @ sign.
- Domain list on login specifies a list of domains to match (without the @ sign); for example, mytest.com. You don't need to escape any characters, as you would in a regular expression.
- User attributes specify an attribute name, a type of comparison, and a value to match. Note that if you choose Regex for the type of comparison, you must enter a valid regular expression for the value. For example, (Human Resources|Engineering|Marketing) for the Department attribute in your Okta user schema.
THEN Use this identity provider
Select Dynamically match to an IdP.
Match IdP name to
Select the default string or enter your own custom expression. The default String.substringAfter(user.login,"@") automatically maps to the domain name in a user's email address (everything after the @ sign).
- Click Create Rule, and then indicate whether you want to activate the rule immediately.
Test a dynamic rule
Your new rule is automatically sorted after other routing rules (but before the default catch-all rule). If your new dynamic routing rule replaces one or more standard rules, test it by disabling those standard rules and signing in with a valid username. Don’t delete any rules until you verify that the dynamic rule works.
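The following is an added illustration, not Okta code, of how the matching conditions above and the default String.substringAfter(user.login,"@") expression resolve a login to an IdP name, and of the misconfiguration the test step is meant to surface: a rule that matches but derives a name no IdP carries. The rule names, sample users, and full-match regex semantics are assumptions for the simulation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: IdPs named after the domains they serve, as "Before you begin" advises.
IDPS = {"example.com", "mytest.com"}

def substring_after(value, sep):
    """Mirror of the default expression String.substringAfter(user.login, "@")."""
    return value.split(sep, 1)[1] if sep in value else ""

@dataclass
class DynamicRule:
    name: str
    domains: set = field(default_factory=set)        # "Domain list on login" (no @, no escaping)
    login_regex: str = ""                            # "Regex on login"
    attr_regex: dict = field(default_factory=dict)   # "User attributes" with Regex comparison

def matches(rule, user):
    """True when the user satisfies every condition the rule defines (no conditions = Anything)."""
    login = user["login"]
    if rule.domains and substring_after(login, "@").lower() not in {d.lower() for d in rule.domains}:
        return False
    # Assumption: regex conditions are evaluated as full matches. An unanchored pattern
    # therefore needs an explicit .* prefix, and "Engineering Intern" does not match
    # "(Human Resources|Engineering|Marketing)" the way a substring search would.
    if rule.login_regex and not re.fullmatch(rule.login_regex, login):
        return False
    return all(re.fullmatch(p, str(user.get(a, ""))) for a, p in rule.attr_regex.items())

def route(rules, user):
    """Evaluate rules in order; the first match derives the IdP name from the login."""
    for rule in rules:
        if matches(rule, user):
            idp = substring_after(user["login"], "@")
            # The derived name must equal an existing IdP's name; otherwise the rule
            # matched but cannot route anywhere, which is what the sign-in test should catch.
            return idp if idp in IDPS else None
    return "catch-all"   # the default rule that sorts after every dynamic rule

RULES = [
    DynamicRule("departments", attr_regex={"department": r"(Human Resources|Engineering|Marketing)"}),
    DynamicRule("by-domain", domains={"example.com", "mytest.com"}),
]

if __name__ == "__main__":
    for u in ({"login": "alice@example.com", "department": "Sales"},
              {"login": "bob@nowhere.net", "department": "Engineering"}):
        print(u["login"], "->", route(RULES, u))
```

A None result is the case to look for when testing: the dynamic rule consumed the sign-in but no IdP of that name exists, so the user never reaches the catch-all rule either.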