Identity Provider Discovery

When configured, Identity Provider Discovery redirects users to different identity providers based on specified criteria. These criteria include location, device, the appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. or app instance being accessed, the user's domainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)., and specific user attributes. For organizations that have more than one Okta orgThe Okta container that represents a real-world organization., the separate orgs can use separate identity providers and keep groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. of users separate.

Note: Identity Provider Discovery is designed to improve usability and to enhance the end-user experience. It does not provide additional security enhancements.

Limitation: Identity Provider Discovery on ChromeBooks only supports the Okta Identity Provider and third-party Identity Providers that have announced support for ChromeBook.

End-user experience

When Identity Provider Discovery is configured to select a provider based on the end user's domain or attributes, the end-user sees a modified sign-in screen that accepts the email, and short names, as shown below.

The sign in is evaluated against the set criteria and the user is redirected to the appropriate sign-in screen for the desired identity provider.


Identity Provider Discovery is useful in the following scenarios:


Before using this feature, you must have an additional identity provider configured. For information on configuring an additional SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. identity provider, see Configure Inbound SAML. Identity Provider Discovery does not support Social Identity Providers.


To configure Identity Provider Routing Rules (IdPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta. Discovery), navigate to Security > Identity Providers, and then click the Routing Rules tab. The default rule specifies Okta as the default identity provider. To add an additional provider, click Add Routing Rule. The screen shown below opens.

  1. Enter a Rule Name.
  2. Indicate your routing specifications.
    • User's IP is: To specify a zone, at least one network zone must already be defined. For information on zones, see IP Zones.
    • User's device platform is: Select any combination of mobile and desktop devices.
    • User is accessing: To add an application or app instance, start typing the application name. A list of all matching apps appears.
  3. From the User matchesdrop-down menu, select which login attributes the user must match:
    • Anything includes all users.
    • Regex on login allows you to enter any valid regular expression based on the user login to use for matching. This is useful when specifying the domain or a user attribute is not sufficient for matching.
    • Domain list on login specifies a list of the domains to match; for example, You can add multiple domains. Note that it is not necessary to escape any characters (which is required when using a regular expression), and you should not add the @ sign to the domain name.
    • User attribute specifies an attribute name, a type of comparison, and a value to match. Note that if you choose Regex for the type of comparison, you must enter a valid regular expression for the value.
  4. In Use this identity provider, select the identity provider to use when all the criteria are met.
  5. Click Create Rule, and then indicate whether you want to activate it immediately.

Maintaining Routing Rules

The Routing Rules screen shows all active and inactive rules.


To activate, deactivate, edit, or delete a rule, click the rule name, and then click an action button on the right. You cannot modify the default rule.