Configure routing rules
The default routing rule specifies Okta as the identity provider. You can create a rule for each of your providers or for different combinations of user criteria. When an end user attempts to sign in, the active rules are evaluated. The first one that the user matches is applied.
- Before you begin
- Add a rule
- Configure a routing rule for macOS devices
- Maintain routing rules
- Related topics
Verify that you have already configured:
Okta IWA Web agent. See Configure Desktop SSO.
Observe the following:
Limitation: IdP Discovery on ChromeBooks only supports the Okta Identity Provider and third-party Identity Providers that have announced support for ChromeBook.
Known issue: Okta Mobile is not supported for use with Identity Provider Routing Rules.
- In the Admin Console, go to Security > Identity Providers.
- On the Routing Rules tab, click Add Routing Rule.
- Enter a Rule Name.
- Indicate your routing specifications.
- User's IP is: To specify a zone, at least one network zone must already be defined. For information on zones, see IP Zones.
- User's device platform is: Select any combination mobile and desktop devices. Note that iOS devices may bypass your iOS routing rules. See Configure a routing rule for macOS devices.
- User is accessing: To add an application or app instance, start typing the application name. A list of all matching apps appears.
- From the User matches menu, select which login attributes the user must match:
- Anything includes all users.
- Regex on login allows you to enter any valid regular expression based on the user login to use for matching. This is useful when specifying the domain or a user attribute is not sufficient for matching. For example, .*\+firstname.lastname@example.org matches logins for the domain @company.com but only if +devtest is included before the @ sign.
- Domain list on login specifies a list of the domains to match (without the @ sign); for example, mytest.com. It isn't necessary to escape any characters (which is required when using a regular expression).
- User attributes specify an attribute name, a type of comparison, and a value to match. Note that if you choose Regex for the type of comparison, you must enter a valid regular expression for the value. For example, (Human Resources|Engineering|Marketing) for the Department attribute in your Okta user schema.
In Use this identity provider, select the identity provider to use when all the criteria are met.
Click Create Rule, and then indicate whether you want to activate the rule immediately.
Due to a change in the way that Safari reports device user agents, Okta can't differentiate between app requests that come from macOS devices and those that come from Safari on iPadOS devices.
To prevent iPadOS devices from bypassing iOS policies, configure a Deny/Catch-All routing rule that applies to macOS and iPadOS devices. To prevent iPadOS device users from being affected by your macOS app routing rules, inform them that they must do one of the following:
- Option 1: All websites accessed from Safari (iPadOS 13 and higher). In iPad settings, go to Safari settings > Request Desktop Website and then turn off the All Websites setting.
- Option 2: Per-website basis. Open Safari, tap Aa on the left side of the search field, and then tap Request Mobile Website.
- Option 3. Access the target app through their Native App or Okta Mobile.
Active rules are evaluated in the order that they are shown on the Routing Rules page. The first active rule that the user matches is applied.
There is no limit to the number of rules you can add. However, routing performance is affected by the number of rules that must be evaluated before a match is found.
- To change the priority of rules, hover over the area to the left of a rule number. Drag it into the order you want.
- To activate, deactivate, edit, or delete a rule, click the rule name, and then click an action button on the right. You can't modify the default rule.