Identity Provider routing rules
Identity Provider (IdP) routing rules enable you to direct end users to identity providers based on the user's location, device, email domain, attributes, or the app they are attempting to access.
You can create a rule for each of your providers or for different combinations of user criteria. When an end user attempts to sign in, the active rules are evaluated, and the first one that the user matches is applied.
IdP routing rules are useful in the following scenarios.
- On-network vs. off-network: You can maintain alternate or legacy authentication for off-network users and use Okta for on-network users.
- Mobile users: Mobile users, identified by device, can route authentication to a third-party identity provider with specific functionality.
- Hub-and-spoke organizations: These organizations may manage users, Active Directories, policies, apps, and workflows in one of the "spoke" organizations, but require access to the central organization for certain apps, such as Workday, for other reasons. Users can authenticate from an app using a service provider-initiated flow to the "hub" organization which uses routing rules to authenticate into the "spoke" organization seamlessly. (If you have more than one Okta org, you can use separate identity providers for each org to keep groups of users separate.)
- Desktop SSO: You can route desktop users to Integrated Windows Authentication (IWA) and mobile users to Okta for authentication.
- Multiple customer organizations: You can send users from multiple orgs to a different org for authentication, based on the email subdomain.
- Required discovery by user attribute: In some B2B scenarios where the email domain does not necessarily correlate to the identity provider, you can direct authentication based on user attributes.
When IdP routing rules are configured to select a provider based on the end user's domain or attributes, the end user sees a modified sign-in screen that accepts the email and short names. If you configured multiple providers for a rule, the end user sees a list of available IdPs. The sign-in is evaluated against the set criteria and the user is redirected to the appropriate sign-in screen for the desired identity provider.
If you configured multiple providers for a rule and the primary factor in your Global Session Policy is Password / IDP, the end user sees fields for their username and password and a list of available IdPs.
Routing rules improve the end-user sign-in experience, but they don't provide security enhancements. You need to configure user authentication policies for your IdPs independently of your routing rules.