Configure the IdP authenticator

The Identity Provider (IdP) authenticator is a possession factor and verifies user presence. You can configure multiple SAML 2.0 or OIDC IdPs of your choice as authenticators.

End users see an option to use the IdP when signing in to Okta. They complete extra verification in the IdP, and then they're redirected to Okta.

To use the IdP authenticator, the sign-in flow must take place in a browser. Sign-in flows that happen outside the browser aren’t supported. This includes sign-in flows that use Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS). Microsoft Azure Active Directory (AAD) can’t be used as an IdP authenticator.

Before you begin

  • Add the SAML 2.0 or OIDC IdP that you want to use as the authenticator. See Identity Providers.
    • Set IdP Usage to Factor only.
    • Clear JIT settings. They aren’t supported.
  • Configure Universal Directory mappings.
    • For a SAML 2.0 IdP, map the subjectNameId claim to Okta username login.
    • For an OIDC IdP, map the preferred_username claim to Okta username login.
  • Set the IdP to Active.

Add the IdP authenticator

  1. In the Admin Console, go to SecurityAuthenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the IdP Authenticator tile.
  4. Select the Identity Provider from the menu.
  5. Click Add. The authenticator appears in the list on the Setup tab.
  6. To add another IdP authenticator, repeat these steps.

Add IdP to authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit, deactivate, or delete the IdP authenticator

Before you edit, deactivate, or delete the IdP authenticator, you may have to update existing policies that use this authenticator.

To edit or deactivate the IdP authenticator, go to Security Authenticators. Open the Actions dropdown beside the authenticator and select Edit or Deactivate.

Deactivating an IdP authenticator doesn’t delete it. To delete the IdP authenticator follow these steps:

  1. Deactivate the IdP authenticator.
  2. Go to Security Identity Providers and delete the corresponding IdP.

After the IdP is deleted, it automatically disappears from the authenticators list.

End-user experience

End users are prompted to enroll in the IdP authenticator authentication the next time they sign in. After the end user enrolls the IdP authenticator, it appears in their End-User Dashboard in Settings Security Methods. The IdP authenticator prompt times out after five minutes of inactivity. The user must then request a new prompt.

Related topics

Authentication