Configure the IdP authenticator

The IdP authenticator allows admins to enable authentication with an OIDC or SAML identity provider (IdP) as extra verification. When configured, the end user sees the option to use the identity provider for extra verification and is redirected to that identity provider for verification. This verification replaces authentication with another non-password authenticator, such as Okta Verify.

Once an IdP authenticator has been enabled and added to an authentication enrollment policy, users may use it to verify their identity when they sign in to Okta. End users are directed to the identity provider in order to authenticate and are then redirected to Okta once verification is successful.

This authenticator allows you to:

  • Add an IdP authenticator for existing SAML or OIDC-based IdP authentication.
  • Link an existing SAML 2.0 IdP or OIDC IdP to use as the IdP authenticator provider.

Before you begin

  • Admin access to Okta is required to enroll and configure the IdP authenticator.
  • An existing identity provider must be available to use as the additional step-up authentication provider.

SAML and OIDC claims mapping

Okta expects the following claims for SAML and OIDC:

  • For the SAML response, the subjectNameId claim is mapped to the Okta username.
  • For the OIDC response, the preferred_username claim is mapped to the Okta username.

Configure an IdP authenticator

There are two stages to configure an IdP authenticator:

  1. Add an identity provider to Okta.
  2. Enable the IdP authenticator.

Step 1: Add identity providers to Okta

  1. In the Admin Console, go to Security > Identity Providers.

  2. Click Add identity provider and select the identity provider you want to add.
  3. Click Next. The identity provider's setup page appears.

  • Each identity provider page includes a link to the setup instructions for that identity provider; Okta recommends that you read these instructions to learn about how to configure your identity provider.
  • In the General Settings section on each identity provider's page, select the Factor only option from the IdP Usage dropdown; you can't use the SSO only option with the IdP authenticator.
  • JIT settings aren't supported with the IdP authenticator.

Step 2: Enable the IdP authenticator

You must add an identity provider as described in Step 1 before you can enable the IdP authenticator.

  1. In the Admin Console, go to Security > Authenticators.
  2. Click Add authenticator.
  3. Click Add on the IdP Authenticator tile.
  4. Select an identity provider from the menu. These are the identity providers you added in Step 1 of this procedure.
  5. Click Save.
  6. Configure the settings for the IdP authenticator in the authenticator enrollment policy. See Create an authentication enrollment policy for instructions.

End-user experience

  • End users are prompted to enroll in the IdP authenticator authentication the next time they sign in.
  • After the end user has enrolled in the IdP authenticator, it appears on their Settings page in the Security Methods section.
  • When an end user triggers the use of the IdP authenticator, it times out after five minutes of inactivity, after which they must trigger the use of the IdP authenticator again.

Limitations

The IdP authenticator isn't supported for use with the following:

  • This authenticator can't be used with the Okta Integrated Windows Authentication agent (IWA) for Desktop Single Sign-on.
  • Device Trust integrations that use the “Untrusted Allow with MFA” configuration will fail.
  • MFA for RDP, MFA for ADFS, RADIUS logins, or other non-browser based sign-in flows don't support the IdP authenticator.
  • The IdP authenticator doesn't support the use of Microsoft Azure Active Directory (AD) as an identity provider. To use Microsoft Azure AD as an identity provider, see Make Azure Active Directory an identity provider.

Related topics

Identity Providers

Sign-on policies and rules

Authentication

General Security

Network zones