Configure the IdP authenticator
The Identity Provider (IdP) authenticator is a possession factor and verifies user presence. You can configure multiple SAML 2.0 or OIDC IdPs of your choice as authenticators.
End users see an option to use the IdP when signing in to Okta. They complete extra verification in the IdP, and then they're redirected to Okta.
To use the IdP authenticator, the sign-in flow must take place in a browser. Sign-in flows that happen outside the browser aren’t supported. This includes sign-in flows that use Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS). Microsoft Azure Active Directory (AAD) can’t be used as an IdP authenticator.
Before you begin
- Add the SAML 2.0 or OIDC IdP that you want to use as the authenticator. See Identity Providers.
- Set IdP Usage to Factor only.
- Clear JIT settings. They aren’t supported.
- Configure Universal Directory mappings.
  - For a SAML 2.0 IdP, map the subjectNameId claim to Okta username login.
  - For an OIDC IdP, map the preferred_username claim to Okta username login.
- Set the IdP to Active.
Add the IdP authenticator
- In the Admin Console, go to .
- On the Setup tab, click Add Authenticator.
- Click Add on the IdP Authenticator tile.
- Select the Identity Provider from the menu.
- Click Add. The authenticator appears in the list on the Setup tab.
- To add another IdP authenticator, repeat these steps.
Add IdP to authenticator enrollment policy
In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit, deactivate, or delete the IdP authenticator
Before you edit, deactivate, or delete the IdP authenticator, you may have to update existing policies that use this authenticator.
To edit or deactivate the IdP authenticator, go to . Open the Actions dropdown beside the authenticator and select Edit or Deactivate.
Deactivating an IdP authenticator doesn’t delete it. To delete the IdP authenticator, follow these steps:
- Deactivate the IdP authenticator.
- Go to and delete the corresponding IdP.
After the IdP is deleted, it automatically disappears from the authenticators list.
End-user experience
End users are prompted to enroll in the IdP authenticator the next time they sign in. After the end user enrolls the IdP authenticator, it appears in their End-User Dashboard in . The IdP authenticator prompt times out after five minutes of inactivity. The user must then request a new prompt.