Configure the IdP authenticator

The Identity Provider (IdP) authenticator is a possession factor and verifies user presence. You can configure multiple SAML 2.0 or OIDC IdPs of your choice as authenticators.

End users see an option to use the IdP when signing in to Okta. They complete extra verification in the IdP, and then they're redirected to Okta.

To use the IdP authenticator, the sign-in flow must take place in a browser. Sign-in flows that happen outside the browser aren't supported. This includes sign-in flows that use Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS). Microsoft Azure Active Directory (AAD) can't be used as an IdP authenticator.

Before you begin

Add the SAML 2.0 or OIDC IdP that you want to use as the authenticator. See Identity Providers.
- Set IdP Usage to Factor only.
- Clear JIT settings. They aren't supported.
Configure Universal Directory mappings.
- For a SAML 2.0 IdP, map the subjectNameId claim to Okta username login.
- For an OIDC IdP, map the preferred_username claim to Okta username login.
Set the IdP to Active.

Add the IdP authenticator

In the Admin Console, go to SecurityAuthenticators.
On the Setup tab, click Add Authenticator.
Click Add on the IdP Authenticator tile.

Configure options for the authenticator

Configure the following options:

Field	Value
Identity Provider (IdP)	Select the SAML or OIDC IdP you want to use as an authenticator.
Authenticator name	Name for the authenticator. This appears to end users when they sign in. If the field is blank, the IdP name appears as the authenticator name.
Authenticator logo	Select the logo for the authenticator. The user sees this logo on the authentication pages. Browse files: Upload your logo. It must be an SVG file less than 1 MB. For better quality, use a square logo with a transparent background. Use default logo: Use the default logo.

Field

Value

Identity Provider (IdP)

Select the SAML or OIDC IdP you want to use as an authenticator.

Authenticator name

Name for the authenticator. This appears to end users when they sign in. If the field is blank, the IdP name appears as the authenticator name.

Authenticator logo

Select the logo for the authenticator. The user sees this logo on the authentication pages.

Browse files: Upload your logo. It must be an SVG file less than 1 MB. For better quality, use a square logo with a transparent background.

Use default logo: Use the default logo.

Click Add. The authenticator appears in the list on the Setup tab.

To see how the authenticator appears on the sign-in pages, sign in as an end user. To add another IdP authenticator, repeat the above steps.

Add IdP to authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit, deactivate, or delete the IdP authenticator

Before you edit, deactivate, or delete the IdP authenticator, you may have to update existing policies that use this authenticator.

To edit or deactivate the IdP authenticator, go to Security Authenticators. Open the Actions dropdown beside the authenticator and select Edit or Deactivate.

Deactivating an IdP authenticator doesn't delete it. To delete the IdP authenticator follow these steps:

Deactivate the IdP authenticator.
Go to Security Identity Providers and delete the corresponding IdP.

After the IdP is deleted, it automatically disappears from the authenticators list.

End-user experience

End users are prompted to enroll in the IdP authenticator authentication the next time they sign in. After the end user enrolls the IdP authenticator, it appears in their End-User Dashboard in Settings Security Methods. The IdP authenticator prompt times out after five minutes of inactivity. The user must then request a new prompt.