Configure the IdP authenticator
Learn about using the IdP authenticator in Okta.
| Factor type | Possession |
| Method characteristics |
User presence |
| Description | You can configure a SAML or OIDC Identity Provider (IdP) of your choice as an MFA authenticator. End users are directed to this Identity Provider to authenticate. Once the verification is successful, they're redirected to Okta. |
After you configure an Identity Provider, you can enable it as an authenticator and add it to an authentication enrollment policy. End users see an option to use this IdP for extra verification when signing in to Okta. They're directed to the Identity Provider to authenticate and then redirected to Okta once verification is successful.
You can add an IdP authenticator for existing SAML or OIDC-based IdP authentication. You can also configure an existing SAML 2.0 or OIDC Identity Provider to use as an IdP authentication provider.
Before you begin
- Admin access to Okta is required.
- An existing Identity Provider must be available to use as the additional step-up authentication provider.
SAML and OIDC claims mapping
Okta expects the following claims for SAML and OIDC:
- For the SAML response, the subjectNameId claim is mapped to the Okta username.
- For the OIDC response, the preferred_username claim is mapped to the Okta username.
Configure an IdP authenticator
There are two stages to configure an IdP authenticator:
- Add an Identity Provider to Okta.
- Enable the IdP authenticator.
Add Identity Provider to Okta
-
In the Admin Console, go to .
- Click Add Identity Provider and select the Identity Provider you want to add.
- Click Next. The setup page for the Identity Provider appears.
- Each Identity Provider page includes a link to its setup instructions. Read these instructions to learn about how to configure the IdP.
- In the General Settings section, select the Factor only option from the IdP Usage dropdown. You can't use the SSO only option with the IdP authenticator.
- JIT settings aren't supported with the IdP authenticator.
Enable the IdP authenticator
After adding the Identity Provider, enable the IdP authenticator.
- In the Admin Console, go to .
- Click Add authenticator.
- Click Add on the IdP Authenticator tile.
- Select the Identity Provider from the menu.
- Click Save.
- Configure the settings for the IdP authenticator in the authenticator enrollment policy. See Create an authenticator enrollment policy for instructions.
Rename Duo Security custom IdP
If you have configured both Duo Security as an authenticator (factor) and a custom IdP authenticator that is named Duo Security, you may encounter an error when upgrading from Classic Engine to Identity Engine. To avoid this, you must rename the custom IdP factor before upgrading.
-
In the Admin Console, go to .
- Next to the Identity Provider you want to rename, click . The Edit IdP page opens.
- Go to General Settings and click Edit.
- Rename the Identity Provider. The new name should be different from Duo Security.
- Click Update Identity Provider.
End user experience
- End users are prompted to enroll in the IdP authenticator authentication the next time they sign in.
- After the end user has enrolled in the IdP authenticator, it appears on their Settings page in the Security Methods section.
- When an end user triggers the use of the IdP authenticator, it times out after five minutes of inactivity. After this time, they must trigger the use of the IdP authenticator again.
Limitations
The IdP authenticator isn't supported for use with the following:
- Okta Integrated Windows Authentication agent (IWA) for Desktop SSO.
- Device Trust integrations that use the Untrusted Allow with MFA configurations.
- MFA for RDP, ADFS, RADIUS logins, or other non-browser based sign-in flows don't support the IdP authenticator.
- Microsoft Azure Active Directory (AAD) as an Identity Provider. To use AAD as an IdP, see Make Azure Active Directory an Identity Provider.
- Third generation Sign-In Widget.