Add an identity verification vendor as an identity provider
You can configure an identity verification (IDV) vendor as an identity provider (IdP) in Okta. This enables you to request an identity verification to ensure that the right user is onboarding or resetting their account.
Identity verification helps ensure that the person presenting the information is the rightful owner of that identity. This process can involve various methods, like device intelligence, knowledge-based authentication (KBA) questions, biometric verification, and multifactor authentication (MFA). The IDV vendor checks a user's government-issued identity document and prompts them to take a selfie to satisfy a liveness check.
Identity verification adds an extra layer of phishing resistance to your org.
Before you begin
- You can't use an IDV vendor IdP for routing rules.
- Add your Okta org URLs to the IDV vendor's allowlist:
  - Use this URL format (including the callback path) if you use the Incode or CLEAR Verified IDV vendor:
    https://org-name.okta.com/idp/identity-verification/callback
  - Use this URL format if you use the Persona IDV vendor:
    org-name.okta.com
- If the IDV vendor rejects the request from Okta, check the vendor's event log for troubleshooting information.
Supported IDV vendors
Okta supports adding these IDV vendors as IdPs:
- Persona: Okta integration overview
- CLEAR Verified: Getting Started
- Incode: Developer Hub
Start this task
- In the Admin Console, go to .
- Click Add identity provider.
- Select the IDV vendor, and then click Next. The Configure <IDV vendor name> identity verification page appears.
- On the page, enter the details of the IDV vendor. Each IDV vendor uses different field names. See your IDV vendor's dashboard to find the name for each field.
- Optional. Set up fuzzy matching in the IDV vendor. See your IDV vendor's documentation. Okta passes the First Name and Last Name profile attributes from Universal Directory to the IDV vendor.
- Click Finish. The IDV vendor appears in the list on the Identity Providers page.
To update the IDV vendor IdP, go to .
To deactivate the IDV vendor IdP, go to . You can delete the IdP after deactivating it.
Map profile attributes from Okta to the IDV vendor IdP
Okta lets you map profile attributes from Okta to the identity verification (IDV) vendor. Mappings flow one way from Okta to the IDV vendor. Mapping helps the IDV vendor process the user's identity correctly. You can start this procedure from the Identity Providers page, or from the Profile Editor page.
Start from the Identity Providers page
- In the Admin Console, go to .
- Click Actions for the IDV vendor you want to map profile attributes with.
- Select Edit profile and mappings. The Profile Editor page appears.
- Click Mappings. If more than one user type is available, select one from the dropdown menu. The IDV vendor User Profile Mappings page appears.
- Continue with the Map the attributes from Okta to the IDV vendor procedure.
Start from the Profile Editor
- In the Admin Console, go to .
- Click Mappings for the IDV vendor profile you want to map attributes for. If more than one user type is available, select the user type from the dropdown menu. The IDV vendor User Profile Mappings page appears.
- Continue with the Map the attributes from Okta to the IDV vendor procedure.
Map the attributes from Okta to the IDV vendor
Early Access release. See Enable self-service features.
At minimum, map the user's first name and last name attributes. This helps the IDV vendor process the request more accurately. Map more attributes as required.
- Find the name of the IDV vendor's attribute in the right column.
- In the Okta column on the left, click the triangle beside the corresponding IDV vendor's attribute.
- Select the Okta attribute that you want to map to the IDV vendor attribute from the list. You can also use Okta Expression Language to generate the attribute name. For example, if the IDV vendor calls the first name given_name, you could map an Okta attribute like user.firstName or user.legalName to it.
  Some IDV vendors process all address attributes as a single component. Map all of these attributes to avoid failures when verifying addresses:
  - streetAddress
  - locality
  - region
  - postalCode
  - countryCode
  Consult your IDV vendor documentation for details about how they process addresses.
- Repeat these steps for each attribute that you want to map.
- Click Save mappings. Or, to preview the change, enter a user's name in the field beside Preview and then click Preview. Okta displays the first and last name of the user in the IDV vendor column.
- Click Exit preview.
- Click Apply updates. Okta displays the attributes in the Attributes list.
- To require an attribute to be sent in the claim to IDV vendors, select the i icon for an attribute.
- Select Yes for the Attribute required option.
- Click Save Attribute.
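The mapping rules in this procedure (first and last name at minimum, and all five address attributes together) can be checked before you click Save mappings. The following is an added example, not Okta's own code: the dictionary shape (IDV vendor attribute name to Okta expression), the alias table, and the function name lint_mapping are assumptions made for illustration, and the sample data is constructed.

```python
# Added example: pre-flight lint for an Okta -> IDV vendor attribute mapping.
# The dict shape (vendor attribute -> Okta expression) is an assumption made
# for this example; it is not an Okta export format.

REQUIRED_NAMES = {"firstName", "lastName"}
ADDRESS_ATTRS = {"streetAddress", "locality", "region", "postalCode", "countryCode"}


def lint_mapping(mapping, name_aliases=None):
    """Return a list of findings for a vendor-attribute -> Okta-expression map.

    name_aliases maps a vendor's own field name (for example given_name)
    to the logical name it stands for (firstName or lastName).
    """
    aliases = name_aliases or {}
    # Treat empty or whitespace-only expressions as unmapped.
    mapped = {aliases.get(k, k) for k, v in mapping.items() if v and v.strip()}
    findings = []

    for attr in sorted(REQUIRED_NAMES - mapped):
        findings.append(f"missing required name mapping: {attr}")

    present = ADDRESS_ATTRS & mapped
    # Partial address mappings are the failure case: vendors that treat the
    # address as one component need all five parts, so flag any subset.
    if present and present != ADDRESS_ATTRS:
        for attr in sorted(ADDRESS_ATTRS - present):
            findings.append(f"partial address mapping, missing: {attr}")
    return findings


# Constructed sample: the vendor calls the first name given_name, and only
# two of the five address parts carry an expression.
SAMPLE = {
    "given_name": "user.firstName",
    "lastName": "user.lastName",
    "streetAddress": "user.streetAddress",
    "postalCode": "user.zipCode",
    "region": "",
}
SAMPLE_ALIASES = {"given_name": "firstName"}

if __name__ == "__main__":
    for finding in lint_mapping(SAMPLE, SAMPLE_ALIASES):
        print(finding)
```

An empty findings list means the mapping satisfies both rules; a mapping with no address attributes at all is also accepted, because the rule only concerns partial address sets.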
Related topics
Identity Verification providers in the Okta Integration Network (OIN)
Workflows: Perform identity proofing with a third-party service