Configure Incode as SSO Provider with Okta IDP

You can configure Incode as a Single Sign-On (SSO) provider for your Okta-connected applications, enabling users to authenticate with Incode biometric verification as their primary login method across your app portfolio.

This configuration builds on the Okta IDP Integration and assumes the OIDC identity provider and authenticator are already set up.


Prerequisites

Ensure you have the following before you begin:


Understand SSO with Okta IDP

When configured as an SSO provider, Incode acts as the IDP for application sign-on. Users who attempt to access an Okta-connected application are routed to an Incode verification session instead of, or in addition to, the standard Okta login page. On successful verification, Incode issues a signed token that Okta uses to authenticate the user into the application.

This is typically used in combination with a passwordless authentication policy, where the Incode biometric factor replaces the password entirely.


Set Up Incode as an SSO Provider

Assign the Incode IDP to Applications

  1. Log in to your Okta Admin Console.
  2. Go to Applications and open the application you want to protect with Incode SSO.
  3. Click the Sign On tab.
  4. In the Identity Provider settings, select the Incode OIDC IDP you configured during the authenticator setup.
  5. Click Save.

Configure the Authentication Policy

  1. Go to Security > Authentication Policies.
  2. Select the policy assigned to the application or create a new one.
  3. Add or edit a rule:
    • Assign the user group that should use Incode SSO.
    • For User must authenticate with, select the Incode authenticator as the required factor.
    • You can set Password to Optional to enable a fully passwordless experience.
  4. Click Save, then assign the policy to the application.

Test the SSO Flow

Test the SSO flow for the application with a user in the configured group. Confirm that the login flow routes through Incode verification and that the user is successfully authenticated into the application.