Configure Incode as SSO Provider with Okta IDP

You can configure Incode as a Single Sign-On (SSO) provider for your Okta-connected applications, enabling users to authenticate with Incode biometric verification as their primary login method across your app portfolio.

This configuration builds on the Okta IDP Integration and assumes the OIDC Identity Provider and Authenticator are already set up.

Prerequisites

How It Works

When configured as an SSO provider, Incode acts as the IdP for application sign-on. Users who attempt to access an Okta-connected application are routed to an Incode verification session instead of, or in addition to, the standard Okta login page. On successful verification, Incode issues a signed token that Okta uses to authenticate the user into the application.

This is typically used in combination with a passwordless authentication policy, where the Incode biometric factor replaces the password entirely.

Set Up Guide

Step 1: Assign the Incode IDP to Applications

  1. Log in to your Okta Admin Console.
  2. Navigate to Applications and open the application you want to protect with Incode SSO.
  3. Go to the Sign On tab.
  4. In the Identity Provider settings, select the Incode OIDC IDP you configured during the authenticator setup.
  5. Save the application settings.

Step 2: Configure the Authentication Policy

  1. Navigate to Security > Authentication Policies.
  2. Select the policy assigned to the application, or create a new one.
  3. Add or edit a rule:
    • Assign the user group that should use Incode SSO.
    • Set "User must authenticate with" to the Incode authenticator as the required factor.
    • Optionally set "Password" to "Optional" to enable a fully passwordless experience.
  4. Save the rule and assign it to the application.

Step 3: Test

Test the SSO flow for the application with a user in the configured group. Confirm that the login flow routes through Incode verification and that the user is successfully authenticated into the application.
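The Step 3 check can also be run against exported Okta System Log events. The script below is an added example, not part of Incode's or Okta's documentation. It assumes the System Log event types `user.authentication.auth_via_IDP` and `user.authentication.sso`, and that the IdP and application appear by display name in each event's `target` list. The names "Incode OIDC" and "Payroll App" and the sample events are constructed, so confirm the field layout against events from your own tenant.

```python
IDP_EVENT = "user.authentication.auth_via_IDP"  # user authenticated through an external IdP
SSO_EVENT = "user.authentication.sso"           # user signed on to an application

def make_event(ts, event_type, user, session, target_name, result="SUCCESS"):
    """Build a constructed event, trimmed to the fields this check reads."""
    return {"published": ts, "eventType": event_type,
            "actor": {"alternateId": user},
            "outcome": {"result": result},
            "authenticationContext": {"externalSessionId": session},
            "target": [{"displayName": target_name}]}

# Constructed sample: alice goes through the IdP, bob reaches the app without it.
SAMPLE_EVENTS = [
    make_event("2024-01-01T10:00:00.000Z", IDP_EVENT, "alice@example.com", "sess-A", "Incode OIDC"),
    make_event("2024-01-01T10:00:05.000Z", SSO_EVENT, "alice@example.com", "sess-A", "Payroll App"),
    make_event("2024-01-01T11:00:00.000Z", SSO_EVENT, "bob@example.com", "sess-B", "Payroll App"),
]

def _has_target(event, name):
    return any(t.get("displayName") == name for t in event.get("target") or [])

def check_sso_flow(events, user, app_name, idp_name):
    """Return findings; an empty list means every successful sign-on to the app
    by this user followed a successful IdP authentication in the same session."""
    verified_sessions, findings, saw_sign_on = set(), [], False
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("actor", {}).get("alternateId") != user:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # a failed verification must not mark the session as verified
        session = ev.get("authenticationContext", {}).get("externalSessionId")
        if ev["eventType"] == IDP_EVENT and _has_target(ev, idp_name):
            verified_sessions.add(session)
        elif ev["eventType"] == SSO_EVENT and _has_target(ev, app_name):
            saw_sign_on = True
            if session is None or session not in verified_sessions:
                findings.append(f"{ev['published']}: sign-on to {app_name} in session "
                                f"{session} without prior {idp_name} verification")
    if not saw_sign_on:
        findings.append(f"no successful sign-on to {app_name} found for {user}")
    return findings

if __name__ == "__main__":
    for u in ("alice@example.com", "bob@example.com"):
        print(u, check_sso_flow(SAMPLE_EVENTS, u, "Payroll App", "Incode OIDC") or "OK")
```

A finding for a user in the configured group means the authentication policy rule from Step 2 did not apply to that sign-on, for example because a higher-priority rule matched first.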