Okta Authenticator (Classic)

This guide covers setting up Incode as an OIDC-based authenticator in an
Okta Classic environment. If your organization uses Okta Identity Engine
(OIE), follow the Okta Authenticator (Preview/OIE) guide instead.

Prerequisites

  • Access to the Integrations page in the Incode Dashboard. Contact your
    Incode representative if you do not see the Integrations page.
  • Completed the Okta IDP integration prerequisites
  • An Okta Classic instance
  • An Okta administrator account with permissions to manage Identity
    Providers and Policies

Set up guide

Step 1: Create an OIDC Identity Provider in Okta

  1. Log in to your Okta Admin Console.
  2. Navigate to Security > Identity Providers > Add Identity Provider.
  3. Select OpenID Connect.
  4. Configure the IDP with a name and set the mode to Factor Only.
  5. Ensure the following scopes are included: email, openid, profile.

Do not save yet — you will need values from the Incode Dashboard in Step 2
to complete this configuration.

Step 2: Create the Okta IDP integration in Incode

Note

This step requires copying values between the Incode Dashboard and your
Okta Admin Console. Keep both tabs open simultaneously before proceeding.

  1. Log in to Dashboard.
  2. In the left navigation, click Integrations.
  3. Click New integration.
  4. From the IAM tab, select Okta IDP, then click Continue.
  5. Enter a Name for this integration. This name appears in analytics
    and identifies verifications completed through this integration.
  6. Use the dropdown to Select a Workflow for this integration.
  7. Copy the following seven values from the Incode Dashboard into the
    corresponding fields in your Okta OIDC IDP configuration:

    Incode Dashboard field    Okta field
    ----------------------    ----------------------
    Client ID                 Client ID
    Client Secret             Client Secret
    Issuer URL                Issuer
    Authorize URL             Authorization endpoint
    Token URL                 Token endpoint
    JWKS URL                  JWKS endpoint
    Userinfo URL              Userinfo endpoint

  8. In Okta, set the Authentication type to Client secret.
  9. Save the IDP configuration in Okta.
  10. Copy the Redirect URI generated by Okta after saving.
  11. Back in the Incode Dashboard, paste the Redirect URI into the
    Redirect URLs field in the integration configuration.
  12. Click Save.
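
A pre-save check for the seven values copied in Step 2, as an added example (not Incode or Okta tooling). The field names come from the mapping table and the scopes from Step 1; the sample values and idp.example.com are constructed placeholders, and the https and distinct-URL checks are assumptions about a sound OIDC configuration, not documented Incode requirements.

```python
from urllib.parse import urlsplit

# Okta field names from the mapping table in Step 2.
URL_FIELDS = ["Issuer", "Authorization endpoint", "Token endpoint",
              "JWKS endpoint", "Userinfo endpoint"]
REQUIRED_SCOPES = {"email", "openid", "profile"}  # Step 1, item 5


def check_idp_config(cfg):
    """Return a list of problems in the values about to be saved in Okta."""
    problems = []
    for field in ["Client ID", "Client Secret"] + URL_FIELDS:
        value = cfg.get(field, "")
        if not value:
            problems.append(f"{field}: missing")
        elif value != value.strip():
            problems.append(f"{field}: leading/trailing whitespace from copy-paste")
    seen = {}  # URL value -> first field it was pasted into
    for field in URL_FIELDS:
        value = cfg.get(field, "").strip()
        if not value:
            continue
        url = urlsplit(value)
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{field}: not an absolute https URL")
        # OIDC Discovery: an issuer has no query or fragment component.
        if field == "Issuer" and (url.query or url.fragment):
            problems.append("Issuer: must not contain a query or fragment")
        if value in seen:
            problems.append(f"{field}: same value as {seen[value]} (pasted twice?)")
        seen.setdefault(value, field)
    missing = REQUIRED_SCOPES - set(cfg.get("Scopes", []))
    if missing:
        problems.append("Scopes: missing " + ", ".join(sorted(missing)))
    return problems


# Constructed sample values; idp.example.com is a placeholder, not an Incode host.
SAMPLE = {
    "Client ID": "constructed-client-id",
    "Client Secret": "constructed-secret ",            # trailing space
    "Issuer": "https://idp.example.com",
    "Authorization endpoint": "https://idp.example.com/authorize",
    "Token endpoint": "https://idp.example.com/token",
    "JWKS endpoint": "https://idp.example.com/token",  # wrong field pasted
    "Userinfo endpoint": "http://idp.example.com/userinfo",
    "Scopes": ["openid", "email"],
}
```

Calling `check_idp_config(SAMPLE)` reports the trailing space in the secret, the duplicated token URL, the non-https userinfo URL and the missing `profile` scope.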

Step 3: Configure policies in Okta Classic

Okta Classic uses a different policy structure than OIE. Rather than
separate enrollment and authentication policies, Classic uses per-application
sign-on policies to enforce MFA requirements.

  1. In the Okta Admin Console, navigate to Applications and open the
    application you want to protect with Incode verification.
  2. Open the Sign On tab.
  3. Under Sign On Policy, click Add Rule.
  4. Configure the rule:
    • Set the conditions to match the user group you want to require Incode
      verification for
    • Under Access, set Multifactor Authentication to Required
    • Ensure the Incode IDP factor is listed as an allowed factor
  5. Save the rule.
  6. Repeat for any additional applications you want to protect.

Note

In Okta Classic, sign-on policies are configured per application, not
globally. You must add an Incode rule to each application you want to
protect. If you manage many applications, consider using Okta Identity
Engine (OIE) for centralized policy management.

Step 4: Test

Sign in to one of the configured applications using a test user account in
the enrolled group. The login flow should prompt for password followed by
the Incode biometric verification step.

Confirm the following before rolling out to all users:

  • The Incode authenticator appears as an MFA option after password entry
  • The user is redirected to an Incode verification session and can complete
    it on their mobile device
  • After successful verification, the user is granted access to the
    application
  • Failed verification blocks access and does not allow the user to proceed

If the Incode factor does not appear

Verify that the sign-on policy rule is applied to the correct user group
and that the Incode IDP is listed as an allowed factor in the rule.
Changes to Okta Classic policies take effect immediately, but users with
an active session may need a fresh browser session before they see them.


Next steps