Okta Authenticator (Classic)
This page covers setting up Incode as an OIDC-based authenticator in an Okta Classic environment. If your organization uses Okta Identity Engine (OIE), follow the Okta Authenticator (Preview/OIE) steps instead.
Prerequisites
Ensure you have the following before you begin:
- Access to the Integrations page in Dashboard. Contact your Incode representative if you do not see it.
- Okta IDP integration prerequisites complete.
- An Okta Classic instance.
- An Okta administrator account with permissions to manage Identity Providers and Policies.
Set Up Okta IDP Integration for Classic
Create an OIDC Identity Provider in Okta
- Log in to your Okta Admin Console.
- Go to Security > Identity Providers > Add Identity Provider.
- Select OpenID Connect.
- Enter a name for the IDP and set the mode to Factor Only.
- Ensure the following scopes are included: email, openid, and profile.
Do not save yet. You will need values from Dashboard in the next set of steps to complete this configuration.
Create the Integration in Dashboard
Tip: This requires copying values between Dashboard and your Okta Admin Console. Keep both tabs open.
- Log in to Dashboard.
- In the left menu, click Integrations.
- Click New Integration.
- From the IAM tab, select Okta IDP, then click Continue.
- Enter a Name for this integration. This name appears in analytics and identifies verifications completed through this integration.
- Select a Workflow for this integration from the drop-down.
- Copy the following values from Dashboard into the corresponding fields in your Okta OIDC IDP configuration:
| Dashboard field | Okta field |
|---|---|
| Client ID | Client ID |
| Client Secret | Client Secret |
| Issuer URL | Issuer |
| Authorize URL | Authorization endpoint |
| Token URL | Token endpoint |
| JWKS URL | JWKS endpoint |
| Userinfo URL | Userinfo endpoint |
- In Okta, set the Authentication type to Client secret.
- Click Save in Okta.
- Copy the Redirect URI generated by Okta after saving.
- In Dashboard, paste the Redirect URI into the Redirect URLs field in the integration configuration.
- Click Save.
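The copy steps above are where most setup mistakes occur, so the following is an added example (not part of the Incode or Okta documentation) that checks the copied values before you click Save. The function name `check_idp_config`, the dictionary layout, and all sample values are assumptions made for illustration; the field names follow the Okta column of the table above.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}
URL_FIELDS = ("Issuer", "Authorization endpoint", "Token endpoint",
              "JWKS endpoint", "Userinfo endpoint")

def check_idp_config(okta_fields, scopes, okta_redirect_uri, dashboard_redirect_urls):
    """Return a list of problems in the values copied between Dashboard and Okta."""
    problems = []
    for name in ("Client ID", "Client Secret") + URL_FIELDS:
        value = okta_fields.get(name, "")
        if not value.strip():
            problems.append(f"{name}: missing")
        elif value != value.strip():
            problems.append(f"{name}: stray whitespace from copy-paste")
        elif name in URL_FIELDS and urlsplit(value).scheme != "https":
            problems.append(f"{name}: not an https URL")
    missing = REQUIRED_SCOPES - set(scopes)
    if missing:
        problems.append("scopes: missing " + ", ".join(sorted(missing)))
    # Assumption of this example: redirect URIs are compared as exact strings.
    if okta_redirect_uri not in dashboard_redirect_urls:
        problems.append("Redirect URI: Okta value not listed in Dashboard Redirect URLs")
    return problems

# Constructed sample values (placeholders, not real Incode or Okta endpoints).
GOOD = {
    "Client ID": "example-client-id",
    "Client Secret": "example-client-secret",
    "Issuer": "https://idp.example.com",
    "Authorization endpoint": "https://idp.example.com/authorize",
    "Token endpoint": "https://idp.example.com/token",
    "JWKS endpoint": "https://idp.example.com/jwks",
    "Userinfo endpoint": "https://idp.example.com/userinfo",
}
OKTA_REDIRECT = "https://okta.example.com/callback"
# Same values with typical copy-paste mistakes.
BAD = dict(GOOD, **{"Token endpoint": "https://idp.example.com/token ",
                    "JWKS endpoint": "http://idp.example.com/jwks"})

if __name__ == "__main__":
    print(check_idp_config(GOOD, ["openid", "email", "profile"],
                           OKTA_REDIRECT, [OKTA_REDIRECT]))
    for p in check_idp_config(BAD, ["openid", "email"],
                              OKTA_REDIRECT, [OKTA_REDIRECT + "/"]):
        print(p)
```

An empty list means the values are internally consistent; it does not confirm that they match what Dashboard issued.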
Configure Policies in Okta Classic
Okta Classic uses a different policy structure than OIE. Rather than separate enrollment and authentication policies, Classic uses per-application sign-on policies to enforce MFA requirements.
- In the Okta Admin Console, go to Applications and open the application you want to protect with Incode verification.
- Open the Sign On tab.
- Under Sign On Policy, click Add Rule.
- Configure the rule:
  - Set the conditions to match the user group you want to require Incode verification for.
  - Under Access, set Multifactor Authentication to Required.
  - Ensure the Incode IDP factor is listed as an allowed factor.
- Click Save.
- Repeat for any additional applications you want to protect.
Note: In Okta Classic, sign-on policies are configured per application, not globally. You must add an Incode rule to each application you want to protect. If you manage many applications, consider using Okta Identity Engine (OIE) for centralized policy management.
Test the Integration
Sign in to one of the configured applications using a test user account in the enrolled group. The login flow should prompt for password followed by the Incode biometric verification step.
Confirm the following before rolling out to all users:
- The Incode authenticator appears as an MFA option after password entry.
- The user is redirected to an Incode verification session and can complete it on their mobile device.
- After successful verification, the user is granted access to the application.
- Failed verification blocks access and does not allow the user to proceed.
Warning: If the Incode factor does not appear, verify that the sign-on policy rule is applied to the correct user group and that the Incode IDP is listed as an allowed factor in the rule. Changes to Okta Classic policies take effect immediately but may require a fresh browser session to reflect for active users.
