Okta Authenticator (Classic)

This guide covers setting up Incode as an OIDC-based authenticator in an Okta Classic environment. If your organization uses Okta Identity Engine (OIE), follow the Okta Authenticator (Preview/OIE) guide instead.

Prerequisites

  • Access to the Integrations page in the Incode Dashboard. Contact your Incode representative if you do not see the Integrations page.
  • Completed the Okta IDP integration prerequisites
  • An Okta Classic instance
  • An Okta administrator account with permissions to manage Identity Providers and Policies

Set up guide

Step 1: Create an OIDC Identity Provider in Okta

  1. Log in to your Okta Admin Console.
  2. Navigate to Security > Identity Providers > Add Identity Provider.
  3. Select OpenID Connect.
  4. Configure the IDP with a name and set the mode to Factor Only.
  5. Ensure the following scopes are included: email, openid, profile.

Do not save yet — you will need values from the Incode Dashboard in Step 2 to complete this configuration.

Step 2: Create the Okta IDP integration in Incode

Note: This step requires copying values between the Incode Dashboard and your Okta Admin Console. Keep both tabs open simultaneously before proceeding.

  1. Log in to the Incode Dashboard.
  2. In the left navigation, click Integrations.
  3. Click New integration.
  4. From the IAM tab, select Okta IDP, then click Continue.
  5. Enter a Name for this integration. This name appears in analytics and identifies verifications completed through this integration.
  6. Use the dropdown to Select a Workflow for this integration.
  7. Copy the following seven values from the Incode Dashboard into the corresponding fields in your Okta OIDC IDP configuration:

     Incode Dashboard field    Okta field
     Client ID                 Client ID
     Client Secret             Client Secret
     Issuer URL                Issuer
     Authorize URL             Authorization endpoint
     Token URL                 Token endpoint
     JWKS URL                  JWKS endpoint
     Userinfo URL              Userinfo endpoint

  8. In Okta, set the Authentication type to Client secret.
  9. Save the IDP configuration in Okta.
  10. Copy the Redirect URI generated by Okta after saving.
  11. Back in the Incode Dashboard, paste the Redirect URI into the Redirect URLs field in the integration configuration.
  12. Click Save.
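
A pre-flight check for the seven values copied in this step and the scopes from Step 1, as an added example that is not part of Incode's or Okta's own tooling. The function name check_idp_values, the sample hosts and the sample credentials are constructed for illustration; the https, whitespace and issuer checks are general OIDC hygiene assumed here, not requirements stated in this guide.

```python
from urllib.parse import urlsplit

# Incode Dashboard field -> Okta field, as listed in the table in Step 2.
FIELD_MAP = {
    "Client ID": "Client ID",
    "Client Secret": "Client Secret",
    "Issuer URL": "Issuer",
    "Authorize URL": "Authorization endpoint",
    "Token URL": "Token endpoint",
    "JWKS URL": "JWKS endpoint",
    "Userinfo URL": "Userinfo endpoint",
}
REQUIRED_SCOPES = {"email", "openid", "profile"}  # from Step 1

def check_idp_values(incode_values, scopes):
    """Return (okta_fields, problems) for values copied from the Incode Dashboard."""
    okta_fields, problems = {}, []
    for incode_name, okta_name in FIELD_MAP.items():
        value = incode_values.get(incode_name, "")
        if not value:
            problems.append(f"{incode_name}: missing")
            continue
        if value != value.strip():
            problems.append(f"{incode_name}: leading or trailing whitespace")
        if incode_name.endswith("URL"):
            url = urlsplit(value.strip())
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{incode_name}: not an absolute https URL")
            # OIDC issuer identifiers carry no query or fragment component.
            if incode_name == "Issuer URL" and (url.query or url.fragment):
                problems.append("Issuer URL: contains a query or fragment")
        okta_fields[okta_name] = value.strip()
    missing = REQUIRED_SCOPES - set(scopes)
    if missing:
        problems.append("scopes missing: " + ", ".join(sorted(missing)))
    return okta_fields, problems

# Constructed sample values; the hosts and credentials are placeholders.
SAMPLE = {
    "Client ID": "example-client-id",
    "Client Secret": "example-client-secret",
    "Issuer URL": "https://idp.example.com/oidc",
    "Authorize URL": "https://idp.example.com/oidc/authorize",
    "Token URL": "https://idp.example.com/oidc/token ",  # stray trailing space
    "JWKS URL": "http://idp.example.com/oidc/jwks",      # http, not https
}                                                        # Userinfo URL left out

_, PROBLEMS = check_idp_values(SAMPLE, ["openid", "email"])  # "profile" omitted
print("\n".join(PROBLEMS))
```

An empty problems list means all seven fields are present and well-formed; it does not confirm that the values match what the Incode Dashboard actually issued.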

Step 3: Configure policies in Okta Classic

Okta Classic uses a different policy structure than OIE. Rather than separate enrollment and authentication policies, Classic uses per-application sign-on policies to enforce MFA requirements.

  1. In the Okta Admin Console, navigate to Applications and open the application you want to protect with Incode verification.
  2. Open the Sign On tab.
  3. Under Sign On Policy, click Add Rule.
  4. Configure the rule:
    • Set the conditions to match the user group you want to require Incode verification for
    • Under Access, set Multifactor Authentication to Required
    • Ensure the Incode IDP factor is listed as an allowed factor
  5. Save the rule.
  6. Repeat for any additional applications you want to protect.

Note: In Okta Classic, sign-on policies are configured per application, not globally. You must add an Incode rule to each application you want to protect. If you manage many applications, consider using Okta Identity Engine (OIE) for centralized policy management.

Step 4: Test

Sign in to one of the configured applications using a test user account in the enrolled group. The login flow should prompt for password followed by the Incode biometric verification step.

Confirm the following before rolling out to all users:

  • The Incode authenticator appears as an MFA option after password entry
  • The user is redirected to an Incode verification session and can complete it on their mobile device
  • After successful verification, the user is granted access to the application
  • Failed verification blocks access and does not allow the user to proceed

If the Incode factor does not appear

Verify that the sign-on policy rule is applied to the correct user group and that the Incode IDP is listed as an allowed factor in the rule. Changes to Okta Classic policies take effect immediately, but active users may need to start a fresh browser session before the change is reflected.
