Okta Authenticator (Preview/OIE)

This guide walks through setting up Incode as an OIDC-based Authenticator within an Okta Identity Engine (OIE) environment. The result is an Incode biometric factor that can be required in Okta Enrollment and Authentication Policies, functioning as MFA for any applications you choose to protect.

If your organization uses Okta Classic, see Okta Authenticator (Classic) instead.

Prerequisites

Before you begin, ensure you have:

• Access to the Integrations page in the Incode Dashboard. Contact your Incode Representative if you do not see the Integrations page.
• Completed the Okta IDP Integration prerequisites
• An Okta Identity Engine (OIE) instance
• An Okta administrator account with permissions to manage Identity Providers, Authenticators, and Authentication Policies
• Access to the Incode Omni Dashboard with the Integrations Ecosystem feature enabled

Set Up Guide

Step 1: Create an OIDC Identity Provider in Okta

1. Log in to your Okta Admin Console.
2. Navigate to Security > Identity Providers > Add Identity Provider.
3. Select OpenID Connect IDP.
4. Add a name for the IDP and set the mode to Factor Only.
5. Ensure the following scopes are included: email, openid, profile.

Step 2: Create the Okta IDP Integration in Incode

1. Log in to Dashboard.
2. In the left navigation, click Integrations.
3. Click New Integration.
4. From the IAM tab, click Okta IDP, then click Continue.
5. Enter a Name for this integration. This name appears in analytics and identifies verifications completed through this integration.
6. Use the drop-down to Select a Workflow for this Integration.
7. Copy the following seven values to the corresponding fields in your Okta OIDC IDP configuration:
   • Client ID
   • Client Secret
   • Issuer URL
   • Authorize URL
   • Token URL
   • JWKS URL
   • Userinfo URL
8. In another tab or window, open Okta. Set the Authentication type to Client secret.
9. Save the IDP configuration in Okta.
10. Copy the Redirect URI generated by Okta after saving.
11. Back in the Dashboard, paste the Redirect URI from Okta into the Redirect URLS field in the integration configuration.
12. Review your settings and click Save.

Step 3: Create an Okta Authenticator Using the IDP

1. In the Okta Admin Console, navigate to Security > Authenticators > Add Authenticator.
2. Select IDP Authenticator from the list of available authenticator types.
3. Select the Incode IDP you created in Step 1.
4. Set the authenticator name to Incode and upload the Incode logo.
5. Save the authenticator. It is now available for use in enrollment and authentication policies.

📘

Note: Okta automatically adds new IDP authenticators as optional to the default policy. If this is not desired for your organization, disable this in the default policy after saving.

Step 4: Create an Enrollment Policy

Enrollment policies control which users are required to enroll with the Incode authenticator. Okta checks enrollment policy compliance at account creation and at every login.

1. In the Authenticators menu, navigate to the Enrollment tab and select Add a Policy.
2. Add a name and description.
3. Assign the Okta user group you want to require Incode verification for.
4. Set both Password and Incode as Required, along with any other MFA methods your organization uses.
5. Save the policy.

Step 5: Create an Authentication Policy

Authentication policies determine when the Incode authenticator is required during login.

1. Navigate to Security > Authentication Policies > Add a Policy.
2. Add a name and description.
3. Add a rule and configure it:
   • Assign the user group you created for Incode verification.
   • Set the authentication requirement to Password / IDP + Another Factor.
   • Select Allow specific authentication methods and add Incode and Password.
4. Save the rule.
5. Navigate to Applications and assign the applications this policy should apply to.

Step 6: Test

Incode recommends testing the login process for the selected applications to confirm the authentication policy works as expected before rolling it out to all users.