Okta Authenticator (Preview/OIE)
This page describes how to set up Incode as an OIDC-based Authenticator within an Okta Identity Engine (OIE) environment. The result is an Incode biometric factor that can be required in Okta Enrollment and Authentication Policies, functioning as MFA for any applications you choose to protect.
If your organization uses Okta Classic, use the separate steps for Okta Authenticator (Classic) instead.
Prerequisites
Ensure you have the following before you begin:
- Access to the Integrations page in Dashboard. Contact your Incode Representative if you do not see it.
- Okta IDP Integration prerequisites complete.
- An Okta Identity Engine (OIE) instance.
- An Okta administrator account with permissions to manage Identity Providers, Authenticators, and Authentication Policies.
- Access to the Incode Omni Dashboard with the Integrations Ecosystem feature enabled.
Set Up Okta IDP Integration for Preview/OIE
Create an OIDC Identity Provider in Okta
- Log in to your Okta Admin Console.
- Go to Security > Identity Providers > Add Identity Provider.
- Select OpenID Connect IDP.
- Add a name for the IDP and set the mode to Factor Only.
- Ensure the following scopes are included: email, openid, and profile.
Create the Integration in Dashboard
- Log in to Dashboard.
- In the left menu, click Integrations.
- Click New Integration.
- From the IAM tab, click Okta IDP, then click Continue.
- Enter a Name for this integration. This name appears in analytics and identifies verifications completed through this integration.
- Select a Workflow for this Integration from the drop-down.
- Copy the following values to the corresponding fields in your Okta OIDC IDP configuration:
- Client ID
- Client Secret
- Issuer URL
- Authorize URL
- Token URL
- JWKS URL
- Userinfo URL
- In another tab or window, open Okta. Set the Authentication type to Client secret.
- Click Save in Okta.
- Copy the Redirect URI generated by Okta after saving.
- Back in Dashboard, paste the Redirect URI from Okta into the Redirect URLS field in the integration configuration.
- Review your settings and click Save.
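Because a typo in any of the seven copied values only surfaces later as a failed factor challenge, it is worth sanity-checking them before clicking Save. The script below is an added example, not Incode's or Okta's own code: it takes the values listed above (client ID, client secret, the five endpoint URLs, the scopes and the Redirect URI pasted back from Okta) and reports anything that would make Okta reject the IDP or the ID token. The field names, the sample URLs (placeholders, not real Incode endpoints) and the "endpoints share the issuer's host" rule are assumptions; that last one is therefore reported as a warning rather than an error.

```python
"""Pre-save sanity check for the OIDC values copied from Dashboard into Okta.

Added example; not Incode's or Okta's code. Field names mirror the values
listed on this page. Sample configurations are constructed and the URLs
are placeholders, not real Incode endpoints.
"""
from urllib.parse import urlsplit

# Scopes the page says the Okta OIDC IDP must include.
REQUIRED_SCOPES = {"openid", "email", "profile"}
# The five endpoint URLs copied from Dashboard into the Okta IDP form.
URL_FIELDS = ("issuer_url", "authorize_url", "token_url", "jwks_url", "userinfo_url")


def _https_url(value):
    """True if value is an absolute https URL with a host and no fragment."""
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def check_idp_config(cfg):
    """Return (errors, warnings) for an Okta OIDC IDP configuration dict.

    errors:   values Okta will reject or that break the factor flow.
    warnings: assumption-based consistency hints (issuer host mismatch).
    """
    errors, warnings = [], []

    # Authentication type = Client secret needs both credentials present.
    for field in ("client_id", "client_secret"):
        if not cfg.get(field, "").strip():
            errors.append(f"{field} is empty")

    # Every endpoint must be https: authorization codes, tokens and userinfo travel over them.
    for field in URL_FIELDS:
        value = cfg.get(field, "")
        if not _https_url(value):
            errors.append(f"{field} is not an https URL: {value!r}")

    # Scopes may be entered comma- or space-separated in the Okta UI.
    scopes = {s for s in cfg.get("scopes", "").replace(",", " ").split()}
    missing = REQUIRED_SCOPES - scopes
    if missing:
        errors.append("missing scopes: " + ", ".join(sorted(missing)))

    # Okta generates the Redirect URI on Save; it must be pasted back into Dashboard.
    redirect = cfg.get("redirect_uri", "")
    if not redirect:
        errors.append("redirect_uri is empty (copy it from Okta after saving the IDP)")
    elif not _https_url(redirect):
        errors.append(f"redirect_uri is not an https URL: {redirect!r}")

    # Okta compares the issuer string against the id_token 'iss' claim exactly,
    # so a query string here can never match.
    issuer = urlsplit(cfg.get("issuer_url", ""))
    if issuer.query:
        errors.append("issuer_url must not contain a query string")

    # Assumption: all endpoints live on the issuer's host. Reported as a warning only.
    for field in URL_FIELDS[1:]:
        host = urlsplit(cfg.get(field, "")).netloc
        if host and issuer.netloc and host != issuer.netloc:
            warnings.append(f"{field} host {host!r} differs from issuer host {issuer.netloc!r}")

    return errors, warnings


# Constructed sample: a configuration that should pass.
SAMPLE_OK = {
    "client_id": "example-client-id",          # placeholder
    "client_secret": "example-client-secret",  # placeholder
    "issuer_url": "https://idp.example.invalid",
    "authorize_url": "https://idp.example.invalid/oauth2/authorize",
    "token_url": "https://idp.example.invalid/oauth2/token",
    "jwks_url": "https://idp.example.invalid/oauth2/jwks",
    "userinfo_url": "https://idp.example.invalid/oauth2/userinfo",
    "scopes": "openid, email, profile",
    "redirect_uri": "https://example.okta.com/oauth2/v1/authorize/callback",  # placeholder org
}

# Constructed sample with typical mistakes: plain-http token URL, a missing
# scope, an empty Redirect URI and a userinfo endpoint on another host.
SAMPLE_BAD = dict(
    SAMPLE_OK,
    token_url="http://idp.example.invalid/oauth2/token",
    scopes="openid email",
    redirect_uri="",
    userinfo_url="https://other.example.invalid/oauth2/userinfo",
)

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, warns = check_idp_config(cfg)
        print(label, "errors:", errs, "warnings:", warns)
```

Run it against a dict built from the values shown in Dashboard; an empty error list means the values are safe to paste into Okta, and the warning list flags anything that merely looks unusual.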
Create an Okta Authenticator
- In the Okta Admin Console, go to Security > Authenticators > Add Authenticator.
- Select IDP Authenticator from the list of available authenticator types.
- Select the Incode IDP you created in the first set of steps.
- Set the authenticator name to Incode and upload the Incode logo.
- Click Save. The authenticator is now available for use in enrollment and authentication policies.
Note: Okta automatically adds new IDP authenticators as optional to the default policy. If this is not desired for your organization, disable this in the default policy after saving.
Create an Enrollment Policy
Enrollment policies control which users are required to enroll with the Incode authenticator. Okta checks enrollment policy compliance at account creation and every login.
- In the Authenticators menu, go to the Enrollment tab and select Add a Policy.
- Enter a name and description.
- Assign the Okta user group you want to require Incode verification for.
- Set both Password and Incode as Required, along with any other MFA methods your organization uses.
- Click Save.
Create an Authentication Policy
Authentication policies determine when the Incode authenticator is required during login.
- Go to Security > Authentication Policies > Add a Policy.
- Enter a name and description.
- Add a rule and configure it:
- Assign the user group you created for Incode verification.
- Set the authentication requirement to Password / IDP + Another Factor.
- Select Allow specific authentication methods and add Incode and Password.
- Click Save.
- Go to Applications and assign the applications this policy should apply to.
Test the Integration
Incode recommends testing the login process for the selected applications to confirm the authentication policy works as expected before rolling it out to all users.
