Okta Walkthrough

This page demonstrates how to set up Okta to fully leverage authID's biometric authentication platform.

This page assumes you are using the Okta Identity Engine and have features such as Custom IdP Factor authentication enabled.

Authentication Scenarios

Below are a few common scenarios you may be solving for with the authID platform. Each section links to other parts of this page to help you assemble the solution that best suits your needs.

Protect All Critical Areas of Okta

Protect User Logins

Protect instance features and account/device recovery

  • Recommended Approach: Biometric/Passkey Multi-factor Authentication
  • Used When: you need certain functions protected with biometric controls, or you need stronger security around account and device management
  • Benefits:
    • Granular application of authentication factors
    • Secure account/device recovery and management
  • How to implement:

Video Walkthroughs

Add New Identity Provider

The following video demonstrates how to add the authID integration you created earlier to Okta.

<https://player.vimeo.com/video/790223827?h=3b7bc50022>

Configure Policies

The following video demonstrates how you can use the new identity provider in common authentication scenarios.

<https://player.vimeo.com/video/790223675?h=161f64774f>

Setup Steps

These steps are not ordered; use whichever ones your solution needs.

Add Identity Provider in SSO Only mode

Follow the steps below to add an identity provider that you will pair with a routing rule to protect user logins.

  1. Navigate to the Security > Identity Providers section of your dashboard and click the button labeled Add Identity Provider.
  2. Select the tile marked OpenID Connect.
  3. Specify a Name for the connection. Ensure that the IdP Usage field is set to SSO only. Next, use the saved values from your authID integration to fill out the Client ID and Client Secret fields.
  4. Fill out the Endpoints section with the following values from the authID OIDC server:
    • Issuer: <https://id.authid.ai/oidc/web>
    • Authorization Endpoint: <https://id.authid.ai/oidc/web/connect/authorize>
    • Token Endpoint: <https://id.authid.ai/oidc/web/connect/token>
    • JWKS Endpoint: <https://id.authid.ai/oidc/web/.well-known/jwks>
    • Userinfo Endpoint: <https://id.authid.ai/oidc/web/connect/userinfo>
  5. Finally, specify your preferred Authentication Settings and then JIT settings if applicable. Enable JIT provisioning only if you intend every identity that authID asserts to be able to create or link an Okta account. Save to create the Identity Provider.

CAUTION
Once the identity provider has been created, you must ensure that at least one value in the Login redirect Urls parameter of your authID integration exactly matches the Redirect URI that Okta generated for the identity provider. Treat this as an exact string comparison: a missing or extra trailing slash, or a different scheme, is a different URI. The Redirect URI can be found by clicking on the identity provider in the list.
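The script below is an added example, not code from authID or Okta. It checks the endpoint values from the previous step and the redirect-URI requirement above without touching the network: every endpoint must be HTTPS and sit under the configured Issuer, the configured values must agree with what the provider advertises in its OIDC discovery document (the standard location is the issuer plus `/.well-known/openid-configuration`, which `fetch_discovery()` retrieves when you want a live comparison), and Okta's Redirect URI must be an exact member of the integration's Login redirect URLs. `SAMPLE_DISCOVERY` is a constructed stand-in that mirrors the walkthrough values, and `example.okta.com` is a placeholder tenant; both are assumptions of this example.

```python
"""Offline sanity checks for the authID OIDC identity-provider settings entered into Okta.

Added example; not part of the authID or Okta documentation.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit
from urllib.request import urlopen

# Values exactly as listed in the walkthrough.
OKTA_IDP_SETTINGS: Dict[str, str] = {
    "issuer": "https://id.authid.ai/oidc/web",
    "authorization_endpoint": "https://id.authid.ai/oidc/web/connect/authorize",
    "token_endpoint": "https://id.authid.ai/oidc/web/connect/token",
    "jwks_uri": "https://id.authid.ai/oidc/web/.well-known/jwks",
    "userinfo_endpoint": "https://id.authid.ai/oidc/web/connect/userinfo",
}

# CONSTRUCTED discovery document that mirrors the walkthrough values so the
# script runs offline; the live document may carry extra keys, which are ignored.
SAMPLE_DISCOVERY: Dict[str, str] = dict(OKTA_IDP_SETTINGS)


def check_endpoints(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the endpoints are self-consistent."""
    problems: List[str] = []
    issuer = urlsplit(settings["issuer"])
    if issuer.scheme != "https":
        problems.append("issuer must use https")
    for key, url in settings.items():
        if key == "issuer":
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key}: not https ({url})")
        if parts.netloc != issuer.netloc:
            problems.append(f"{key}: host {parts.netloc!r} differs from the issuer host")
        if not parts.path.startswith(issuer.path.rstrip("/") + "/"):
            problems.append(f"{key}: path is not under the issuer path")
    return problems


def diff_against_discovery(settings: Dict[str, str], discovery: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each key whose configured value differs from the advertised one to (configured, advertised)."""
    return {k: (v, discovery.get(k, "")) for k, v in settings.items() if discovery.get(k) != v}


def fetch_discovery(issuer: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch the provider's discovery document (network call; not used by the offline checks)."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration", timeout=timeout) as resp:
        return json.load(resp)


def redirect_uri_registered(okta_redirect_uri: str, login_redirect_urls: List[str]) -> Tuple[bool, str]:
    """Exact-match check of Okta's Redirect URI against the integration's Login redirect URLs.

    Returns (True, "") on an exact match. Otherwise returns (False, hint); the hint names a
    registered value that differs only by case or a trailing slash, the usual typo.
    """
    if okta_redirect_uri in login_redirect_urls:
        return True, ""

    def norm(u: str) -> str:
        return u.rstrip("/").lower()

    for registered in login_redirect_urls:
        if norm(registered) == norm(okta_redirect_uri):
            return False, (f"near miss: {registered!r} differs only by case or trailing slash; "
                           "the registered value must match exactly")
    return False, "no registered login redirect URL matches"


if __name__ == "__main__":
    print("endpoint problems:", check_endpoints(OKTA_IDP_SETTINGS) or "none")
    print("discovery mismatches:", diff_against_discovery(OKTA_IDP_SETTINGS, SAMPLE_DISCOVERY) or "none")
    # example.okta.com is a placeholder tenant; the second list simulates a trailing-slash typo.
    print(redirect_uri_registered(
        "https://example.okta.com/oauth2/v1/authorize/callback",
        ["https://example.okta.com/oauth2/v1/authorize/callback/"],
    ))
```

Run it after saving the IdP and again whenever the integration's redirect list changes; a non-empty problem list or a "near miss" hint is exactly the kind of error that produces an opaque redirect error at sign-in time.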

Add Identity Provider in Factor Only mode

Follow the earlier sections to create an integration in authID, then use the same directions as for SSO only mode to create the identity provider, but edit the settings of the new IdP so that IdP Usage is set to Factor only. In Factor only mode the IdP acts purely as an additional authenticator for users who already exist in Okta; it is not a sign-in entry point.

Add Routing Rule

Routing rules direct users to a chosen identity provider when they meet the conditions you define. This lets you send a subset of the user population through the OIDC identity provider created above while everyone else continues to use Okta's own sign-in.

To begin,

  1. Navigate to the Security > Identity Providers section of your dashboard.
  2. Select the Routing Rules tab.
  3. Click Add Routing Rule to open the dialog for creating a rule.

Configure the rule as needed, but make sure the last section, labeled Use this identity provider, points to the identity provider created earlier. For example, a rule can route any user with an @example.com email address who attempts to access the app integration you created previously to the OIDC connection. Note that the identifier condition is evaluated against whatever the user types on the sign-in page, before any authentication has taken place, so the rule decides only where a user is sent; it does not by itself establish who they are.
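To make the rule semantics concrete, here is a small evaluator, added as an example and not Okta's or authID's code, that models how routing rules pick an identity provider: rules are tried in priority order, the first match wins, and anything unmatched falls through to the built-in default (Okta's own sign-in). The condition fields mirror the rule dialog (user identifier, application, network zone); the match-type names, the case-insensitive comparison, the `0oa_walkthrough_app` application id and the `authid-oidc` IdP name are this example's own assumptions. It also shows a pitfall worth testing in your tenant: a suffix pattern without the `@` also matches look-alike domains.

```python
"""Routing-rule evaluator modelled on Okta's IdP routing rules.

Added example; not Okta's or authID's code.  Match-type names and the
case-insensitive comparison are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DEFAULT_IDP = "OKTA"  # target of the built-in Default Rule when nothing else matches


@dataclass
class RoutingRule:
    name: str
    idp: str                                   # identity provider matching users are sent to
    # (match_type, value) pairs; an empty list means "any identifier"
    identifier_patterns: List[Tuple[str, str]] = field(default_factory=list)
    app_ids: Optional[Set[str]] = None         # None = any application
    zones: Optional[Set[str]] = None           # None = any network zone
    enabled: bool = True


def identifier_matches(match_type: str, value: str, identifier: str) -> bool:
    """Compare the identifier the user typed against one pattern (case-insensitive by assumption)."""
    ident, val = identifier.strip().lower(), value.lower()
    if match_type == "SUFFIX":
        return ident.endswith(val)
    if match_type == "CONTAINS":
        return val in ident
    if match_type == "EQUALS":
        return ident == val
    if match_type == "REGEX":
        return re.fullmatch(value, identifier.strip(), re.IGNORECASE) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def rule_matches(rule: RoutingRule, identifier: str, app_id: str, zone: str) -> bool:
    """A rule matches only when every configured condition is satisfied."""
    if not rule.enabled:
        return False
    if rule.app_ids is not None and app_id not in rule.app_ids:
        return False
    if rule.zones is not None and zone not in rule.zones:
        return False
    if rule.identifier_patterns and not any(
        identifier_matches(mt, v, identifier) for mt, v in rule.identifier_patterns
    ):
        return False
    return True


def route(rules: List[RoutingRule], identifier: str, app_id: str, zone: str = "ANYWHERE") -> str:
    """Return the IdP chosen for this sign-in attempt: first matching rule wins, else the default."""
    for rule in rules:
        if rule_matches(rule, identifier, app_id, zone):
            return rule.idp
    return DEFAULT_IDP


# The walkthrough's rule: @example.com users of one app integration go to the authID OIDC IdP.
# "0oa_walkthrough_app" and "authid-oidc" are placeholder identifiers.
RULES = [
    RoutingRule("authID for example.com", "authid-oidc",
                identifier_patterns=[("SUFFIX", "@example.com")],
                app_ids={"0oa_walkthrough_app"}),
]

if __name__ == "__main__":
    # CONSTRUCTED sign-in attempts.
    for ident, app in [("alice@example.com", "0oa_walkthrough_app"),
                       ("alice@example.com", "0oa_other_app"),
                       ("mallory@notexample.com", "0oa_walkthrough_app")]:
        print(f"{ident} -> {app}: {route(RULES, ident, app)}")
    # Pitfall: a suffix without the "@" also matches a look-alike domain.
    loose = [RoutingRule("loose suffix", "authid-oidc", identifier_patterns=[("SUFFIX", "example.com")])]
    print("loose rule, mallory@notexample.com:", route(loose, "mallory@notexample.com", "0oa_other_app"))
```

Before enabling JIT provisioning on the routed IdP, run your real rule set through cases like the look-alike domain above; the rule only chooses a destination, so a pattern that is wider than intended widens the set of identities the IdP is trusted to assert.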

Add Custom IdP Authenticator

  1. Next, add the Custom IdP Authenticator by navigating to Security > Authenticators and clicking Add Authenticator.
  2. Select IdP Authenticator from the dialog.
  3. Choose the IdP you created earlier from the dropdown and click Add.
  4. The new authenticator now appears in the list of available authenticators.

Testing Custom Authenticator

  1. When a user first accesses a resource or feature protected by the authID custom IdP authenticator, Okta prompts them to enroll the authenticator on their account.
  2. Depending on your integration configuration, the user is prompted to enroll a selfie, a passkey, or both. In this example the user is asked to enroll only a selfie.
  3. Once enrollment is complete, authentication proceeds and the user may continue the action that triggered the MFA challenge. On subsequent attempts at the same action, Okta prompts the user to verify their identity with this authenticator.

Set Authenticator Enrollment Policy

We recommend presenting enrollment options for the new authenticator type to users; enrollment policies control how and when this happens.

  1. Navigate to Security > Authenticators and click the Enrollment tab.
  2. You can either add a new policy or edit an existing one. In this example, edit the Default Policy and enable the IdP Authenticator as an eligible authenticator.
  3. Select the policy from the left-side list and click Edit.
  4. Find your authenticator and select the desired behavior from the dropdown.
  5. Click Update Policy to save the changes.
  6. You must add at least one rule to allow group members to enroll the authenticator.
  7. Click Add Rule below Eligible authenticators.
  8. Accept the default settings and click Create Rule. This allows anyone in the applicable group to enroll the authenticator. You can later add rules that exclude users by name, IP address, or other attributes.

Create Authentication Policy

Authentication policies control when and where the authenticators you configured are required.

To edit or add policies,

  1. Navigate to Security > Authentication Policies.
  2. Click an existing policy to edit it, or click Add a policy to create a new one.
  3. After creating a policy or clicking an existing one, you are redirected to the Rules tab. Every policy has a Catch-all Rule that applies when no other rule matches. Again, you can either edit this rule or add a new one by clicking Add Rule.
  4. First, specify a name and the conditions under which the rule is activated.
  5. For the outcome of a match, set the authentication behavior to any option except Password / IdP, since that option is satisfied by the password alone and would never require the biometric step. Under the Possession factor constraints section, uncheck the box marked Exclude phone and email authenticators. The IdP authenticator you configured earlier should now appear in the list of eligible authenticators.
  6. Set the frequency for re-authentication to an appropriate value and click Save.
  7. Next, specify the applications the rule applies to by navigating to the Applications tab of the policy details and clicking Add app.
  8. Select the applications you want the authentication policy to apply to, and then close the dialog. The apps should now be listed on the page.