Identity Provider Discovery
This is an Early Access feature. To enable it, please contact Okta Support.
When configured, Identity Provider Discovery redirects users to different identity providers based on specified criteria. These criteria include location, device, the app or app instance being accessed, the user's domain, and specific user attributes. For organizations that have more than one Okta org, the separate orgs can use separate identity providers and keep groups of users separate.
When Identity Provider Discovery is configured to select a provider based on the end user's domain or attributes, the end user sees a modified sign-in screen that accepts only the email, as shown below.
The sign in is evaluated against the set criteria and the user is redirected to the appropriate sign-in screen for the desired identity provider.
Identity Provider Discovery is useful in the following scenarios
Before using this feature, you must have an additional identity provider configured. For information on configuring an additional SAML identity provider, see Configure Inbound SAML. Identity Provider Discovery does not support Social Identity Providers.
To configure Identity Provider Discovery, navigate to Security > Identity Providers, and then click the Routing Rules heading. The default rule, which specifies Okta as the default identity provider, is shown. To add an additional provider, click the Add Routing Rule button. The screen shown below opens.
You must name the rule. In addition to the name there are four types of routing specifications. Note that all specified conditions must be met to trigger the rule. After defining the conditions, you specify the identity provider to use.
When done, click Create Rule. After you create a rule, the following prompt appears so that you can activate the rule.
Maintaining Routing Rules
The Routing Rules screen shows all rules, active and inactive.
To activate, edit, deactivate, or delete a rule, click the rule name, and then click an action button on the right. You cannot modify the default rule.
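The matching behavior described above (every specified condition must be met, inactive rules do not apply, and the default rule sends users to Okta) can be checked with a simplified model before rules are changed in production. This is an added example, not Okta's code or API: the field names, the top-to-bottom evaluation order, and the sample identity provider names and domains are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RoutingRule:
    name: str
    idp: str
    active: bool = True
    # A condition left as None is "not specified" and matches anything.
    network_zone: Optional[str] = None
    platform: Optional[str] = None
    app: Optional[str] = None
    domain: Optional[str] = None

    def matches(self, req: dict) -> bool:
        # Only the part after the last "@" is treated as the user's domain.
        user_domain = req["login"].rpartition("@")[2].lower()
        checks = [
            (self.network_zone, req["network_zone"]),
            (self.platform, req["platform"]),
            (self.app, req["app"]),
            (self.domain, user_domain),
        ]
        # Every specified condition must be met for the rule to trigger.
        return all(want is None or want == got for want, got in checks)


DEFAULT_RULE = RoutingRule(name="Default Rule", idp="Okta")


def select_idp(rules, req):
    """Return (rule name, IdP) for the first active rule whose conditions all match."""
    for rule in rules:
        if rule.active and rule.matches(req):
            return rule.name, rule.idp
    return DEFAULT_RULE.name, DEFAULT_RULE.idp


# Constructed sample rules (hypothetical names and domains).
RULES = [
    RoutingRule("Partner SAML", idp="PartnerIdP", domain="partner.example", platform="windows"),
    RoutingRule("Retired rule", idp="LegacyIdP", active=False, domain="legacy.example"),
]


def demo():
    base = {"network_zone": "office", "app": "wiki"}
    logins = [("ann@partner.example", "windows"), ("ann@partner.example", "ios"),
              ("bob@legacy.example", "windows")]
    return [select_idp(RULES, {**base, "login": l, "platform": p}) for l, p in logins]
```

In the second sample request the domain matches but the platform does not, so the user falls through to the default rule and signs in with Okta.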