Configure Custom Authenticator for Client Initiated Backchannel Authentication (CIBA) in Okta
Overview

Client Initiated Backchannel Authentication (CIBA) requires a "Consumption Device" (typically a mobile app) to approve login requests initiated by an "Instruction Device." To facilitate this, an administrator must configure a Custom Authenticator in Okta. This authenticator uses the Okta Devices SDK to send out-of-band push notifications to the user for authorization.

Applies To
  • Okta Identity Engine (OIE)
  • Client Initiated Backchannel Authentication (CIBA)
  • Okta Devices SDK
  • Custom Authenticator Apps
Cause

To deliver branded push notifications in the mobile app that authenticate the user, a Custom Authenticator must be defined that links the OIDC Web Application to the notification service (APNs or FCM) used by the customer's own mobile application.

Solution

To configure the Custom Authenticator for CIBA, complete the four parts below in order:


Part 1: Set up Notification Services

  1. In the Okta Admin Console, go to Security > Device Integrations.
  2. Click Notification Services.
  3. Click Add Notification Service and select FCM (Android) or APNs (iOS).
  4. Enter the required credentials (for example, Service Account JSON for FCM or .p8 Token Signing Key for APNs).
  5. Click Add.


Part 2: Create the Custom Authenticator

  1. Navigate to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Locate the Custom Authenticator tile and click Add.
  4. Define the Authenticator name (for example, "Company Secure Push").
  5. Under Add to existing application, select the Native App integration that represents the mobile app.
  6. Select the Notification Service from the dropdown.
  7. Click Add.


Part 3: Link Authenticator to the CIBA Web App

  1. Navigate to Applications > Applications and select the Web Application.
  2. On the General tab, click Edit in the Client Protocol section.
  3. Ensure Client Initiated Backchannel Authentication is selected under Allowed grant types.
  4. In the Preferred authenticator for CIBA dropdown, select the Custom Authenticator created in Part 2.
  5. Click Save.


Part 4: Enable Enrollment

  1. Go to Security > Authenticators and select the Enrollment tab.
  2. Edit the relevant enrollment policy.
  3. Set the new Custom Authenticator to Optional.
  4. Click Update Policy.
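Once the four parts are in place, the Web Application can use the CIBA grant selected in Part 3. The exchange from the OIDC client's side, as an added example that is not Okta's code and not part of the original article: send the backchannel authentication request, then poll the token endpoint while the user approves the push in the mobile app. It assumes the authorization server's `/.well-known/openid-configuration` exposes `backchannel_authentication_endpoint` and `token_endpoint` (standard CIBA Core metadata), and the `post` callable, client credentials and replies shown are constructed placeholders.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
RETRY_ERRORS = ("authorization_pending", "slow_down")  # user has not answered the push yet


def http_post_form(url, fields, client_id, client_secret):
    """Form-encoded POST with HTTP Basic client authentication; OAuth errors come back as 4xx JSON."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Authorization": f"Basic {cred}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def start_ciba(post, metadata, login_hint, scope="openid"):
    """Send the backchannel request; Okta then pushes to the Custom Authenticator on the user's phone.
    Returns (auth_req_id, expires_in, interval) from the CIBA Core acknowledgement."""
    reply = post(metadata["backchannel_authentication_endpoint"],
                 {"scope": scope, "login_hint": login_hint})
    if "auth_req_id" not in reply:
        raise RuntimeError(f"CIBA request rejected: {reply.get('error')}: {reply.get('error_description')}")
    return reply["auth_req_id"], int(reply["expires_in"]), int(reply.get("interval", 5))


def poll_token(post, metadata, auth_req_id, expires_in, interval, sleep=time.sleep):
    """Poll the token endpoint until the user approves or denies the push.
    authorization_pending keeps the interval; slow_down adds 5 s to it (CIBA Core);
    any other error (expired_token, access_denied, ...) is final; never poll past expires_in."""
    waited = 0
    while True:
        reply = post(metadata["token_endpoint"],
                     {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        if "access_token" in reply:
            return reply
        error = reply.get("error")
        if error not in RETRY_ERRORS:
            raise RuntimeError(f"CIBA authentication failed: {error}: {reply.get('error_description')}")
        if error == "slow_down":
            interval += 5
        if waited + interval > expires_in:
            raise TimeoutError("auth_req_id expired before the user responded to the push")
        sleep(interval)
        waited += interval
```

In a real client, `post` is `functools.partial(http_post_form, client_id=..., client_secret=...)` and `metadata` is the parsed discovery document; the `login_hint` value format is whatever the authorization server accepts for the user (assumed here to be the user's login).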
