<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Enforce Single Sign On Users to Select an Identity Provider
Oct 7, 2025
API Access Management
Overview

The purpose of this article is to enforce some single sign-on users to log in through Identity Providers (IdPs) using routing rules.

Applies To
  • Identity Providers (IdPs)
  • Single Sign On (SSO)
  • Routing rules
Cause

Prevent some users from SSO and allow them to only log in through IdPs after entering their username. 

  • For example, if Google and Yahoo IdP should be used for specific users with the example.com domain:
    •  When the user enters the username and then clicks next:

login page

    •  They should be routed to use one of the two IdPs:

IdP options

 

Solution

To enforce example.com users to sign in through IdPs even if they use SSO, configure the Google IdP routing rule in the Dashboard in Security > Identity Providers > Routing Rules to be like the following:

Google Routing Rules

Configure the Yahoo IdP routing rule in the Dashboard in Security > Identity Providers > Routing Rules to be like the following:

Yahoo Routing Rules

 

 

Recommended content

Still looking for help?
Loading
Enforce Single Sign On Users to Select an Identity Provider