Identity Provider Config
The OpenID Connect IdP configuration allows enrolled users to authenticate with Keyless to get access to their Okta portal or Okta enabled apps.
In your Admin dashboard, go to "Security" on the top menu and click "Identity Providers":
Click "Add Identity Provider" and select "Add OpenID Connect IdP".
Configure the following settings.
General Settings
Name: Keyless
Client ID: an ID of your choice, which will need to be provided to Keyless
Client Secret: a secret of your choice, which will need to be provided to Keyless
Scopes: email, openid, profile
Endpoints, supplied to you by Keyless (the right-hand value is the corresponding field of the OpenID Connect discovery document):
Issuer: issuer
Authentication Endpoint: authorization_endpoint
Token Endpoint: token_endpoint
JWKS Endpoint: jwks_uri
User Info Endpoint: userinfo_endpoint
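Before typing the endpoint values into Okta, it is worth confirming that they agree with the issuer's discovery document, are all HTTPS, and live on the issuer's host. The following pre-flight check is an added example, not part of the Keyless or Okta documentation; the discovery document and host names are constructed placeholders (in practice the document is fetched from <issuer>/.well-known/openid-configuration).

```python
from urllib.parse import urlparse

# Okta IdP form field -> OpenID Connect discovery document key
FIELD_TO_KEY = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS Endpoint": "jwks_uri",
    "User Info Endpoint": "userinfo_endpoint",
}

def check_endpoints(configured: dict, discovery: dict) -> list:
    """Compare form values against the discovery document.

    Returns a list of findings; an empty list means every value is HTTPS,
    is hosted on the issuer's host, and matches the discovery document.
    """
    findings = []
    issuer_host = urlparse(configured.get("Issuer", "")).netloc
    for field, key in FIELD_TO_KEY.items():
        value = configured.get(field)
        if not value:
            findings.append(f"{field}: missing")
            continue
        url = urlparse(value)
        if url.scheme != "https":
            findings.append(f"{field}: not https ({value})")
        if url.netloc != issuer_host:
            findings.append(f"{field}: host {url.netloc!r} differs from issuer host {issuer_host!r}")
        if key not in discovery:
            findings.append(f"{field}: {key} absent from discovery document")
        elif discovery[key] != value:
            findings.append(f"{field}: {value} != discovery {key} {discovery[key]}")
    return findings

# Constructed sample discovery document (placeholder host, not a real Keyless endpoint)
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
}

# Values as they would be typed into the Okta form; BAD_CONFIG has a plain-http token endpoint
GOOD_CONFIG = {field: SAMPLE_DISCOVERY[key] for field, key in FIELD_TO_KEY.items()}
BAD_CONFIG = dict(GOOD_CONFIG, **{"Token Endpoint": "http://idp.example.com/oauth2/token"})

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_endpoints(cfg, SAMPLE_DISCOVERY) or ["ok"])
```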
Advanced Settings
IdP Username: idpuser.externalId
Match Against: Okta Username
Account Link Policy: Automatic
Auto-Link Restrictions: None
If no match is found: Create New User (JIT)
Profile Source: checked
Group Assignments: None
If you do not want to assign users to a specific group through JIT (Just in Time) provisioning, select "Redirect to sign-in page" under "If no match is found". This blocks the use of Keyless authentication as a profile master, leaving the Okta account system to manage users' membership of the org.
Click "Update Identity Provider". On the Identity Providers page, expand the provider's information view and take note of the IdP ID and Redirect URI.
Provide Keyless with the following through a secure channel:
Client ID and Client Secret of the Account Linking app.
Client ID and Client Secret of the Identity Provider.
IdP ID and Redirect URI of the Identity Provider.
Under "Identity Providers" go to "Routing Rules" to configure which users and groups will have access to the Keyless Identity Provider and will use Keyless as their authentication method.
Make sure that the Keyless Account Linking application is configured to use the default Okta identity provider (as the first rule) so that users will be able to link their account properly.