Create an Identity Provider in Okta

To connect your org to the Identity Provider, add and configure that Identity Provider in Okta.

1. From the Developer Console, hover over Users and then select Social & Identity Providers from the menu that appears. If you are using the Admin Console (Classic UI), hover over Security and then select Identity Providers.

Note: See the Identity Providers API for request and response examples of creating an Identity Provider in Okta using the API.

2. Select Add Identity Provider and then select the appropriate Identity Provider.

3. In the Add an Identity Provider dialog box, define the following:

   • Apple
   • Azure AD
   • Facebook
   • Google
   • LinkedIn
   • Microsoft
   • Okta-to-Okta
   • OpenID Connect
   • SAML 2.0

   In the General Settings section:

   • Name — Enter a name for the Identity Provider configuration.

   • Client Id — Paste the client ID that you obtained from the Okta org that represents the Identity Provider in the previous section.

   • Client Secret — Paste the secret that you obtained in the previous section.

   • Scopes — Leave the defaults. These scopes are included when your Okta org makes a request to the other Okta org that represents the Identity Provider.

     By default, Okta requires the email attribute for a user. The email scope is required to create and link the user to Okta's Universal Directory.

   In the Endpoints section:

   Add the following endpoint URLs for the Okta Identity Provider that you are configuring. In the Okta org that represents the Identity Provider, you can find the endpoints in the well-known configuration document (for example, https://{theOktaIdPOrg}/.well-known/openid-configuration.

   • Issuer — The identifier of the Okta Identity Provider. For example, the Okta org where you created the Identity Provider app: https://
   • Authorization endpoint — The URL of the Okta Identity Provider's OAuth 2.0 authorization endpoint. For example: https://{theOktaIdPOrg}/oauth2/v1/authorize
   • Token endpoint — The URL of the Okta Identity Provider's token endpoint for obtaining access and ID tokens. For example: https://{theOktaIdPOrg}/oauth2/v1/token
   • JWKS endpoint — The URL of the Okta Identity Provider's JSON Web Key Set document. This document contains signing keys that are used to validate the signatures from the provider. For example: https://{theOktaIdPOrg}/oauth2/v1/keys
   • Userinfo endpoint — The endpoint for getting identity information about the user. For example: https://{theOktaIdPOrg}/oauth2/v1/userinfo

4. Click Add Identity Provider. The Identity Providers page appears.

5. Locate the Identity Provider that you just added and click the arrow next to the Identity Provider name to expand.

   • Apple
   • Azure AD
   • Facebook
   • Google
   • LinkedIn
   • Microsoft
   • Okta-to-Okta
   • OpenID Connect
   • SAML 2.0

   Copy both the Authorize URL and the Redirect URI. Paste into a text editor for use in upcoming steps.

Attribute Mapping

When a user first signs in to Okta using an OpenID Connect Identity Provider, their Identity Provider user profile is mapped to an Okta Universal Directory profile using Just-In-Time provisioning. This user account creation and linking includes default mappings that are based on standard claims defined by the OpenID Connect specification.

To view and modify the mappings, access the Identity Provider that you created by selecting Social & Identity Providers from the Users menu. Click Configure for the Identity Provider and select Edit Mappings.

If there are attributes that don't exist in your org's Universal Directory, but are a part of the user's Identity Provider profile, add the attributes by editing the Identity Provider user profile in your org.

See Manage User Profiles for more information on custom attributes.

Next: Register an App in Okta