Social Identity Provider settings

When you are setting up your social Identity Provider (IdP) in Okta, there are a number of settings that allow you to finely control the social sign-in behavior. While the provider-specific instructions show one possible configuration, this section explains each of these in more detail so that you can choose the right configuration for your use case.

Authentication settings

IdP Username: The expression (written in the Okta Expression Language) that is used to convert an IdP attribute to the Application User's username. This IdP username is used for matching an Application User to an Okta User through the oidc_idp profile.

You can enter an expression to reformat the value, if desired. For example, if the social username is john.doe@mycompany.com, you could specify the replacement of mycompany with endpointA.mycompany to make the transformed username john.doe@endpointA.mycompany.com. See Okta Expression Language.

Match against — The Okta user property against which the IdP username is compared to determine if an account link needs to be established. If an existing account link is found, no comparison is performed.

Note: See Account Linking for more information on how account linking works.

Account Link Policy — Determines whether your Application User should be linked to an Okta user.

  • Automatic — Link user accounts automatically according to the Auto-Link Restrictions and Match against settings.
  • Disabled — Don't link existing user accounts. The sign-in request fails unless the user is already linked.

Auto-Link Restrictions — Allows you to restrict auto-linking to members of specified groups.

Provisioning Policy — Determines whether just-in-time provisioning of users should be automatic or disabled.

JIT settings

Profile Master — If selected, the social Identity Provider is the source of truth for a user's profile attributes. This means that the next time the user signs in using the social Identity Provider, Okta updates the user profile attributes for this user. If a user is assigned multiple applications with profile mastering enabled, a prioritization in Directory > Profile Masters decides whether this provider is the profile master for the user's attributes. See Attribute-level mastering.

Group Assignments — Allows you to assign new users to one or more existing Groups. For example, new Facebook users could be added to a "Facebook" Group.
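
To review these settings on an existing social IdP, the following added example (not part of the original page or Okta's own code) reads an IdP `policy` object and maps its fields to the setting names used above. The JSON field names and enum values are assumed to follow the Okta Identity Providers API; the sample policy and the group ID are constructed placeholders.

```python
import json

# Constructed sample: a social IdP "policy" object in the shape assumed for the
# Okta Identity Providers API. The group ID is a placeholder, not a real ID.
SAMPLE_POLICY = json.loads("""
{
  "subject": {"userNameTemplate": {"template": "idpuser.email"},
              "matchType": "EMAIL"},
  "accountLink": {"action": "AUTO", "filter": null},
  "provisioning": {"action": "AUTO", "profileMaster": true,
                   "groups": {"action": "ASSIGN",
                              "assignments": ["00g-PLACEHOLDER-facebook"]}}
}
""")

def summarize(policy):
    """Map assumed API fields to the setting names used on this page."""
    subject = policy.get("subject") or {}
    link = policy.get("accountLink") or {}
    prov = policy.get("provisioning") or {}
    groups = prov.get("groups") or {}
    link_filter = (link.get("filter") or {}).get("groups") or {}
    assigned = groups.get("assignments") if groups.get("action") == "ASSIGN" else None
    return {
        "IdP Username": (subject.get("userNameTemplate") or {}).get("template"),
        "Match against": subject.get("matchType"),
        "Account Link Policy": link.get("action"),
        "Auto-Link Restrictions": link_filter.get("include") or [],
        "Provisioning Policy": prov.get("action"),
        "Profile Master": bool(prov.get("profileMaster")),
        "Group Assignments": assigned or [],
    }

def review(policy):
    """Return plain-language notes on what the settings mean at sign-in."""
    s = summarize(policy)
    notes = []
    if s["Account Link Policy"] == "AUTO" and not s["Auto-Link Restrictions"]:
        notes.append("auto-link is not restricted to any group; it applies to any "
                     "Okta user matched on " + str(s["Match against"]))
    if s["Account Link Policy"] == "DISABLED":
        notes.append("sign-in fails unless the user is already linked")
    if s["Profile Master"]:
        notes.append("IdP is the source of truth; Okta updates profile "
                     "attributes at the next social sign-in")
    return notes

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_POLICY).items():
        print(f"{name}: {value}")
    for note in review(SAMPLE_POLICY):
        print("note:", note)
```
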

Error codes

See the OpenID Connect and Okta Social Authentication section of the Error codes API documentation.