---
icon: key
label: Okta Integration
order: 100
---

# Okta Integration with VerifEye

This guide walks you through setting up VerifEye as a generic OpenID Connect (OIDC) provider in Okta, enabling you to use VerifEye's biometric verification as an authentication factor in your Okta-managed applications.

---

## Prerequisites

Before configuring Okta, ensure you have:
- Admin access to your Okta organization
- A VerifEye account and API key, and a verification configuration set up for OIDC integration (see below)
- Understanding of the OpenID Connect flow

---

## Configuring the VerifEye Verification

To integrate VerifEye with Okta, you need to create a VerifEye verification configuration that will be used as the OIDC provider.

You can create a new verification configuration in the [VerifEye Developer Console](https://verifeye-console.realeyes.ai/) under **Verification Configurations**, using the settings in the steps below. Make sure to note the configuration ID and API key, as you will need these for the Okta setup.

### 1. Basic Settings
When creating the [verification configuration](/redirect/verification-configurations/), set the following basic settings:

| Field | Value |
|-------|--------|
| **Name** | Okta OIDC Verification |
| **Passed URL** | The OpenID Connect `verify-result` endpoint for your VerifEye region, for example for the EU region: `https://verifeye-oidc-eu.realeyes.ai/v1/openid/verify-result` |
| **Failed URL** | The OpenID Connect `verify-result` endpoint for your VerifEye region, for example for the EU region: `https://verifeye-oidc-eu.realeyes.ai/v1/openid/verify-result` |

### 2. Verifier Configuration
For the OIDC integration, you must configure the verification configuration to include the following settings:
- Face Recognition
    - **Unique Match Verification**: one person can be registered only once in the system. If the same person tries to register again with a different identifier (email address), the verification will fail.
    - **Match Verification**: one person can be registered multiple times in the system. If the same person tries to register again with a different identifier (email address), the verification will pass.

Additionally, you can configure other settings such as liveness detection, age or gender verification.

### 3. Advanced Settings
For the OIDC integration, you must also configure the following advanced settings:
- **Include Signature**: enabled
- **Include Verification Result**: enabled
- **Include Custom Input Parameters**: enabled
- **Force Signed Input**: enabled

## Adding VerifEye as Generic OIDC Provider

### 1. Create New Identity Provider

1. Navigate to **Security > Identity Providers** in your Okta Admin Console
2. Click **Add Identity Provider**
3. Select **Add OpenID Connect IdP**

### 2. Configure Provider Settings

Configure the following basic settings:

| Field | Value |
|-------|--------|
| **Name** | VerifEye OIDC |
| **Client ID** | Your VerifEye verification configuration ID. For example, if your verification URL is `https://verifeye-service-eu.realeyes.ai/verification/e4fc930b-d780-47e3-ae4c-0d5d2f22e54e`, the ID is the last part of the URL: **e4fc930b-d780-47e3-ae4c-0d5d2f22e54e** |
| **Client Secret** | Your VerifEye API Key, which can be found in the VerifEye Console under **Settings > Account Information** |
| **Scopes** | `openid email` |
| **IdP Usage** | `Factor only` |

### 3. Configure the Endpoints

Set the OpenID Connect endpoints depending on your VerifEye region, for example for the EU region:

| Field | Value |
|-------|--------|
| **Issuer URL** | `https://verifeye-oidc-eu.realeyes.ai` |
| **Authorization URL** | `https://verifeye-oidc-eu.realeyes.ai/v1/openid/authorize` |
| **Token URL** | `https://verifeye-oidc-eu.realeyes.ai/v1/openid/token` |
| **JWKS URL** | `https://verifeye-oidc-eu.realeyes.ai/v1/openid/jwks` |

![okta-idp.png](okta-idp.png)
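
The values from the tables above can be cross-checked before you save the identity provider, which catches mixed-region endpoints and a mistyped Client ID early. This is an added example, not part of VerifEye's or Okta's tooling; the dictionary keys and function names are hypothetical, and it assumes other regions use the same paths as the EU endpoints shown on this page.

```python
import re
from urllib.parse import urlsplit

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Paths taken from the EU examples on this page (assumed identical in other regions).
EXPECTED_PATHS = {
    "authorization_url": "/v1/openid/authorize",
    "token_url": "/v1/openid/token",
    "jwks_url": "/v1/openid/jwks",
    "passed_url": "/v1/openid/verify-result",
    "failed_url": "/v1/openid/verify-result",
}

def client_id_from_verification_url(url):
    """Return the configuration ID, the last path segment of the verification URL."""
    last = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1].lower()
    if not UUID_RE.match(last):
        raise ValueError("verification URL does not end in a configuration ID")
    return last

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port)

def check_settings(s):
    """Return a list of problems in the entered values (hypothetical dict keys)."""
    problems = []
    issuer = origin(s["issuer"])
    if issuer[0] != "https" or not issuer[1]:
        problems.append("issuer: must be an https URL")
    for key, path in EXPECTED_PATHS.items():
        if origin(s[key]) != issuer:
            problems.append(f"{key}: host differs from issuer (mixed regions?)")
        if urlsplit(s[key]).path != path:
            problems.append(f"{key}: expected path {path}")
    if s["client_id"] != client_id_from_verification_url(s["verification_url"]):
        problems.append("client_id: does not match the verification URL")
    if set(s["scopes"].split()) != {"openid", "email"}:
        problems.append("scopes: expected 'openid email'")
    return problems

# Constructed sample input built from the EU values shown on this page.
BASE = "https://verifeye-oidc-eu.realeyes.ai"
CONFIG_ID = "e4fc930b-d780-47e3-ae4c-0d5d2f22e54e"
SAMPLE = {"issuer": BASE, "scopes": "openid email", "client_id": CONFIG_ID,
          "verification_url": f"https://verifeye-service-eu.realeyes.ai/verification/{CONFIG_ID}"}
SAMPLE.update({key: BASE + path for key, path in EXPECTED_PATHS.items()})
if __name__ == "__main__":
    print(check_settings(SAMPLE) or "settings are consistent")
```
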

---

## Required Additional Settings

After creating the OIDC provider, you **must** configure additional authentication settings:

### 1. Set Up an IdP Authenticator
- Create a new authenticator that uses the VerifEye OIDC provider

### 2. Create or Update Your App Sign-On Policies
- In your authentication policies, define the rules for when VerifEye authentication should be triggered

---

## Additional Resources

For detailed configuration options and advanced settings, refer to the official Okta documentation:

- [Okta OpenID Connect Identity Providers](https://help.okta.com/oie/en-us/content/topics/integrations/open-id-connect.htm)
- [Configuring IdP Authenticators](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-idp-authenticator.htm)
- [Multifactor authentication](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/about-authenticators.htm)
- [Authentication method chain](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/authentication-method-chain.htm)

!!!warning Important
Remember that configuring only the OIDC provider is not sufficient. You must also set up authenticators and authentication policies to ensure proper security and functionality.
!!!