Okta

Configure Okta to use ID.me as a SAML identity provider.

Overview

This guide provides steps to integrate Okta with ID.me using the SAML 2.0 protocol.

Intended audience
Developers and IAM administrators responsible for configuring federation between Okta and ID.me.

What you will build
A federated authentication flow where Okta delegates user authentication to ID.me.

Result
A federated SAML authentication flow where Okta delegates authentication to ID.me.

Identity proofing behavior
Authentication behavior, identity verification settings, and returned attributes are driven by ID.me policy configurations.

Authentication flow

The following steps outline the SAML authentication flow between the user, Okta, and ID.me:

1. The user attempts to access an Okta-protected application.
2. Okta redirects the user to ID.me for authentication.
3. The user completes authentication and identity verification at ID.me.
4. ID.me redirects the user back to Okta with a signed SAML assertion.
5. Okta validates the assertion and grants the user access.

Prerequisites

  • An Okta Developer Account (sign up at https://developer.okta.com/signup/)
  • Administrator access to the Okta tenant
  • An ID.me sandbox account for testing your integration
  • Understanding of SAML flows and terminology

Environments

ID.me provides two environments:

Sandbox

https://api.idmelabs.com/

Production

https://api.id.me/

All ID.me OIDC and SAML endpoints are derived from these base URLs. When moving to production, replace the sandbox base URL in every ID.me endpoint you configured in Okta.

Examples

  • OIDC issuer (Sandbox): https://api.idmelabs.com/oidc
  • OIDC issuer (Production): https://api.id.me/oidc
  • SAML metadata URL (Sandbox): https://api.idmelabs.com/saml/metadata
  • SAML metadata URL (Production): https://api.id.me/saml/metadata

Configure Okta

Create an Identity Provider

1. Log in to your Okta Developer Account.

2. Navigate to Security > Identity Providers.

3. Select Add Identity Provider.

4. Select SAML 2.0 IdP and select Next.

5. Configure the General Settings:

  • Name: ID.me IdP - SAML
  • IdP Usage: SSO (Single Sign-On)

6. Configure the User Matches:

  • IdP Username: idpuser.email
  • Match against: Okta Username or Email
  • Account Link Policy: Automatic

7. Configure the JIT Settings:

  • If no match is found: Create New User (JIT)
  • Profile Source: Update attributes for existing users

8.

Configure the SAML Protocol Settings:

To obtain the ID.me Signing Certificate, download the metadata from https://api.idmelabs.com/saml/metadata/provider. Copy the X.509 certificate between the ds:X509Certificate tags. You may need to format it as a PEM file with standard headers using a tool like SAMLTool.

Field                                      Value
IdP Issuer URI                             api.idmelabs.com
IdP Single Sign-On URL                     https://api.idmelabs.com/saml/SingleSignOnService?AuthnContext=http://idmanagement.gov/ns/assurance/ial/2/aal/2
IdP Signature Certificate                  Upload the formatted ID.me X.509 certificate
Request Binding                            HTTP Post
Sign SAML Authentication Requests          Enabled (Checked)
Response & Request Signature Verification  SHA-256
Destination                                https://api.idmelabs.com/saml/SingleSignOnService?AuthnContext=http://idmanagement.gov/ns/assurance/ial/2/aal/2

Screenshot of step 2 of the "Configure SAML 2.0 IdP" page in Okta, showing General Settings with the name "ID.me IdP - SAML," Authentication Settings configured to match on Okta Username or Email with auto-linking and JIT user creation enabled, and SAML Protocol Settings populated with ID.me's Issuer URI, Single Sign-On URL, DigiCert signature certificate, and SHA-256 signing settings.

9. Select Finish.
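The certificate extraction in step 8 can be done without a third-party tool. The script below is an added example, not ID.me's or Okta's code: it reads SAML 2.0 IdP metadata, takes only KeyDescriptors usable for signing, re-encodes each ds:X509Certificate as a PEM block with standard headers, and pulls out the entityID and HTTP-POST SingleSignOnService location that map to the IdP Issuer URI and Single Sign-On URL fields. The embedded metadata and certificate bytes are constructed placeholders; run it against the file downloaded from the provider metadata URL instead.

```python
"""Prepare Okta's SAML IdP form values from ID.me IdP metadata (added example, constructed data)."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for https://api.idmelabs.com/saml/metadata/provider. The certificate
# content is placeholder bytes, not ID.me's real certificate; replace with the downloaded file.
FAKE_DER = b"placeholder-der-bytes-not-a-real-certificate-" * 4
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="api.idmelabs.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://api.idmelabs.com/saml/SingleSignOnService"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_text: str) -> str:
    """Re-encode the base64 DER from ds:X509Certificate as PEM with standard headers, 64 columns."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)  # reject junk, don't guess
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP Issuer URI (entityID), the HTTP-POST SSO URL and signing certs as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="encryption" keys are never valid for signature verification; skip them.
        if kd.get("use") in (None, "signing"):
            certs += [to_pem(n.text or "") for n in kd.findall(".//ds:X509Certificate", NS)]
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    if not certs or not sso:
        raise ValueError("metadata lacks a signing certificate or an HTTP-POST SSO endpoint")
    return {"issuer": root.get("entityID"), "sso_url": sso[0], "signing_certs": certs}
```

The SSO URL returned is the bare endpoint; append the AuthnContext query string from the table above before pasting it into Okta, since that parameter is what requests IAL2/AAL2 proofing.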

Configure attribute mappings

1. Navigate to Directory > Profile Editor.

2. Select Okta User (default).

3. Select + Add Attribute to add ID.me attributes to the Okta profile.

Screenshot of the "Add Attribute" form in Okta, configured to add a custom string attribute named "idme_uuid" with no description, enum, or uniqueness restrictions, attribute length set to Between with no min/max values, and the attribute not marked as required.

4. Navigate back to Security > Identity Providers.

5. Select Edit Profile and Mappings for your ID.me SAML configuration.

6. Map the ID.me attributes (left side) to the Okta User attributes (right side) as required for your application.

Screenshot of the "ID.me IdP - SAML User Profile Mappings" dialog in Okta, showing the "ID.me IdP - SAML to Okta User" tab with mappings from ID.me SAML attributes (appuser.email, appuser.firstName, appuser.lastName, source.email, appuser.subjectNameId, and appuser.identity_subgroups) to corresponding Okta user profile fields including login, firstName, lastName, email, idme_uuid, and identity_subgroups.

7. Select Save Mappings and Apply updates now.

Configure ID.me

This portion of the configuration is completed by an ID.me Solution Consultant. You will need to provide the following information to complete the setup:

Okta Metadata

Provide the metadata file from your Okta Identity Provider configuration. You can download this by navigating to Security > Identity Providers, expanding the ID.me IdP - SAML actions, and selecting Download metadata.

Okta Audience URI

The Entity ID for your Okta tenant.

Assertion Consumer Service (ACS) URL

The URL where ID.me should send the SAML response.

Signing/Encryption Certificate

The X.509 certificate from your Okta metadata. ID.me uses it to verify the signature on Okta's signed authentication requests and to encrypt assertions sent to Okta.

Test the integration

1. Navigate to Security > Identity Providers > Routing Rules.

2. Select Add Routing Rule.

3. Enter a Name (e.g., ID.me IdP - Okta App Portal).

4. For Use this identity provider, select ID.me IdP - SAML.

5. Select Create Rule and Activate.

This configuration will require all users to sign in via ID.me when accessing your Okta tenant. You can configure rules to apply only to specific applications, groups, or users if preferred.

6. Open an incognito window and navigate to your Okta App Portal URL (e.g., https://dev-12345678.okta.com).

7. Verify you are redirected to ID.me.

8. Sign in or create a new ID.me account and consent to share attributes.

9. Verify you are redirected back to Okta and signed in successfully.

10. Navigate to Directory > People in the Okta admin dashboard to confirm the user account was created or updated with the expected attributes.