Okta Integration Network

The Okta integration replaces traditional login with biometric authentication through the 1Kosmos mobile app, and supports bidirectional federation where either platform can act as the identity provider.

Integration type

Auth/IDP

Overview

1Kosmos is listed in the Okta Integration Network (OIN), Okta's catalog of pre-built application connectors. This integration configures 1Kosmos as the SAML 2.0 identity provider for Okta, allowing users to authenticate to their Okta account using 1Kosmos biometric passwordless authentication rather than a password.

What we solve

Okta tenants still face phishing and password-based account takeover risk when user access relies on credentials, even with MFA. This integration makes 1Kosmos the SAML identity provider for Okta, enabling biometric passwordless authentication so users can access Okta with stronger assurance and less reliance on passwords.

After a user's identity is verified through 1Kosmos and their biometric is enrolled, all subsequent Okta logins are completed through the 1Kosmos mobile app using Face ID, Touch ID, or liveness-checked facial biometrics.

The integration also supports a reverse configuration where Okta acts as the identity provider and 1Kosmos acts as the SAML service provider, enabling 1Kosmos-protected applications to federate authentication through an existing Okta deployment.

Prerequisites

  • Active 1Kosmos tenant: Administrator access to the 1Kosmos admin portal (AdminX). Contact 1kosmos.com/contact if your tenant is not yet provisioned.

  • Okta administrator access: Admin rights to the Okta Admin Console, including the ability to create app integrations and configure identity providers.

  • Okta API token: Required for the one-click integration path. Generated in the Okta Admin Console at Security → API → Tokens.

  • User directory alignment: Confirm that the email addresses in your 1Kosmos user directory match the usernames in Okta. Mismatches will prevent JIT (just-in-time) provisioning from working correctly.

Configuration values

Values to collect from 1Kosmos (IdP):

  • IdP Entity ID (Issuer): https://your-tenant.1kosmos.net/saml/metadata

  • IdP Single Sign-On URL: https://your-tenant.1kosmos.net/saml/sso

  • IdP Signing Certificate: Download PEM from AdminX → Federation → SAMLv2

  • Metadata URL: https://your-tenant.1kosmos.net/saml/metadata.xml

Values to collect from Okta (SP):

  • ACS URL: https://your-org.okta.com/sso/saml2/

  • Entity ID (Audience URI): https://www.okta.com/saml2/service-provider/

  • Sign-Out URL: https://your-org.okta.com/logout

Integration steps

Configuration Steps

  1. Sign in to your Okta instance as an administrator.

  2. Navigate to Applications > Applications > Browse App Catalog.

  3. On the Browse App Integration Catalog page, select the 1Kosmos application and click Add Integration.

  4. On the General Settings: Required page, enter the application name, Entity ID, and ACS URL.

  5. Copy the Entity ID and ACS URL from your 1Kosmos instance under the External IdP Config section and paste them into the corresponding fields under General settings: Required page of the Okta instance.

Note: When adding the ACS URL, it is recommended to remove the https:// prefix.

  6. Click Done.

  7. In your Okta instance, navigate to the Sign On tab and copy the Metadata URL.

  8. In the 1Kosmos interface, paste the Metadata URL into the Enter Metadata URL field and click Import. The Core Configuration tab will auto-populate with the corresponding values.

  9. Copy the Sign Out URL from the Okta instance and paste it into the SLO URL field in the 1Kosmos interface.

  10. Click Save.

  11. In the Routing Policies tab of the 1Kosmos instance, define the condition for users to exclude from the policy, enable the policy, and click Save.

Note: By default, this policy applies to everyone. However, you can exclude certain users from it. Enabling this policy is optional.

Setting Up SP-Initiated Single Sign-On

This section explains how to configure and perform SP-Initiated Single Sign-On (SSO), where the authentication flow is initiated from the Service Provider (SP) rather than the Identity Provider (IdP).

Note: This section applies only to SAML or OIDC integrations that support app-initiated Single Sign-On (SSO), also known as Service Provider (SP) initiated SSO.

The user sign-in flow starts from the 1Kosmos sign-in page. The user enters their username, and 1Kosmos sends the authentication request to Okta (the Identity Provider) to authenticate the user.

The sign-in process is initiated from your 1Kosmos tenant.

  1. From your browser, navigate to the 1Kosmos tenant sign-in page.

  2. Enter your username. You will be redirected to the Okta sign-in page.

  3. Enter your Okta credentials and complete MFA if your organization’s policies require it. You will be redirected to 1Kosmos and logged into the interface.

Step 1 — Add the integration in 1Kosmos

Log in to the 1Kosmos AdminX portal. Navigate to Applications → Add Application. In the Add new applications screen, locate the Okta SAML option under Pre-built integrations and click Add integration.

Step 2 — Enter Okta admin credentials

In the integration setup screen, enter your Okta admin domain URL (e.g., https://your-domain-admin.okta.com) and the Okta API token generated in the prerequisites step. These credentials are used one time to configure the integration automatically and are not stored by 1Kosmos. Revoke and regenerate the API token after setup is complete.

Step 3 — Configure SAML settings in Okta

In the Okta Admin Console, navigate to Security → Identity Providers → Add Identity Provider → Add SAML 2.0 IdP. Enter the following values from your 1Kosmos tenant:

  • IdP Name: 1Kosmos

  • IdP Issuer URL: https://your-tenant.1kosmos.net/saml/metadata

  • IdP Single Sign-On URL: https://your-tenant.1kosmos.net/saml/sso

  • IdP Signature Certificate: Paste PEM certificate from AdminX

  • IdP Username: saml.subjectNameId

  • Match against: Okta Username

  • If no match found: Create new user (JIT)

Step 4 — Configure routing rules

In Okta, navigate to Security → Identity Providers → Routing Rules → Add Rule. Define the conditions under which authentication should be redirected to 1Kosmos (e.g., all users, specific groups, or attribute-based conditions). Set the identity provider to 1Kosmos. Activate the rule.

Step 5 — Import Okta metadata into 1Kosmos (optional)

For the reverse configuration (Okta as IdP, 1Kosmos as SP), navigate to the 1Kosmos AdminX portal, open the Okta application configuration, and paste the Okta metadata URL into the Enter Metadata URL field. Click Import to auto-populate the core configuration fields including the SSO URL, entity ID, and signing certificate.

Step 6 — Test the integration

In your browser, navigate to your Okta application domain URL. You will be redirected to the 1Kosmos sign-in page. Authenticate with a test user account to confirm the SAML assertion is generated correctly and the user is logged into Okta successfully. Test with a single user before activating routing rules for all users. Keep at least one admin account accessible at your-okta-domain/login/default as a fallback.
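Both the Configuration Steps above and Step 5 here rely on an "Enter Metadata URL → Import" action that auto-populates the SSO URL, entity ID and signing certificate. The following is an added example, not 1Kosmos or Okta code, of what such an importer does with the Python standard library: it parses a SAML 2.0 IdP metadata document, extracts the entityID, the SSO and SLO endpoints and the signing certificate, fingerprints the certificate so it can be compared with the one shown in AdminX, refuses SP metadata (the Okta-side document) and metadata with no signing key, and reports any mismatch against the values listed for your tenant. The two metadata documents are constructed samples that reuse this page's placeholder hosts; the certificate body is a dummy base64 string rather than a real X.509 certificate, and the SLO location is an assumed value the page does not give.

```python
"""Parse SAML 2.0 IdP metadata as an "Import metadata URL" step would, then
check the result against the values the guide lists for the tenant.

Added example, not 1Kosmos or Okta code. SAMPLE_IDP_METADATA and
SAMPLE_SP_METADATA are constructed; the certificate is a dummy base64 body,
not a real X.509 certificate, and the SLO location is assumed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # parse untrusted metadata with defusedxml instead

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://your-tenant.1kosmos.net/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-tenant.1kosmos.net/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-tenant.1kosmos.net/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-tenant.1kosmos.net/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Okta's own (service-provider) metadata: an IdP importer must reject it, since
# it carries no IdP endpoints and no signing key to verify assertions with.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-org.okta.com/sso/saml2/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate; compare with what AdminX shows."""
    return hashlib.sha256(der).hexdigest()


def to_pem(b64_body: str) -> str:
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    def endpoint(tag):  # prefer HTTP-Redirect, fall back to HTTP-POST
        by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}
        return by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((c.text or "").split())  # metadata usually wraps the base64
            der = base64.b64decode(body, validate=True)
            certs.append({"pem": to_pem(body), "sha256": cert_fingerprint(der)})
    if not certs:
        raise ValueError("no signing certificate: assertions from this IdP could not be verified")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("md:SingleSignOnService"),
        "slo_url": endpoint("md:SingleLogoutService"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": certs,
    }


def check_against_expected(parsed: dict, expected_entity_id: str, expected_sso_url: str) -> list:
    """Discrepancies between the imported metadata and the values listed for
    your tenant; an empty list means the import is the IdP you meant to trust."""
    problems = []
    if parsed["entity_id"] != expected_entity_id:
        problems.append(f"entityID {parsed['entity_id']!r} != {expected_entity_id!r}")
    if parsed["sso_url"] != expected_sso_url:
        problems.append(f"SSO URL {parsed['sso_url']!r} != {expected_sso_url!r}")
    for name in ("sso_url", "slo_url"):
        if parsed[name] and not parsed[name].startswith("https://"):
            problems.append(f"{name} is not https: {parsed[name]}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(info["entity_id"], info["sso_url"], info["signing_certs"][0]["sha256"])
    print(check_against_expected(info, "https://your-tenant.1kosmos.net/saml/metadata",
                                 "https://your-tenant.1kosmos.net/saml/sso"))
```

The fingerprint is the value to compare, out of band, with the certificate downloaded from AdminX → Federation → SAMLv2: an import that yields the right URLs but a different certificate means the metadata was fetched from somewhere other than your tenant. Fetch the Metadata URL over HTTPS only, and treat a non-empty result from `check_against_expected` as a reason to stop before activating any routing rule.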

Attribute mappings

Source (1Kosmos) → Target (Okta): Description

  • user.email → email: Primary user identifier

  • user.firstName → firstName: User first name

  • user.lastName → lastName: User last name
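The Okta identity-provider settings in Step 3 (IdP Username = saml.subjectNameId, Match against = Okta Username, If no match found = Create new user) together with the attribute mappings above decide which Okta account each login lands in. The following added example, not 1Kosmos or Okta code, models that decision on a constructed assertion and a constructed Okta user list: it reads the NameID and the attribute statement, applies the mapping table, matches the NameID against Okta usernames, and either links the existing account or creates one under JIT. It assumes the assertion's XML signature has already been verified against the IdP signing certificate before parsing, and that Okta username matching is case-insensitive; both are assumptions, and the match/JIT logic is a model of the behaviour the settings describe, not Okta's implementation.

```python
"""Model the Okta IdP settings from this guide on one SAML assertion:
IdP Username = saml.subjectNameId, Match against = Okta Username,
If no match found = Create new user (JIT), plus the attribute mapping table.

Added example, not 1Kosmos or Okta code. SAMPLE_ASSERTION and OKTA_USERS are
constructed. Assumes the assertion's signature was verified before parsing
and that Okta usernames match case-insensitively.
"""
import xml.etree.ElementTree as ET  # for untrusted XML use defusedxml instead

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EXPECTED_ISSUER = "https://your-tenant.1kosmos.net/saml/metadata"

# Source (1Kosmos) attribute name -> Okta profile attribute, from the guide's table.
ATTRIBUTE_MAP = {
    "user.email": "email",
    "user.firstName": "firstName",
    "user.lastName": "lastName",
}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://your-tenant.1kosmos.net/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed Okta directory keyed by Okta username (usually the email address).
OKTA_USERS = {
    "jane.doe@example.com": {"id": "00u-jane", "email": "jane.doe@example.com",
                             "firstName": "Jane", "lastName": "Doe"},
}


def parse_assertion(xml_text: str) -> tuple:
    """Return (NameID, {attribute name: value}) from a signature-verified assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a saml:Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no Subject/NameID: saml.subjectNameId cannot be evaluated")
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", namespaces=NS)
    return name_id.strip(), attrs


def map_profile(attrs: dict) -> dict:
    """Apply the guide's mappings; source attributes without a mapping are dropped."""
    return {okta: attrs[src] for src, okta in ATTRIBUTE_MAP.items() if src in attrs}


def resolve_user(name_id: str, attrs: dict, directory: dict,
                 create_if_missing: bool = True) -> tuple:
    """Match the NameID against Okta usernames and decide the outcome.

    Returns ("matched", user), ("created", user) or ("rejected", {}).
    Jane.Doe@ and jane.doe@ are the same account, but any other spelling
    difference between the 1Kosmos email and the Okta username produces a
    second account under JIT: the mismatch the prerequisites warn about.
    """
    key = name_id.lower()
    if key in directory:
        return "matched", directory[key]
    if not create_if_missing:
        return "rejected", {}
    new_user = {"id": f"jit-{len(directory) + 1}", **map_profile(attrs)}
    directory[key] = new_user
    return "created", new_user


if __name__ == "__main__":
    nid, attributes = parse_assertion(SAMPLE_ASSERTION)
    print(resolve_user(nid, attributes, dict(OKTA_USERS)))
```

Running the same assertion with a NameID that differs from the Okta username by more than case shows the prerequisite's point: with "Create new user" enabled, the mismatch is not reported, a second account appears, and the user's existing group memberships and app assignments do not follow them. Reconcile the two directories before the routing rule goes live, or set the no-match behaviour to reject during testing so mismatches surface as failed logins rather than duplicates.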

Integration notes

The one-click integration path uses the Okta API token to automate the initial configuration exchange. Because 1Kosmos does not store these credentials, generate a dedicated short-lived token for the setup step and revoke it immediately after.

For organizations using Okta Verify as a second factor today, the 1Kosmos integration replaces the Okta Verify prompt with a biometric push notification from the 1Kosmos mobile app — users do not need both apps active simultaneously once the routing rule is live.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
