Okta Integration Network

The Okta integration replaces traditional login with biometric authentication through the 1Kosmos mobile app, and supports bidirectional federation where either platform can act as the identity provider.

Integration type: Marketplace

Overview

1Kosmos is listed in the Okta Integration Network (OIN), Okta's catalog of pre-built application connectors. This integration configures 1Kosmos as the SAML 2.0 identity provider for Okta, allowing users to authenticate to their Okta account using 1Kosmos biometric passwordless authentication rather than a password.

What we solve

Okta tenants still face phishing and password-based account takeover risk when user access relies on credentials, even with MFA. This integration makes 1Kosmos the SAML identity provider for Okta, enabling biometric passwordless authentication so users can access Okta with stronger assurance and less reliance on passwords.

After a user's identity is verified through 1Kosmos and their biometric is enrolled, all subsequent Okta logins are completed through the 1Kosmos mobile app using Face ID, Touch ID, or liveness-checked facial biometrics.

The integration also supports a reverse configuration where Okta acts as the identity provider and 1Kosmos acts as the SAML service provider, enabling 1Kosmos-protected applications to federate authentication through an existing Okta deployment.

Prerequisites

  • Active 1Kosmos tenant: Administrator access to the 1Kosmos admin portal (AdminX). Contact 1kosmos.com/contact if your tenant is not yet provisioned.

  • Okta administrator access: Admin rights to the Okta Admin Console, including the ability to create app integrations and configure identity providers.

  • Okta API token: Required for the one-click integration path. Generated in the Okta Admin Console at Security → API → Tokens.

  • User directory alignment: Confirm that the email addresses in your 1Kosmos user directory match the usernames in Okta. Mismatches will prevent JIT (just-in-time) provisioning from working correctly.

Configuration values

Values to collect from 1Kosmos (IdP):

  • IdP Entity ID (Issuer): https://your-tenant.1kosmos.net/saml/metadata

  • IdP Single Sign-On URL: https://your-tenant.1kosmos.net/saml/sso

  • IdP Signing Certificate: Download PEM from AdminX → Federation → SAMLv2

  • Metadata URL: https://your-tenant.1kosmos.net/saml/metadata.xml

Values to collect from Okta (SP):

  • ACS URL: https://your-org.okta.com/sso/saml2/

  • Entity ID (Audience URI): https://www.okta.com/saml2/service-provider/

  • Sign-Out URL: https://your-org.okta.com/logout

Integration steps

Step 1 — Add the integration in 1Kosmos

Log in to the 1Kosmos AdminX portal. Navigate to Applications → Add Application. In the Add new applications screen, locate the Okta SAML option under Pre-built integrations and click Add integration.

Step 2 — Enter Okta admin credentials

In the integration setup screen, enter your Okta admin domain URL (e.g., https://your-domain-admin.okta.com) and the Okta API token generated in the prerequisites step. These credentials are used one time to configure the integration automatically and are not stored by 1Kosmos. Revoke and regenerate the API token after setup is complete.

Step 3 — Configure SAML settings in Okta

In the Okta Admin Console, navigate to Security → Identity Providers → Add Identity Provider → Add SAML 2.0 IdP. Enter the following values from your 1Kosmos tenant:

  • IdP Name: 1Kosmos

  • IdP Issuer URL: https://your-tenant.1kosmos.net/saml/metadata

  • IdP Single Sign-On URL: https://your-tenant.1kosmos.net/saml/sso

  • IdP Signature Certificate: Paste PEM certificate from AdminX

  • IdP Username: saml.subjectNameId

  • Match against: Okta Username

  • If no match found: Create new user (JIT)

Step 4 — Configure routing rules

In Okta, navigate to Security → Identity Providers → Routing Rules → Add Rule. Define the conditions under which authentication should be redirected to 1Kosmos (e.g., all users, specific groups, or attribute-based conditions). Set the identity provider to 1Kosmos. Activate the rule.

Step 5 — Import Okta metadata into 1Kosmos (optional)

For the reverse configuration (Okta as IdP, 1Kosmos as SP), navigate to the 1Kosmos AdminX portal, open the Okta application configuration, and paste the Okta metadata URL into the Enter Metadata URL field. Click Import to auto-populate the core configuration fields including the SSO URL, entity ID, and signing certificate.

Step 6 — Test the integration

In your browser, navigate to your Okta application domain URL. You will be redirected to the 1Kosmos sign-in page. Authenticate with a test user account to confirm the SAML assertion is generated correctly and the user is logged into Okta successfully. Test with a single user before activating routing rules for all users. Keep at least one admin account accessible at your-okta-domain/login/default as a fallback.
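The following is an added example, not code from 1Kosmos or Okta: a pre-activation check that the issuer, SSO URL and signing certificate entered in Step 3 agree with the IdP's SAML metadata. The metadata document and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted metadata prefer a hardened parser (e.g. defusedxml)

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER certificate (not a real X.509 cert).
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://your-tenant.1kosmos.net/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-tenant.1kosmos.net/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(pem_or_b64):
    """SHA-256 over the decoded certificate bytes; accepts PEM or bare base64."""
    body = "".join(ln.strip() for ln in pem_or_b64.splitlines() if "-----" not in ln)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def parse_idp_metadata(xml_text):
    """Extract issuer, SSO endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    fps = [cert_fingerprint(c.text)
           for kd in idp.findall("md:KeyDescriptor", NS)
           if kd.get("use") in (None, "signing")  # no 'use' attribute covers signing too
           for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    return {"issuer": root.get("entityID"),
            "sso_urls": [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)],
            "signing_fps": fps}

def check_okta_idp_settings(xml_text, issuer, sso_url, pem):
    """Return the Step 3 field names whose values disagree with the metadata."""
    md = parse_idp_metadata(xml_text)
    checks = [("IdP Issuer URL", issuer == md["issuer"]),
              ("IdP Single Sign-On URL", sso_url in md["sso_urls"]),
              ("IdP Signature Certificate", cert_fingerprint(pem) in md["signing_fps"])]
    return [field for field, ok in checks if not ok]
```

An empty list means the three values match; entering the Metadata URL (ending in metadata.xml) where the issuer belongs is reported as an "IdP Issuer URL" mismatch.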

Attribute mappings

Source (1Kosmos)    Target (Okta)    Description

user.email          email            Primary user identifier

user.firstName      firstName        User first name

user.lastName       lastName         User last name

Integration notes

The one-click integration path uses the Okta API token to automate the initial configuration exchange. Because 1Kosmos does not store these credentials, generate a dedicated short-lived token for the setup step and revoke it immediately after.

For organizations using Okta Verify as a second factor today, the 1Kosmos integration replaces the Okta Verify prompt with a biometric push notification from the 1Kosmos mobile app — users do not need both apps active simultaneously once the routing rule is live.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
