The Okta BYO IDV integration embeds 1Kosmos identity verification into Okta account management policies, triggering biometric and document checks during high-risk actions like password recovery.
Integration type: Marketplace
Overview
1Kosmos integrates with Okta as a custom identity verification provider through Okta's Bring Your Own IDV capability. Administrators can trigger government ID and biometric verification during high-risk account actions like password recovery or authenticator enrollment. The integration uses OIDC with PAR, sending verification results back to Okta for policy evaluation without users leaving Okta.
What we solve
High-risk account actions—like password recovery and authenticator enrollment—are prime targets for social engineering, and standard IAM controls may not prove the user’s real-world identity. This Okta BYO IDV integration triggers 1Kosmos document and biometric verification inside Okta policies so organizations can require proof of identity at the moments that matter most.
This integration is separate from the standard Okta SSO integration. It does not replace authentication; it adds verified identity proofing as a policy-enforced step within Okta's account management layer. Organizations can configure multiple IDV vendors in parallel and route users to different vendors by group or region.
Prerequisites
Active 1Kosmos tenant with IDV enabled: Contact your 1Kosmos representative to confirm IDV is active and that an OIDC application has been created for the Okta BYO IDV integration.
Okta Identity Engine (OIE): BYO IDV requires Okta Identity Engine. Classic Engine does not support this feature.
Okta MFA or Adaptive MFA license: Required to configure identity verification in Account Management Policies.
Okta administrator access: Rights to manage Identity Providers and Account Management Policies in the Okta Admin Console.
Configuration values
Values to collect from 1Kosmos before configuring Okta:
| Field | Where to find it |
|---|---|
| Client ID | AdminX → Applications → [your OIDC app] → Client Credentials |
| Client Secret | AdminX → Applications → [your OIDC app] → Client Credentials |
| Issuer | AdminX → Settings → Authorization Server → Metadata URI → issuer field |
| PAR Request URL | AdminX → Settings → Authorization Server → Metadata URI → pushed_authorization_request_endpoint |
| Authorize URL | AdminX → Settings → Authorization Server → Metadata URI → authorization_endpoint |
| Token URL | AdminX → Settings → Authorization Server → Metadata URI → token_endpoint |
| JWKS URL | AdminX → Settings → Authorization Server → Metadata URI → jwks_uri |
Integration steps
Step 1: Create an OIDC application in AdminX for Okta BYO IDV
Log in to the AdminX portal and navigate to Applications → Add Application → OIDC → Add Integration.
Enter a name such as "Okta BYO IDV".
Set Grant Type to Authorization Code.
Set Signing Algorithm for ID Token to RS256.
Add Okta's redirect URI in the Sign-in Redirect URIs field. This value is available in the Okta Admin Console after adding the custom IDV provider (see Step 2). You may need to create the application first with a placeholder and update the redirect URI after.
Enable the openid, profile, and identity_assurance scopes.
Click Create and copy the Client ID and Client Secret from the resulting credentials screen.
Step 2: Add 1Kosmos as a custom IDV provider in Okta
In the Okta Admin Console, navigate to Security → Identity Providers.
Click Add identity provider and select Custom ID verification. Click Next.
Enter a unique Instance name (e.g., "1Kosmos IDV").
Under End user sign-in experience, enter "1Kosmos" as the Vendor name.
Enter the Client ID and Client Secret collected from AdminX.
In the Endpoints section, enter the Issuer, PAR Request URL, Authorize URL, Token URL, and JWKS URL values collected from the 1Kosmos metadata URI.
Confirm the Scope field contains openid, profile, and identity_assurance.
Click Finish. Copy the Redirect URI that Okta generates and add it to the 1Kosmos OIDC application's Sign-in Redirect URIs field in AdminX.
Step 3: Configure the Okta Account Management Policy
In the Okta Admin Console, navigate to Security → Identity Providers (or Policies, depending on your OIE version) and locate Account Management Policies.
Create or edit a policy rule for the user actions you want to protect (e.g., password recovery, authenticator enrollment, account unlock).
Add a condition requiring identity verification and select 1Kosmos as the IDV provider.
Assign the policy to the relevant user groups.
Save and activate the policy rule.
Step 4: Test the integration
Trigger a policy-covered action with a test user account (e.g., initiate a password reset from the Okta login screen).
Confirm the user is redirected from Okta to the 1Kosmos verification flow.
Complete the document scan and biometric selfie in the 1Kosmos flow.
Confirm the user is returned to Okta with a VERIFIED result and is able to complete the requested action.
Test a failure scenario to confirm the FAILED result correctly blocks the action in Okta.
Integration notes
The BYO IDV integration only covers Okta Account Management Policy actions (password recovery, authenticator enrollment, account unlock). It does not apply to standard App Sign-in policies; those require a separate Okta integration type.
Organizations requiring IDV for app sign-in should contact 1Kosmos to discuss the appropriate integration path. Okta passes the user's First Name and Last Name attributes from Universal Directory to 1Kosmos as part of the PAR request. Optional fuzzy matching can be configured if document names may not exactly match directory values.
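As an added illustration (not code from 1Kosmos or Okta), the following Python sketches what the relying party side of the OIDC-with-PAR exchange described above does: push the authorization request carrying the three scopes from Steps 1 and 2, then apply the standard claim checks (RS256 pinned as chosen in Step 1, issuer, audience, nonce, expiry) to the ID token returned from the Token URL. The metadata values, client_id and token contents are constructed placeholders, and signature verification against the JWKS URL is left to a JOSE library.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed sample of the values read from the AdminX Metadata URI (not a real tenant).
META = {
    "issuer": "https://tenant.example.test/oauth2",
    "pushed_authorization_request_endpoint": "https://tenant.example.test/oauth2/par",
    "token_endpoint": "https://tenant.example.test/oauth2/token",
    "jwks_uri": "https://tenant.example.test/oauth2/jwks",
}
SCOPE = "openid profile identity_assurance"   # the three scopes enabled in Steps 1 and 2


def par_request(meta, client_id, redirect_uri, state, nonce):
    """Form body the relying party pushes to the PAR endpoint; the browser is then sent to
    the Authorize URL with only client_id and the request_uri the PAR response returns."""
    body = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": SCOPE, "state": state, "nonce": nonce}
    return meta["pushed_authorization_request_endpoint"], urlencode(body)


def _segment(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def check_id_token_claims(id_token, meta, client_id, nonce, now=None):
    """Claim checks on the ID token from the Token URL. Signature verification against
    the JWKS URL needs a JOSE library (e.g. PyJWT) and is deliberately not reimplemented."""
    header, payload, _sig = id_token.split(".")
    hdr, claims = _segment(header), _segment(payload)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if hdr.get("alg") != "RS256":        # pin to the algorithm chosen in Step 1; reject none/HS*
        raise ValueError("unexpected alg %r" % hdr.get("alg"))
    if claims.get("iss") != meta["issuer"]:
        raise ValueError("issuer mismatch")
    if client_id not in aud:
        raise ValueError("token not issued for this client_id")
    if claims.get("nonce") != nonce:     # ties the token to the request we pushed via PAR
        raise ValueError("nonce mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims
```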