Integrating multiple IAM systems is an essential strategy for organizations facing the complexities of hybrid IT, mergers, regulatory compliance, multi-cloud environments, and legacy-modern system integration. By creating a cohesive identity ecosystem across diverse IAM platforms, businesses can enhance security, reduce administrative overhead, and improve user experience while ensuring compliance and operational efficiency.
Learning objectives
In this tutorial, you will learn how to set up a basic integration of Okta as an Identity Provider for IBM Security Verify Access.
Prerequisites
- IBM Security Verify Access Appliance with Reverse Proxy configured (Note: This tutorial is based on IBM Security Verify Access v10.0.8.0)
- Okta tenant (sign up for a free account)
Steps
Step 1: Create an OIDC Federation in Verify Access
- On the Verify Access management console, go to Federation>Federations.
- To add a new federation, click Add.
- Enter a name to identify the federation and select the OpenID Connect Relying Party protocol. Click Next.

- On the Basic Configuration tab, in the Point of Contact Server field, enter the hostname or IP address configured for the reverse proxy, followed by the junction name, in the following format:
https://<Reverse Proxy IP/Hostname>/junction-name
Note: This URL must be the one that clients will use to connect to the Relying Party Reverse Proxy.
The junction name given here is used to create a junction (if it doesn't already exist) when the Point of Contact configuration is performed.

- Select code as the Default Response Type and then click Next.
- Click Next until you reach the Summary page; the rest of the federation-level configuration is not needed for this tutorial.
- Click OK on the summary page to create the federation.
- A notification banner displays at the top of the console to review pending changes. Click Deploy to deploy the changes.


Step 2: Configure the reverse proxy as a point of contact for federation
You will now configure the reverse proxy instance running on the Verify Access appliance as a point of contact for the OIDC federation created.
- In the Verify Access management console, go to Web > Reverse Proxy.
- Select the pre-configured reverse proxy instance. On the Manage tab, click AAC and Federation Configuration > Federation Management.

- On the Federation Management page, click Add. A window named “Add Federation to Reverse Proxy – <Reverse Proxy Instance name>” is displayed. Keep the default selections.
- Click the Federation tab, select the OIDC federation that you created as part of first step, and then click Finish.
- Close the Federation Management window and deploy the changes by following the instructions on the banner notification at the top of the console. Note: A warning message displays prompting you to restart the reverse proxy.
- Click Restart.

Step 3: Create an App integration in Okta for ISVA
You will now integrate Access Manager OIDC Relying Party with Okta as an OIDC Provider.
- In the Okta admin console’s left menu, click Applications > Applications.
- On the Applications page, click Create App Integration, select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application type.
- Click Next to continue with the configuration.
- Provide a name under the App integration name field to identify the integration.
- The Grant type defaults to Authorization Code; keep that setting.
- The Sign-in redirect URI is derived from the Point of Contact Server URL from Step 1 and has the format shown below.

- The remaining optional fields can be left blank.
- For Assignments, this tutorial selects Allow everyone in your organization to access; restrict this as your requirements dictate.
- Click Save to complete the configuration.
- Upon completion, note the Client ID (under Client Credentials) and the Client Secret (under CLIENT SECRETS); both are needed to create the federation partner in Verify Access.
Step 4: Adding Okta as a Federation Partner
- In the Verify Access management console, go to Federation > Federations.
- Select the federation that was created as part of the first step and click Partners. Click Add to add a new partner.

- Enter a name to identify the partner and select the Enabled checkbox. Click Next. Note: This name should be the same as the one used in the Point of Contact Server URL.

- On the Client Credentials tab, enter the value of Client ID and Client Secret obtained from Okta. Click Next.
- On the Metadata Endpoint tab, select Specify metadata endpoint, enter the URL in the format below, and then click Next.
https://<Your Okta Domain>/.well-known/openid-configuration
- On the JWT Signature Verification tab, select Use JWK endpoint in metadata and click Next.
- No changes are being made on the JWT Decryption tab, so click Next.
- On the Scope tab, add email as a new scope and click Next.

- Skip Attribute mapping and click Next.
- On the Identity Mapping Tab, select Use JavaScript transformation for identity mapping and click Next.
- On the Identity Mapping Rule tab, select the default mapping rule OIDCRP and click Next. Note: You can create your own mapping rule as required and upload it to Verify Access under Federation > Global Settings > Mapping Rules.

- Select Advanced configuration is not required on the Advanced Configuration tab and click Next.
- Click OK on the summary page to complete the setup.
- Deploy the changes by following the instructions on the banner notification at the top of the console.
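Before deploying the partner, it is worth confirming that the Okta metadata endpoint entered above actually advertises what this partner configuration relies on: an issuer on the Okta domain, HTTPS authorization, token and JWKS endpoints (the JWK endpoint from metadata is used for signature verification), the code response type, the authorization_code grant, and the email scope added on the Scope tab. The Python below is an added example written for this tutorial, not IBM or Okta code; example.okta.com is a placeholder domain, the discovery document and ID token claims are constructed, and check_discovery, fetch_discovery and check_id_token_claims are the example's own names. The second function applies the claim checks a Relying Party performs on an ID token after the signature has been verified, which is useful when troubleshooting the test in the next step.

```python
"""Pre-flight checks for the Okta OIDC partner configuration (added example)."""
import json
import time
import urllib.request
from urllib.parse import urlparse

# Constructed sample: a trimmed discovery document in the shape an OIDC
# provider publishes at /.well-known/openid-configuration. Placeholder domain.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc: dict, okta_domain: str) -> list:
    """Return a list of problems; an empty list means the document supports
    the partner settings used in Step 4 (code flow, email scope, JWKS)."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.netloc != okta_domain:
        problems.append(f"issuer is not https://{okta_domain}")
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name, "")
        parsed = urlparse(url)
        if not url:
            problems.append(f"missing {name}")
        elif parsed.scheme != "https" or parsed.netloc != okta_domain:
            # An endpoint on another host would send the browser, or the
            # RP's back-channel token/JWKS call, somewhere unexpected.
            problems.append(f"{name} is not on https://{okta_domain}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("grant_type 'authorization_code' not supported")
    if "email" not in doc.get("scopes_supported", []):
        problems.append("scope 'email' not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


def fetch_discovery(okta_domain: str, timeout: float = 5.0) -> dict:
    """Fetch the live document (needs network access; not used offline)."""
    url = f"https://{okta_domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_id_token_claims(claims: dict, issuer: str, client_id: str,
                          now: int = None) -> list:
    """Claim checks an RP applies after verifying the ID token signature."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or exp is missing")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        problems.append("iat is missing or in the future")
    if not claims.get("sub"):
        problems.append("sub is missing")
    return problems


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, "example.okta.com"))
```

Run it against the real tenant with `check_discovery(fetch_discovery("<Your Okta Domain>"), "<Your Okta Domain>")`; any listed problem should be resolved before the partner is deployed.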
Step 5: Testing the integration
To test the integration, access the Point of Contact Server URL in the format shown below; the request should redirect to Okta for authentication.

Summary
In this tutorial, you've learned how to create a basic integration of Okta as an Identity Provider with IBM Verify Access.
Next steps
To learn more about Verify Access, see the IBM Security Verify Access product documentation.