Get started with Okta integration

Set up Okta integration to fit into your authentication flow.

To use Sumsub’s Okta integration, you need the following:

  • Okta Identity Engine (not Okta Classic).
  • A Sumsub account.
  • Okta administrator access.

To get started, contact your Sumsub Customer Success Manager. They will enable the integration for your account.

Once the integration is enabled, follow the steps below.

Step 1. Set up identity proofing (IDV provider flow)

In Sumsub

  1. In the Marketplace, navigate to Okta Identity Verification and click Settings.
  2. In the side panel that opens, select the following:
    • Standard verification level to define the level that will be used for the full verification procedure applied to new employees.

    • Applicant-action level to define how to recheck existing employees.

      📘

      Note

      • You need to have at least one verification level. To create a new level, refer to this article.

      • The standard verification level is typically used for first-time proofing (such as onboarding), where Sumsub creates a new applicant profile and runs a full check. In contrast, the applicant-action level is triggered for existing employees who already have a profile and is used for subsequent or follow-up verifications.

        If your flow requires an applicant-action level, configure it according to your verification logic. If not, leave the field empty.

        Alternatively, you can set up the applicant-action level as a re-check against the current applicant and a atandard verification level as the fallback for users who don't have an applicant.

  3. Enter the following to set up how the levels will resolve:
    • Okta Org URL — your Okta org's base domain.

    • Okta API Token — an Okta SSWS token.

      📘

      Note

      • Org URL must have the following format: https://yourcompany.okta.com. Do not use the admin console URL, as it breaks the redirect.

      • The integration requires read access to users. To enable it, you must create an API token under the Read-Only Administrator role (or a custom role with the View users permission). The token is created in Okta: Security → API → Tokens → Create token.

        Name the token Sumsub and copy it right after creation.

  4. Click Enable Integration and confirm your selection.
  5. Copy the Client ID and Client Secret from the dialog box that will be displayed.
  6. Click I've saved the credentials.
    📘

    Note

    To recover a lost Client ID or Client Secret, disable the integration and enable it again.

In Okta

  1. In the Admin Console, navigate to Security → Identity Providers, click Add Identity Provider, select Custom IDV, and click Next.
  2. Fill the form based on the data you used to enable the Okta Identity Verification integration in Sumsub:
    • General → Instance name — the name of the integration, for example, Sumsub IDV.

    • End-user sign-in experience → Vendor name — the name visible to end users during verification, for example, Sumsub.

    • EULA URL+Privacy statement URL — data pulled from the Sumsub integration settings.

    • Vendor credentials → Client ID+Client Secret — the credentials retrieved from the one-time dialog box in the Sumsub integration settings.

    • Scopes openid profile identity_assurance (prefilled).

    • Endpoints — connection details from the Sumsub integration settings: Issuer URL, PAR request URL, Authorize URL, Token URL, JWKS URL.

    • User attributes — default (First/Last name).

      📘

      Note

      The 0Auth credentials (client ID, client secret, issuer URL) are only provided after the integration is complete on the Sumsub side.

  3. Click Finish.

For more information, refer to the Okta user guide.

Step 2. Set up the authentication factor (IdP authenticator flow)

In Sumsub

  1. In the Marketplace, navigate to Okta IdP Authenticator and click Settings.
    In the side panel that opens, select:
  2. In the side panel that opens, select the following:
    • Standard verification level to define the level that will be used for the full verification procedure applied to new employees.

    • Applicant-action level to define how to recheck existing employees.

      📘

      Note

      • You need to have at least one verification level. To create a new level, refer to this article.

      • The standard verification level is typically used for first-time proofing (such as onboarding), where Sumsub creates a new applicant profile and runs a full check. In contrast, the applicant-action level is triggered for existing employees who already have a profile and is used for subsequent or follow-up verifications.

        If your flow requires an applicant-action level, configure it according to your verification logic. If not, leave the field empty.

        Alternatively, you can set up the applicant-action level as a re-check against the current applicant and a standard verification level as the fallback for users who don't yet have an applicant.

  3. Enter the following to set up how the levels will resolve:
    • Okta Org URL — your Okta org's base domain.

    • Okta API Token — an Okta SSWS token.

      📘

      Note

      • Org URL must have the following format: https://yourcompany.okta.com. Do not use the admin console URL, as it breaks the redirect.

      • The integration requires read access to users. You must create an API token under the Read-Only Administrator role (or a custom role with the View users permission). The token is created in Okta: Security → API → Tokens → Create token.

        Name the token Sumsub and copy it right after creation.

  4. Click Enable Integration and confirm your selection.
  5. Copy the Client ID and Client Secret from the dialog box that will be displayed.
  6. Click I've saved the credentials.

In Okta

  1. In the Admin Console, navigate to Security → Identity Providers, click Add Identity Provider, select OpenID Connect IdP, and click Next.
  2. Fill out the form based on the data you used to enable the IdP Authenticator integration in Sumsub:
    • Name — the name visible to end users during verification, for example, Sumsub Liveness.

    • IdP Usage — Factor only.

    • Scopes openid profile email (prefilled).

    • Client ID + Client Secret — the credentials retrieved from the one-time dialog box in the Sumsub integration settings.

    • Authentication type — Client secret.

    • Endpoints — connection details from the Sumsub card's settings: Issuer, Authorization endpoint, Token endpoint, and JWKS endpoint.

    • IdP username — default idpuser.email.

    • Leave all optional toggles (Enable signed requests, Require PKCE, Send Okta application context, JIT "update attributes) unchecked.

      📘

      Note

      The 0Auth credentials (client ID, client secret, issuer URL) are only provided after the integration is complete on the Sumsub side.

    3. Click Finish again.

For more information, refer to the Okta user guide.

Step 3. Create IdP authenticator (IdP authenticator flow)

  1. In Okta navigate to Security → Authenticators and click Add Authenticator.
  2. Find the IdP Authenticator in the list and click Add.
  3. Select the identity provider you created for Sumsub from the dropdown and click Add again.
  4. Click Enable Integration and confirm your selection.
  5. Copy the Client ID and Client Secret from the dialog box that will be displayed.
  6. Click I've saved the credentials.
    📘

    Note

    You need to have at least one factor to enable the flow.

For more information, refer to the Okta user guide.

Step 4. Configure Okta policies (any flow)

Once the Sumsub IDV provider and the Sumsub authenticator are configured, you must define how they will be used in Okta. Because every step of the flow is fully adjustable, you can tailor the integration to your exact needs.

To do this, add Sumsub to the Okta policy rules that govern your user journeys. Once added, specific employee actions will trigger verification based on your assigned verification level.

Sumsub can be applied to two types of Okta policies, both managed in the Okta Admin Console under Security → Authentication Policies:

The Account Management Policy initiates verification during account-related actions such as onboarding, account recovery, account unlocking, or sensitive profile updates.

Depending on the verification level you choose, your rule may require either the Sumsub IDV provider (for identity proofing) or the Sumsub authenticator.

Example 1. Identity proofing during onboarding

  1. Navigate to Security → Authentication Policies → Okta account management.
  2. Add a new rule or update an existing rule for the target flow.
  3. In the rule conditions, select relevant users or groups.
  4. Add a condition that targets the account moment, like accessRequest.operation == 'enroll.'
  5. In the rule action section, under Access is, select Allowed after successful identity verification.
  6. In the identity-verification provider, select the Sumsub IDV provider you created previously.
  7. Save the rule and confirm that it is ordered correctly within the policy.

Example 2. Authentication during password recovery

  1. Repeat steps 1-3 from the previous example.
  2. Add a condition that targets the recovery operation: accessRequest.operation == 'recover.'
  3. Repeat steps 5-7.

For more information, refer to the Okta user guide.

You can also configure your Authentication Policy to require Sumsub authentication when a user signs in to an application or triggers a step-up authentication flow. Depending on your security needs, you can require verification for every sign-in or only when specific risk conditions are met.

Example. Verification on a risky sign-in (when the sign-in context differs from the user's usual pattern)

  1. Open Security → Authentication Policies → App sign-in and select the policy for your application.
  2. Add a new rule. In the rule conditions, select the relevant users or groups, and add a risk condition using Okta Behavior Detection, like security.behaviors.contains('New Device') (or 'New City' / 'New Country').
  3. Under User must authenticate with, require a password and the Sumsub authenticator.
  4. Place this rule before your standard sign-in rule, so unusual sign-ins trigger it first.
  5. Save the rule, and confirm the policy is assigned to the application.

For more information, refer to the Okta user guide.