Enable users to log in via Okta without entering a username/password
This guide uses the TrustProvider V2 endpoints for Passwordless Authentication. Ensure you have migrated from the V1 endpoints before proceeding.
Review the Passwordless article for a conceptual overview of how Banyan’s Passwordless Authentication Flow works.
Before proceeding through the steps below, please ensure you have:
1.1 Navigate to Applications, and ensure you have the Banyan TrustProvider App Integration.
2.1 Navigate to Settings > TrustProvider Settings > OpenID Connect Settings.
2.2 In the App Client for Passwordless Authentication section, enter your Okta Redirect URL (generally formatted as https://(your Okta instance name).okta.com/oauth2/v1/authorize/callback) and then click Create.
2.3 Note the OpenID Connect Settings and App Client for Passwordless Authentication configuration fields. You will use these when you configure the OpenID Connect IdP in Okta (step 3).
3.1 Switch to the Okta Classic UI for this guide.
3.2 Navigate to Security > Identity Providers > Add Identity Provider. Select Add OpenID Connect IdP.
3.3 Configure the General Settings and Endpoints:
3.4 In the Advanced Settings, set If no match is found to Redirect to Okta sign-in page, so that a user who cannot be matched to an Okta account is redirected to the Okta sign-in page.
3.5 Click Add Identity Provider.
4.1 Select the Routing Rules tab, and then click Add Routing Rule.
4.2 Name the routing rule Banyan Passwordless Routing, then configure it so that authentication requests to the Banyan TrustProvider App Integration are forwarded to the Banyan Passwordless IdP you created in Step 3.
CAUTION: Do not select Any application when you set up this Routing Rule. You must only select the Banyan TrustProvider Application Integration that was configured in Okta. Choosing Any application will lock Admins out of Okta.
4.3 Click Create Rule, and then click Activate.
Since the “Banyan TrustProvider” App Integration is used for Passwordless Authentication, you need a separate App Integration for device registration via the Banyan Desktop or Mobile Apps.
5.1 Create a new App Integration called “Banyan DeviceRegistrationProvider” following the same steps to set up Okta as your Identity Provider.
6.1 In the Banyan Command Center, return to Settings > TrustProvider Settings > Identity Provider.
6.2 In the Device Registration Provider Config (optional) section, set Device IDP Protocol to OIDC.
6.3 Configure the remaining fields from the Banyan DeviceRegistrationProvider application in Okta:
6.4 Click Update Device Registration Provider Config.
7.1 In Okta, return to Security > Identity Providers > Routing Rules.
7.2 Add a Routing Rule called Banyan Fallback Routing for the Banyan DeviceRegistrationProvider App Integration that uses the default “Okta” identity provider. Now, if a user who is sent into the Passwordless flow does not possess a Device Certificate, they will NOT be rejected; instead, they are sent back to the usual Okta authentication page to enter their username / password.
CAUTION: Do not select Any application when you set up this Routing Rule. You must only select the Banyan DeviceRegistrationProvider Integration here.
Ensure all your Routing Rules in Okta are evaluated in the correct order. In general, the more specific the routing rule, the higher up it should be placed.
8.1 Ensure the “Banyan Fallback Routing” rule is placed above the “Banyan Passwordless” rule.
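As an added example (not Banyan or Okta code), the following script checks an exported list of routing rules for the two pitfalls this guide calls out: a Banyan rule that matches Any application (which locks Admins out of Okta) and a Fallback rule placed below the Passwordless rule. The rule shape and IdP name are assumptions modelled on Okta's IdP discovery policy rules, where a lower priority number is evaluated first.

```python
# Added example, not Banyan's or Okta's own code. Rule dicts are an assumed,
# simplified form of Okta routing rules: an empty "apps" list stands for
# "Any application", and lower "priority" means the rule is evaluated first.

PASSWORDLESS_IDP = "Banyan Passwordless"          # name assumed for the IdP from step 3
TRUSTPROVIDER_APP = "Banyan TrustProvider"        # app used for passwordless auth
DEVICE_REG_APP = "Banyan DeviceRegistrationProvider"  # app used for device registration

# Constructed sample: deliberately misconfigured (Any application + wrong order).
SAMPLE_RULES = [
    {"name": "Banyan Passwordless Routing", "priority": 1, "apps": [],
     "idp": PASSWORDLESS_IDP},
    {"name": "Banyan Fallback Routing", "priority": 2, "apps": [DEVICE_REG_APP],
     "idp": "Okta"},
    {"name": "Default Rule", "priority": 3, "apps": [], "idp": "Okta"},
]

# Constructed sample: the configuration the guide describes (steps 4, 7 and 8.1).
FIXED_RULES = [
    {"name": "Banyan Fallback Routing", "priority": 1, "apps": [DEVICE_REG_APP],
     "idp": "Okta"},
    {"name": "Banyan Passwordless Routing", "priority": 2, "apps": [TRUSTPROVIDER_APP],
     "idp": PASSWORDLESS_IDP},
    {"name": "Default Rule", "priority": 3, "apps": [], "idp": "Okta"},
]


def check_routing_rules(rules):
    """Return a list of findings; an empty list means the rules match the guide."""
    findings = []
    by_name = {r["name"]: r for r in rules}
    for r in rules:
        # CAUTION in steps 4.2 and 7.2: Banyan rules must target specific apps only.
        if r["name"].startswith("Banyan") and not r["apps"]:
            findings.append(f'{r["name"]}: matches Any application; restrict it to one app')
        # The passwordless IdP should only be reached through the TrustProvider app.
        if r["idp"] == PASSWORDLESS_IDP and set(r["apps"]) - {TRUSTPROVIDER_APP}:
            findings.append(f'{r["name"]}: routes an unexpected app to the passwordless IdP')
    # Step 8.1: the Fallback rule must be evaluated before the Passwordless rule.
    fallback = by_name.get("Banyan Fallback Routing")
    passwordless = by_name.get("Banyan Passwordless Routing")
    if fallback is None or passwordless is None:
        findings.append("both Banyan Fallback Routing and Banyan Passwordless Routing must exist")
    elif fallback["priority"] >= passwordless["priority"]:
        findings.append("Banyan Fallback Routing must be placed above Banyan Passwordless Routing")
    return findings


if __name__ == "__main__":
    for finding in check_routing_rules(SAMPLE_RULES):
        print("-", finding)
    print("fixed rules:", check_routing_rules(FIXED_RULES) or "no findings")
```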
By default, when an end user logs out, Okta returns them to the Okta login page. With Passwordless Authentication enabled, end users are automatically logged back in and unable to manually sign out.
To avoid this behavior, set a custom sign-out page in Okta:
9.1 In Okta, navigate to Settings > Customization.
9.2 In the Sign-Out Page settings, click Edit.
9.3 Set the option to Use a custom sign-out page and then enter your preferred sign-out page URL. Then, click Save.
For added security, Banyan strongly recommends enabling multi-factor authentication (MFA) with Passwordless Authentication.
10.1 In Okta, navigate to Security > Authentication > Sign On and then click Add New Okta Sign-on Policy.
10.2 Enter a policy name, description, and assign to groups, then click Create Policy and Add Rule.
10.3 Configure the rule, as follows:
MFA and Session Duration for Passwordless
While we suggest requiring MFA at least once per day, select an option that matches your organization’s security and user experience goals.
10.4 Click Create Rule.
That’s it! You’ve successfully configured Passwordless Authentication for Okta.