Map profile attributes from Okta to an identity verification vendor
Okta lets you map multiple profile attributes from Okta to the identity verification (IDV) vendor. Mapping profile attributes increases the assurance level of the IDV. Mappings flow one way from Okta to the IDV vendor. Mapping helps the IDV vendor process the user's identity correctly. You can start this procedure from the Identity Providers page, or from the Profile Editor page.
Before you begin
Set up a pre-configured or custom IDV vendor. See Add a pre-configured identity verification vendor or Add a custom identity verification vendor.
Start from the Identity Providers page
- In the Admin Console, go to .
- Click Actions for the IDV vendor you want to map profile attributes with.
- Select Edit profile and mappings. The Profile Editor page appears.
- Click Mappings. If more than one user type is available, select one from the dropdown menu. The IDV vendor User Profile Mappings page appears.
- Continue with the Map the attributes from Okta to the IDV vendor procedure.
Start from the Profile Editor
- In the Admin Console, go to .
- Click Mappings for the IDV vendor profile you want to map attributes for. If more than one user type is available, select the user type from the dropdown menu. The IDV vendor User Profile Mappings page appears.
- Continue with the Map the attributes from Okta to the IDV vendor procedure.
Map the attributes from Okta to the IDV vendor
Early Access release. See Enable self-service features.
By default, the user's first name and last name attributes are mapped. They're required for completing the IDV. Mapping more attributes helps the IDV vendor process the request more accurately.
- Find the name of the IDV vendor's attribute in the right column.
- In the Okta column on the left, click the triangle beside the corresponding IDV vendor's attribute.
- Select the Okta attribute that you want to map to the IDV vendor attribute from the list. You can also use Okta Expression Language to generate the attribute name. For example, if the IDV vendor calls the first name given_name, you could map an Okta attribute like user.firstName or user.legalName to it.
  Some IDV vendors process all address attributes as a single component. Map all of these attributes to avoid failures when verifying addresses:
  - streetAddress
  - locality
  - region
  - postalCode
  - countryCode
  Consult your IDV vendor documentation for details about how they process addresses.
- Repeat these steps for each attribute that you want to map.
- Click Save mappings. Or, to preview the change, enter a user's name in the field beside Preview and click Preview. Okta displays the first and last name of the user in the IDV vendor column.
- Click Exit preview.
- Click Apply updates. Okta displays the attributes in the Attributes list.
- To require an attribute to be sent in the claim to IDV vendors, select the i icon for an attribute.
- Select Yes for the Attribute required option.
- Click Save Attribute.
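A pre-flight check for the mapping rules above, added here as an example and not part of the Okta documentation: it flags a mapping where only some of the five address attributes are mapped, or where a name attribute is unmapped. The JSON shape (a `properties` object keyed by IDV vendor attribute, each with an `expression`), the vendor-side names `given_name` and `family_name`, and the sample data are assumptions of this example.

```python
import json

# Address attributes the page says some IDV vendors treat as one component.
ADDRESS_ATTRS = ("streetAddress", "locality", "region", "postalCode", "countryCode")

# Assumed vendor-side names for first and last name; substitute your vendor's.
REQUIRED_ATTRS = ("given_name", "family_name")


def mapped_targets(mapping):
    """Return the set of IDV attributes that have a non-empty Okta expression."""
    props = mapping.get("properties", {})
    return {
        target
        for target, rule in props.items()
        if isinstance(rule, dict) and str(rule.get("expression") or "").strip()
    }


def check_mapping(mapping, required=REQUIRED_ATTRS, address=ADDRESS_ATTRS):
    """Return a list of findings; an empty list means the mapping passes."""
    mapped = mapped_targets(mapping)
    findings = [f"required attribute not mapped: {a}" for a in required if a not in mapped]
    present = [a for a in address if a in mapped]
    missing = [a for a in address if a not in mapped]
    # Partial address mappings are the failure case: map all five or none.
    if present and missing:
        findings.append("partial address mapping, missing: " + ", ".join(missing))
    return findings


# Constructed sample export (hypothetical, not real tenant data).
SAMPLE = json.loads("""
{
  "properties": {
    "given_name":    {"expression": "user.firstName"},
    "family_name":   {"expression": "user.lastName"},
    "streetAddress": {"expression": "user.streetAddress"},
    "locality":      {"expression": "user.city"},
    "postalCode":    {"expression": "user.zipCode"},
    "countryCode":   {"expression": ""}
  }
}
""")

if __name__ == "__main__":
    for finding in check_mapping(SAMPLE):
        print(finding)
```

An empty expression is treated as unmapped, so the sample reports both `region` and `countryCode` as missing.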
Create an Okta account management policy rule
After you've created an IDV vendor identity provider (IdP) and mapped profile attributes to it, create a rule in the Okta account management policy that requires your custom IDV vendor to verify users when they enroll a new authenticator. Ensure that you've created a group for users you want to verify with your custom IDV vendor. For example, create a group called "Custom IDV test group."
See Edit the Okta account management policy. The conditions and fields of an Okta account management policy rule are similar to those in an app sign-in policy. For defaults and definitions, see Add an app sign-in policy rule.
- In the Admin Console, go to .
- Select Okta account management.
- Click Add rule.
- Enter a name in the Rule name field.
- Complete all required fields in the IF section.
- In the THEN section, go to the Access is section and select Allowed after successful.
- Select Identity verification.
- From the Identity verification service dropdown menu, select the service that you want to use.
- Click Save.
Related topics
Identity verification vendors as identity providers
