Our application allows users to log in via a “social” IdP like Microsoft and Google in addition to customer-specific IdPs or just plain old username and password. Ideally we’d like to set up a routing rule for the social IdP so that users who initially signed up using a social login will automatically get routed to the social IdP when they enter their email address in the sign-in widget. I see that these types of users have “SOCIAL” in their credentials property of the user object and we can query further to find the specific IdP they are associated with (e.g. google or microsoft). My question is how can we set up an IdP routing rule that will route these users to their social IdP when they enter their email. The alternative is to put a “Login with Google” button and force our users to remember how they authenticated when they signed up, but it creates unnecessary confusion. It looks like you can set up routing based on user profile attributes but I don’t see one that we could use to determine which social IdP to route them to. Thanks!
You won’t have access to the credentials object of a user’s profile from the routing rules.
One option you could do is create a new attribute in the Okta user’s profile, for example ‘social_idp’, that is optional. In the social IdP user profile mappings, create a static value that maps to the Okta user profile that indicates which IdP is being used.
This way, each time a user logs in from the social IdP, this attribute will be populated in their Okta user profile. Then create a routing rule for each social IdP that checks if the Okta user profile has the social_idp attribute and, if so, if it contains whatever value you assign for each IdP.
Thanks Erik! That was really helpful. We’ve got what you suggested working except we can’t figure out how to get that “social_idp” value set for existing users when they log in via the social IdP. I see on the IdP profile mapping page there is an “Apply mapping on user create only” but there are not any other options. I read somewhere that there is a possible setting to apply mapping on user create and profile update. Do you happen to know how to get that option available on the profile mapping page? Thanks!
When you view the mappings, note there are two different mappings (look at the top of the columns).
One is for the application user profile to the Okta user profile, and one is the other way around.
The mapping of the application user profile to the Okta user profile should allow both create/update.
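The setup discussed in this thread, modelled as an added example that is not part of the original posts and is not Okta code: one routing rule per social IdP keyed on the `social_idp` profile attribute, plus a check for social users who still fall through to the default route because the attribute was never populated. The user record layout (`credentials.provider.type`, `profile.login`), the attribute values and the `DEFAULT_IDP` name are assumptions, and the sample users are constructed.

```python
# Added example: a small model of attribute-based IdP routing, not Okta's API.
DEFAULT_IDP = "okta"  # hypothetical name for the default username/password route

# One rule per social IdP, matching the static value the IdP mapping writes.
# The values "google" and "microsoft" are assumed, not taken from a real tenant.
ROUTING_RULES = [
    {"attribute": "social_idp", "equals": "google", "route_to": "google"},
    {"attribute": "social_idp", "equals": "microsoft", "route_to": "microsoft"},
]


def route(user):
    """Return the IdP a user is routed to. Rules only see profile attributes,
    never the credentials object."""
    profile = user.get("profile", {})
    for rule in ROUTING_RULES:
        if profile.get(rule["attribute"]) == rule["equals"]:
            return rule["route_to"]
    return DEFAULT_IDP


def unrouted_social_users(users):
    """Logins of users whose credentials say SOCIAL but who still land on the
    default route, e.g. accounts created before the mapping applied on update."""
    return [
        u["profile"]["login"]
        for u in users
        if u.get("credentials", {}).get("provider", {}).get("type") == "SOCIAL"
        and route(u) == DEFAULT_IDP
    ]


# Constructed sample users (assumed record shape).
SAMPLE_USERS = [
    {"profile": {"login": "new@example.com", "social_idp": "google"},
     "credentials": {"provider": {"type": "SOCIAL"}}},
    {"profile": {"login": "old@example.com"},  # attribute never populated
     "credentials": {"provider": {"type": "SOCIAL"}}},
    {"profile": {"login": "other@example.com", "social_idp": "github"},  # no rule
     "credentials": {"provider": {"type": "SOCIAL"}}},
    {"profile": {"login": "local@example.com"},
     "credentials": {"provider": {"type": "OKTA"}}},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["profile"]["login"], "->", route(user))
    print("needs backfill:", unrouted_social_users(SAMPLE_USERS))
```
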