Instructions for

Enterprise identity verification vendor

What is an IDV vendor

IDV vendors work like IdPs, with some key differences. Vendors verify your user’s identities by requiring them to submit a proof of identity. The proof of identity matches a user’s digital identity against a trusted data source. For example, a user’s first name and family name can be matched against a picture of their driver’s license or passport. The vendor verifies the user submission against a data source and that evaluation is sent back to Okta.

IdPs authenticate users by verifying their digital credentials. The IdPs also maintain the digital credentials.

Because of its stricter verification, you might only use an IDV vendor for sensitive operations. For example, use an IDV flow when a user enrolls a new authenticator or resets their password.

Create an app at the IDV vendor

, follow these steps to create a

app:

Go to your

CLEAR1
dashboard.
Create a project (opens new window).
In the IDV builder tab, configure how you want to verify your users.
After you've configured your IDV settings, click Save.
Note: You can always return to the IDV builder tab to make other changes to your project.
Click Publish. Set the Environment as Sandbox and then click Publish again.
Go to Integrations, and select the OpenID Connect tab.
Click Add client ID & secret.
Select Okta as the OIDC configuration.
In the first drop-down menu, select Sandbox. In the other drop-down menu, select your project name.
Click Next.
Copy the Client ID and Client Secret values into a text editor. You need these values in the next section.
Under URI allowlist, enter your Okta org's domain and append /idp/identity-verification/callback. For example: https://{yourOktadomain}.okta.com/idp/identity-verification/callback
- The redirect URI is the location where
  
  CLEAR1
  sends the verification response. The URI sent in the verification request from the client needs to match the redirect URI set at the IDV vendor. Ensure that the URI is located in a secure domain that you own.
- For example, if your Okta subdomain is called company, then the URL would be: company.okta.com. If you’ve configured a custom domain in your Okta org, use that value to construct your redirect URI, such as login.company.com.
- Include all base domains (Okta domain and custom domain) that your users interact with in the allowed redirect URI list.
Click Done.

Other IDV vendor configuration

There are more settings for the

app that you can configure. The steps in this guide address the quickest route to set up

as an IDV vendor with Okta.

See the

documentation for more information about other configuration settings.

Create the IDV vendor in Okta

Use the IdP API (opens new window) to add

as an IDV vendor in Okta. Create your own POST request body or copy the example request and input your values.

Note: To add

CLEAR1
using the Admin Console, see Add an Identity Verification vendor as Identity Provider (opens new window).

Set the following request body parameters:
- Enter a value for name.
- Set type to IDV_CLEAR.
- Set ID_PROOFING as the protocol type.
- Use the Client ID and Client Secret values from the previous section as the client_id and client_secret values.
- Set the scopes array to include the profile, identity_assurance, and openid scopes.
  - profile: This scope allows the IDV vendor to request access to basic user profile information from Okta.
  - identity_assurance: This scope requests access to the verified_claims object so that the IDV vendor can send and receive information about the level of assurance of the IDV flow.
  - openid: This scope is required to make the request an OpenID Connect (OIDC) request.
Send the POST /api/v1/idps request.
After you create the IDV vendor, copy the value of id from the response body and paste it into a text editor. Use it in the next section.

Example request

{
  "type": "IDV_CLEAR",
  "name": "CLEAR1 IDV",
  "protocol": {
    "type": "ID_PROOFING",
    "scopes": [
      "profile",
      "identity_assurance",
      "openid"
    ],
    "credentials": {
      "client": {
        "client_id": "your-client-id",
        "client_secret": "your-client-secret"
      }
    }
  },
  "policy": {
    "provisioning": {
      "action": "DISABLED",
      "profileMaster": false,
      "groups": null
    },
    "accountLink": {
      "filter": null,
      "action": "AUTO"
    },
    "subject": {
      "userNameTemplate": {
        "template": "source.userName"
      },
      "filter": null,
      "matchType": "USERNAME",
      "matchAttribute": null
    },
    "maxClockSkew": 0
  }
}

Example response

{
  "id": "0oab50jh0UPiB6xde0w6",
  "name": "CLEAR1 IDV",
  "status": "ACTIVE",
  "created": "2025-01-14T19:59:41.000Z",
  "lastUpdated": "2025-01-14T19:59:41.000Z",
  "protocol": {
    "type": "ID_PROOFING",
    "endpoints": {
      "authorization": {
        "url": "https://verified.clearme.com/oauth/idv_authorize",
        "binding": "HTTP-REDIRECT"
      },
      "token": {
        "url": "https://verified.clearme.com/hydra/oauth2/token",
        "binding": "HTTP-POST"
      },
      "par": {
        "url": "https://verified.clearme.com/oauth/par",
        "binding": "HTTP-POST"
      }
    },
    "scopes": [
      "openid",
      "profile",
      "identity_assurance"
    ],
    "credentials": {
      "client": {
        "client_id": "your-client-id",
        "client_secret": "your-client-secret"
      }
    }
  },
  "policy": {
    "provisioning": {
      "action": "DISABLED",
      "profileMaster": false,
      "groups": null
    },
    "subject": {
      "userNameTemplate": {
        "template": "source.userName"
      },
      "filter": null,
      "matchType": "USERNAME",
      "matchAttribute": null
    },
    "maxClockSkew": 0
  },
  "type": "IDV_CLEAR",
  "_links": {
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/users",
      "hints": {
        "allow": [
          "GET"
        ]
      }
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

Map profile attributes from Okta to your IDV vendor

Early Access

After you've created the IDV vendor in Okta, you can map other profile attributes from your user directory to attributes in your IDV vendor. Okta sends the givenName and familyName attributes by default. You can map other attributes as needed. See Map profile attributes from Okta to an identity verification vendor (opens new window).

Create an Okta account management policy rule

Use the Policies API (opens new window) to create a rule that requires

to verify users when they enroll a new authenticator. Create your own POST request body or copy the example request and input your values.

Ensure that you’ve created a group for users who you want to verify with

. For example, create a group called "CLEAR1 IDV test group".

Note: To add a rule using the Admin Console, see Edit the Okta account management policy (opens new window).

Retrieve the Okta account management policy ID. Use the Okta account management policy id as the policyId value in your POST request to create the IDV rule.
Set the following request body parameters for the new IDV rule that you want to create:
- Provide a name value.
- Use the Okta account management policy id as the policyId value.
- Set the group ID. Use the List all groups call (opens new window) to find the id for the test group.
- Set the verificationMethod type to ID_PROOFING.
- Set the verificationMethod.id as the ID of the
  
  CLEAR1
  IdP that you created in the previous section.
- Set appSignOn access value to ALLOW.
- Use the following Okta Expression Language object:
```
    "elCondition": {
        "condition": "accessRequest.operation == 'enroll'"
    }
```
This expression requires users to verify their identity with the IDV vendor when they enroll a new authenticator.
Send the POST /api/v1/policies/{policyId}/rules request.

Okta account management policy rule example request

{
    "name": "Require IDV for authenticator enrollment",
    "priority": 1,
    "type": "ACCESS_POLICY",
    "system": false,
    "conditions": {
        "people": {
            "groups": {
                "include":
                    ["{groupId}"]
            }
        },
        "network": {
            "connection": "ANYWHERE"
        },
        "riskScore": {
            "level": "ANY"
        },
        "elCondition": {
            "condition": "accessRequest.operation == 'enroll'"
        },
        "userType": {
            "include": [],
            "exclude": []
        }
    },
    "actions": {
        "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "id": "{IDVId}",
                "type": "ID_PROOFING"
            }
        }
    }
}

Example response

{
    "id": "ruleId",
    "status": "ACTIVE",
    "name": "Require IDV for authenticator enrollment",
    "priority": 1,
    "created": "2024-11-14T21:16:55.000Z",
    "lastUpdated": "2024-11-14T21:16:55.000Z",
    "system": false,
    "conditions": {
        "people": {
            "users": {
                "exclude": []
            },
            "groups": {
                "include": [
                    {"groupId"}
                ]
            }
        },
        "network": {
            "connection": "ANYWHERE"
        },
        "riskScore": {
            "level": "ANY"
        },
        "elCondition": {
            "condition": "accessRequest.operation == 'enroll'"
        },
        "userType": {
            "include": [],
            "exclude": []
        }
    },
    "actions": {
        "appSignOn": {
            "access": "ALLOW",
            "verificationMethod": {
                "id": {"IDVId"},
                "type": "ID_PROOFING"
            }
        }
    },
    "_links": {
        "self": {
            "href": "https://{yourOktadomain}/api/v1/policies/rstjqw4t47yn9lXUK5d7/rules/rull5mrtqkAVfIyWT5d7",
            "hints": {
                "allow": [
                    "GET",
                    "PUT",
                    "DELETE"
                ]
            }
        },
        "deactivate": {
            "href": "https://{yourOktadomain}/api/v1/policies/rstjqw4t47yn9lXUK5d7/rules/rull5mrtqkAVfIyWT5d7/lifecycle/deactivate",
            "hints": {
                "allow": [
                    "POST"
                ]
            }
        }
    },
    "type": "ACCESS_POLICY"
}

Test the integration

You now have a

project in a Sandbox environment. You can configure different IDV settings in the Sandbox environment and perform test verifications to see how your IDV flow works.

Go to your

CLEAR1
dashboard.
Go to Projects and select your project.
Click Preview.
Click Generate to create a link to a test verification session.
Open the generated link in a new browser tab.

You can use the link to test the IDV flow or you can share it with others. In the Sandbox environment, no actual verifications are performed. You can use test credentials to complete the verification. The test verification doesn't interact with Okta so you can only test the IDV flow.

To test the integration with Okta, you must use a real user account with verifiable user information and use a Production environment project. For example, if your IDV flow requires a government-issued ID, your user account must have an ID that matches that requirement.

When you're ready to go live with your

project, you can publish your project to the Production environment. See Going Live with

Note: Your user may not be able to complete the IDV flow if their information doesn't match the verifiable information required by your IDV vendor. Review the System Log (opens new window) if you encounter errors when testing the IDV flow. See Identity verification events for information about IDV events in the System Log.

Alternate use cases

You can use your IDV vendor to verify your user identities in different scenarios. Use the following Okta Expression Language expressions for different scenarios.

Note: You can use the Okta account management policy rule without any expression. If you don't use any expression in the rule then your user is prompted to verify their identity when at least one of the following events occurs:

They enroll or unenroll authenticators.

They edit their personal information in their Settings.

They reset their password in Settings or in the Sign-in widget.

They unlock their account.

Verify user identity only when they enroll an authenticator

accessRequest.operation == 'enroll'

Verify user identity only when they reset their password

accessRequest.authenticator.key == 'okta_password' && accessRequest.operation == 'recover'

Verify user identity only when they enroll phishing-resistant authenticators

{
  'okta_verify',
  'webauthn',
  'smart_card_idp',
  'yubikey_token'
}.contains(accessRequest.authenticator.key) &&
accessRequest.operation == 'enroll'

Troubleshooting

When you test the integration, if you’re not redirected to the IDV flow, review the following areas:

Review the user and group that you created. Ensure that you’ve set the correct group ID when you create the Okta account management policy rule.
Review the Okta account management policy rule. Ensure that you’ve added the correct Okta Expression Language expression and that the verificationMethod type is set to ID_PROOFING.
Ensure that your user has the authenticators that they're allowed to enroll.

Edit This Page On GitHub