diff --git a/controllers/operator/ingress.go b/controllers/operator/ingress.go
index b81e2d3c..e5db79cf 100644
--- a/controllers/operator/ingress.go
+++ b/controllers/operator/ingress.go
@@ -34,6 +34,8 @@ var ingressList []string = []string{
 	"id-mgmt",
 	"idmgmt-v2-api",
 	"platform-auth",
+	"platform-id-auth-block",
+	"platform-id-auth",
 	"platform-id-provider",
 	"platform-login",
 	"platform-oidc-block",
@@ -94,6 +96,8 @@ func (r *AuthenticationReconciler) handleIngress(instance *operatorv1alpha1.Auth
 		idMgmtIngress,
 		idmgmtV2ApiIngress,
 		platformAuthIngress,
+		platformIdAuthBlockIngress,
+		platformIdAuthIngress,
 		platformIdProviderIngress,
 		platformLoginIngress,
 		platformOidcBlockIngress,
@@ -345,6 +349,112 @@ func platformAuthIngress(instance *operatorv1alpha1.Authentication, scheme *runt
 
 }
 
+func platformIdAuthBlockIngress(instance *operatorv1alpha1.Authentication, scheme *runtime.Scheme) *netv1.Ingress {
+	pathType := netv1.PathType("ImplementationSpecific")
+	reqLogger := log.WithValues("Instance.Namespace", instance.Namespace, "Instance.Name", instance.Name)
+	newIngress := &netv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "platform-id-auth-block",
+			Namespace: instance.Namespace,
+			Labels:    map[string]string{"app": "platform-auth-service"},
+			Annotations: map[string]string{
+				"kubernetes.io/ingress.class":              "ibm-icp-management",
+				"icp.management.ibm.com/location-modifier": "=",
+				"icp.management.ibm.com/configuration-snippet": `
+					add_header 'X-XSS-Protection' '1' always;
+					`,
+			},
+		},
+		Spec: netv1.IngressSpec{
+			Rules: []netv1.IngressRule{
+				{
+					IngressRuleValue: netv1.IngressRuleValue{
+						HTTP: &netv1.HTTPIngressRuleValue{
+							Paths: []netv1.HTTPIngressPath{
+								{
+									Path:     "/idauth/oidc/endpoint",
+									PathType: &pathType,
+									Backend: netv1.IngressBackend{
+										Service: &netv1.IngressServiceBackend{
+											Name: "default-http-backend",
+											Port: netv1.ServiceBackendPort{
+												Number: 80,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Set Authentication instance as the owner and controller of the Ingress
+	err := controllerutil.SetControllerReference(instance, newIngress, scheme)
+	if err != nil {
+		reqLogger.Error(err, "Failed to set owner for Ingress")
+		return nil
+	}
+	return newIngress
+
+}
+
+func platformIdAuthIngress(instance *operatorv1alpha1.Authentication, scheme *runtime.Scheme) *netv1.Ingress {
+	pathType := netv1.PathType("ImplementationSpecific")
+	reqLogger := log.WithValues("Instance.Namespace", instance.Namespace, "Instance.Name", instance.Name)
+	newIngress := &netv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "platform-id-auth",
+			Namespace: instance.Namespace,
+			Labels:    map[string]string{"app": "platform-auth-service"},
+			Annotations: map[string]string{
+				"kubernetes.io/ingress.class":            "ibm-icp-management",
+				"icp.management.ibm.com/secure-backends": "true",
+				"icp.management.ibm.com/rewrite-target":  "/",
+				"icp.management.ibm.com/configuration-snippet": `
+					add_header 'X-Frame-Options' 'SAMEORIGIN' always;
+					add_header 'X-Content-Type-Options' 'nosniff';
+					`,
+			},
+		},
+		Spec: netv1.IngressSpec{
+			Rules: []netv1.IngressRule{
+				{
+					IngressRuleValue: netv1.IngressRuleValue{
+						HTTP: &netv1.HTTPIngressRuleValue{
+							Paths: []netv1.HTTPIngressPath{
+								{
+									Path:     "/idauth",
+									PathType: &pathType,
+									Backend: netv1.IngressBackend{
+										Service: &netv1.IngressServiceBackend{
+											Name: "platform-auth-service",
+											Port: netv1.ServiceBackendPort{
+												Number: 9443,
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// Set Authentication instance as the owner and controller of the Ingress
+	err := controllerutil.SetControllerReference(instance, newIngress, scheme)
+	if err != nil {
+		reqLogger.Error(err, "Failed to set owner for Ingress")
+		return nil
+	}
+	return newIngress
+
+}
+
 func platformIdProviderIngress(instance *operatorv1alpha1.Authentication, scheme *runtime.Scheme) *netv1.Ingress {
 	pathType := netv1.PathType("ImplementationSpecific")
 	reqLogger := log.WithValues("Instance.Namespace", instance.Namespace, "Instance.Name", instance.Name)
diff --git a/controllers/operator/resourcestatus.go b/controllers/operator/resourcestatus.go
index b782b261..f179af19 100644
--- a/controllers/operator/resourcestatus.go
+++ b/controllers/operator/resourcestatus.go
@@ -230,6 +230,7 @@ func (r *AuthenticationReconciler) getCurrentServiceStatus(ctx context.Context,
 		names: []string{
 			"id-mgmt",
 			"platform-auth",
+			"platform-id-auth",
 			"platform-id-provider",
 			"platform-login",
 			"platform-oidc",
diff --git a/controllers/operator/routes.go b/controllers/operator/routes.go
index 24433565..68b85dff 100644
--- a/controllers/operator/routes.go
+++ b/controllers/operator/routes.go
@@ -184,6 +184,18 @@ func (r *AuthenticationReconciler) handleRoutes(ctx context.Context, instance *o
 			DestinationCAcert: platformIdentityProviderCert,
 			ServiceName:       PlatformIdentityProviderServiceName,
 		},
+		"platform-id-auth": {
+			Annotations: map[string]string{
+				"haproxy.router.openshift.io/balance":        "source",
+				"haproxy.router.openshift.io/rewrite-target": "/",
+			},
+			Name:              "platform-id-auth",
+			RouteHost:         routeHost,
+			RoutePath:         "/idauth",
+			RoutePort:         9443,
+			DestinationCAcert: platformAuthCert,
+			ServiceName:       PlatformAuthServiceName,
+		},
 		"platform-id-provider": {
 			Annotations: map[string]string{
 				"haproxy.router.openshift.io/rewrite-target": "/",
@@ -265,29 +277,6 @@ func (r *AuthenticationReconciler) handleRoutes(ctx context.Context, instance *o
 	return
 }
 
-func (r *AuthenticationReconciler) removeIdauth(ctx context.Context, instance *operatorv1alpha1.Authentication) (err error) {
-	namespace := instance.Namespace
-	reqLogger := log.WithValues("func", "ReconcileRoute", "namespace", namespace)
-	reqLogger.Info("Determined platform-id-auth Route should not exist; removing if present")
-	observedRoute := &routev1.Route{}
-	err = r.Get(ctx, types.NamespacedName{Name: "platform-id-auth", Namespace: namespace}, observedRoute)
-	if errors.IsNotFound(err) {
-		return nil
-	} else if err != nil {
-		reqLogger.Error(err, "Failed to get existing platform-id-auth route for reconciliation")
-		return
-	}
-	err = r.Delete(ctx, observedRoute)
-	if errors.IsNotFound(err) {
-		return nil
-	} else if err != nil {
-		reqLogger.Error(err, "Failed to delete platform-id-auth Route")
-		return
-	}
-	reqLogger.Info("Successfully deleted platform-id-auth Route")
-	return
-}
-
 func (r *AuthenticationReconciler) reconcileRoute(ctx context.Context, instance *operatorv1alpha1.Authentication, fields *reconcileRouteFields, needToRequeue *bool) (err error) {
 
 	namespace := instance.Namespace
@@ -295,13 +284,6 @@ func (r *AuthenticationReconciler) reconcileRoute(ctx context.Context, instance
 
 	reqLogger.Info("Reconciling route", "annotations", fields.Annotations, "routeHost", fields.RouteHost, "routePath", fields.RoutePath)
 
-	err = r.removeIdauth(ctx, instance)
-
-	if err != nil {
-		reqLogger.Error(err, "Error deleting platform-id-auth Route")
-		return
-	}
-
 	calculatedRoute, err := r.newRoute(instance, fields)
 	if err != nil {
 		reqLogger.Error(err, "Error creating desired route for reconcilition")