Winfried Buwalda (Admin) 

MFA in Hub - Spoke configuration / bookmark app

We have a setup where we require MFA when outside the network for apps in our hub org.

Now we have in a spoke org setup a bookmark app pointing to this app in the hub.
When accessing this bookmark we also get prompted for MFA when outside the network.

Is this normal behavior, or can we have different settings on the bookmark app in the spoke than on the app in the hub (so it would not require MFA when logging in to the bookmark app on the spoke)?
Evan Alter (Okta, Inc.)
Hello, Winfried -
You are prompted for MFA when clicking on the bookmark app (when off-network) because the MFA policy is applied to the app in the Hub org (or the entire org).

This is the expected behavior. Even though the authentication flow begins in an app (the bookmark) that does not require MFA, the destination still requires it.

You might be able to bypass the MFA challenge to the app if:
  • The MFA challenge is part of an app-level sign on policy (rather than org-level).
  • The end users who access the bookmark are in a discrete group.
  • A new rule is created that allows this group access to the app, but does not challenge for MFA.
  • This rule will need to be higher in the priority list than the rule that challenges for MFA; rules are evaluated in order of priority.

Will this work for you?

Evan Alter
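The priority point in the answer above (a group-specific "no MFA" rule only takes effect if it sits above the off-network MFA rule, because the first matching rule wins) is easy to get wrong when editing a policy. The following is an added example, not Okta's policy engine, its API, or code from either participant: it is a small first-match evaluator with a hypothetical group name (`Bookmark-Users`), hypothetical rule names and constructed user records, used to show the same policy in the misordered and corrected arrangement.

```python
"""Toy model of priority-ordered, first-match app sign-on rules.

Added example only: this does NOT use Okta's API or reproduce its engine.
It models the behaviour described in the answer: rules are evaluated in
priority order and the first rule whose conditions match decides whether
MFA is required. Group and rule names are hypothetical.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                     # lower number = evaluated earlier
    require_mfa: bool
    groups: frozenset = frozenset()   # empty = matches any user
    off_network_only: bool = False    # True = matches only outside the network

    def matches(self, user_groups: frozenset, on_network: bool) -> bool:
        """Every configured condition must hold for the rule to apply."""
        if self.groups and not (self.groups & user_groups):
            return False
        if self.off_network_only and on_network:
            return False
        return True


def evaluate(rules, user_groups, on_network):
    """Return (rule name, mfa required) for the first matching rule by priority.

    If nothing matches (no default rule configured), fail closed and require MFA.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(frozenset(user_groups), on_network):
            return rule.name, rule.require_mfa
    return None, True


# Constructed rules mirroring the situation in the thread (hypothetical names).
MFA_OFF_NETWORK = Rule("Off-network MFA", priority=1, require_mfa=True,
                       off_network_only=True)
BOOKMARK_GROUP = Rule("Bookmark group, no MFA", priority=2, require_mfa=False,
                      groups=frozenset({"Bookmark-Users"}))
DEFAULT = Rule("Default (any user)", priority=99, require_mfa=False)

# Misordered: the MFA rule is evaluated first, so the bookmark group never
# reaches its exemption when off-network.
MISORDERED = [MFA_OFF_NETWORK, BOOKMARK_GROUP, DEFAULT]

# Corrected: the group exemption is moved above the MFA rule.
CORRECTED = [
    replace(BOOKMARK_GROUP, priority=1),
    replace(MFA_OFF_NETWORK, priority=2),
    DEFAULT,
]


def mfa_required(rules, user_groups, on_network) -> bool:
    """Convenience wrapper returning only the MFA decision."""
    return evaluate(rules, user_groups, on_network)[1]


if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        for groups, on_net in (({"Bookmark-Users"}, False),
                               ({"Bookmark-Users"}, True),
                               ({"Everyone"}, False)):
            name, mfa = evaluate(rules, groups, on_net)
            print(f"{label:10} groups={sorted(groups)} on_network={on_net}: "
                  f"matched '{name}', MFA required={mfa}")
```

Note what the corrected ordering implies: members of the exempted group get no MFA for this app even when off-network, which is exactly the exposure the original off-network rule was meant to close, so the group should be kept as narrow as the use case allows.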
