https://support.okta.com/help/answers?id=9062a000000bmixqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Tom Rixom

Problem with ForceAuthN double prompting for credentials

Hi,

Previously, when sending a SAMLRequest to OKTA with this flag set to true, it would simply re-prompt the user for credentials (once) and then return to our SAML SP.

Recently, however, it seems OKTA now prompts the user twice for credentials: once to access OKTA, and then again to access the app.

If you set the "Honor the ForceAuthN" option in the OKTA APP to false this behaviour goes away.

Our question is: is this by design (which is not great), or is this a bug?

Thanks,

Tom 

Kyle Andersen (Okta, Inc.)
Hi Tom,

ForceAuthN is one of the configuration options available for a custom SAML app in Okta. You can see from our documentation (https://support.okta.com/help/articles/Knowledge_Article/Configuring-Okta-Template-SAML-20-application): "Force Authentication (Optional) - When selected, your users will be prompted for their credentials when a SAML request has the ForceAuthn attribute set to true, even if they are already logged in to Okta (they will need to enter their credentials even if they normally log in through Desktop SSO). If this box is left unchecked the flag will be ignored."

I'm not aware of any changes regarding this, though the forced authentication is intended once. I see that you made a support case regarding it. I'll make sure we follow up to determine if any changes were made, and if this is indeed flagged as a bug through that investigation, we'll be happy to work towards a solution on it.

Thank You,
Kyle Andersen
Okta Global Customer Care
Tom Rixom
Hi Kyle,

So ForceAuthN is meant to be sent by the SP, which is us in this case. We are requesting the IdP to ignore any sessions and re-authenticate the user. The user then returns to the SP with a fresh SAML token.

However, in the case of OKTA it seems it also uses this to force re-authentication in OKTA itself. The negative side of this is that our customers are now seeing their users having to enter their credentials (including OTP) twice. This does not make sense: ForceAuthN is meant to re-authenticate the user, not completely ignore your own internal session management.

I guess it's how you view ForceAuthN, as something between us the SP and you the IdP, or within your own internal session management (which does not make much sense for us).

Thanks,

Tom
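The SP-side contract Tom describes (send ForceAuthn="true", expect a freshly authenticated user back) can be checked rather than assumed. The following is an added example, not code from the thread or from Okta: it builds a minimal unsigned AuthnRequest carrying ForceAuthn and then verifies that the returned Response answers that request and that its AuthnInstant is not older than the request itself, which is how an SP can detect an IdP that honoured its session instead of re-authenticating. Entity IDs and URLs are placeholders, and signature validation is deliberately out of scope.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC 'Z' form into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_authn_request(sp_entity_id, acs_url, destination, issued_at, force_authn=True):
    """Minimal unsigned AuthnRequest; ForceAuthn="true" asks the IdP to re-authenticate."""
    req_id = "_" + uuid.uuid4().hex  # SAML IDs must be NCNames, hence the leading underscore
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": issued_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return req_id, ET.tostring(root, encoding="unicode")


def authn_is_fresh(response_xml, request_id, issued_at, max_skew=dt.timedelta(seconds=60)):
    """True only if the Response answers our request and its AuthnInstant is no older than
    the moment we issued it (allowing clock skew); a reused session shows an older instant."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != request_id:
        return False
    stmt = resp.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement")
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False
    return parse_instant(stmt.get("AuthnInstant")) >= issued_at - max_skew


def fake_response(in_response_to, authn_instant):
    """Constructed, unsigned sample Response used only to exercise the check above."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" InResponseTo="{in_response_to}">'
        f'<saml:Assertion><saml:AuthnStatement AuthnInstant="{authn_instant}"/></saml:Assertion>'
        "</samlp:Response>"
    )
```

In production the Response signature and Conditions must be validated before this freshness check is trusted; the check only tells you whether the IdP re-authenticated, not whether the assertion is genuine.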