How to Skip MFA When Logging into Org2Org via the Okta Dashboard Tile (IdP Login)
Single Sign-On
Multi-Factor Authentication
Overview

A user successfully logs into their Okta Dashboard via their Identity Provider (IdP). The user then clicks a tile on the Okta Dashboard to log in to their Okta Identity Engine (OIE) tenant via an Org2Org app. In the default configuration, the user is challenged for MFA even after already proving their identity by logging into the original Org.
 

Desired Login Experience:

  1. The user logs into the dashboard from their IdP.
  2. The user clicks the Org2Org tile and is immediately authenticated.
    • When the user logs in directly to the OIE org, they should still be prompted for MFA.
Applies To
  • Okta Identity Engine (OIE)
  • Multi-Factor Authentication (MFA)
Solution

This method uses a Global Session Policy with rules that determine where the user is logging in from (the IdP or a direct login). A Global Session Policy must be assigned to a group in order to be active in the Okta Org, so the group created in Step 1 is what scopes the MFA skip.

NOTE: All these items MUST be created in the Target Org (Hub).

 

Steps

  1. Create a new Okta Group (Directory > Groups > Add group) called "Skip MFA Group" or another descriptive title, and add at least one user (for testing).

  2. Create a new Global Session Policy (Security > Global Session Policy > Add Policy) called "IdP Login Policy" or another descriptive title, and assign it to the "Skip MFA Group" group created in Step 1.

  3. Once the "IdP Login Policy" is created, add a new rule (Security > Global Session Policy > IdP Login Policy > Add rule), and name it "IdP Login Rule" or another descriptive title.

    • Set the following configurations in the "IdP Login Rule" to specify how sessions will behave when using the IdP to log in (if a configuration is not listed here, the default config is in use):

      1. AND Identity provider is [the desired IdP]

      2. Multifactor authentication (MFA) is Not required

  4. Create a new Authentication policy (Security > Authentication Policies > Add a policy) with the title "Skip MFA - IdP Org2Org" or another descriptive title.

  5. Add a rule to the new "Skip MFA - IdP Org2Org" policy with a rule name of "Skip MFA Rule" or another descriptive title.

    • Set the following configurations in the "Skip MFA Rule" to specify the MFA skip behavior for this rule (if a configuration is not listed here, the default config is in use):

      • AND User's group membership includes "Skip MFA Group"

      • AND User must authenticate with Any 1 factor type / IdP

      • AND If Okta FastPass is used: The user is not required to approve a prompt in Okta Verify or provide biometrics

  6. Click on the Applications tab of the "Skip MFA - IdP Org2Org" policy and add the Okta Dashboard with the Add app button.

  7. Test the configuration by:

    1. Log in to the Okta Dashboard via the IdP.

    2. Click on the Org2Org app tile for the OIE org.

    3. Confirm that there is no MFA challenge and the user is immediately redirected to the OIE org's Okta Dashboard.

    4. Log out.

    5. Log in to the OIE environment directly (for example, https://<org>.okta.com).

    6. Confirm that the user is challenged for MFA.
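The manual test above checks one user on one day; a rule that waives MFA drifts easily (someone later widens the IdP condition to "Any" or removes the group). The following audit script is an added example, not Okta's code or part of this article: it reads Global Session Policy (type OKTA_SIGN_ON) and Authentication Policy (type ACCESS_POLICY) rules and flags any rule that sets MFA to not required without the scoping this procedure relies on (a specific IdP condition and a group assignment). The JSON field names (`conditions.identityProvider.provider`, `actions.signon.requireFactor`, `actions.appSignOn.verificationMethod.factorMode`) follow the Okta Policies API as I understand it; verify them against your own org's responses from `GET /api/v1/policies?type=...` and `GET /api/v1/policies/{id}/rules`. The `SAMPLE_POLICIES` data, its IDs and policy names are constructed for the offline run.

```python
"""Audit Okta policy rules that waive MFA for missing IdP/group scoping.

Added example, not Okta's code. Field names follow the Okta Policies API as
understood by the author of this example; verify against your own org.
"""
import json
import os
import urllib.request

# Constructed sample of what the Policies API returns, reduced to the fields
# this audit reads. IDs, names and group/IdP identifiers are made up.
SAMPLE_POLICIES = [
    {
        "id": "pol_idp_login", "type": "OKTA_SIGN_ON", "name": "IdP Login Policy",
        "conditions": {"people": {"groups": {"include": ["grp_skip_mfa"]}}},
        "rules": [{
            "name": "IdP Login Rule",
            "conditions": {"identityProvider": {"provider": "SPECIFIC_IDP",
                                                "idpIds": ["idp_corp_saml"]}},
            "actions": {"signon": {"access": "ALLOW", "requireFactor": False}},
        }],
    },
    {   # Mis-scoped: waives MFA for every IdP and is assigned to no group.
        "id": "pol_legacy", "type": "OKTA_SIGN_ON", "name": "Legacy No-MFA",
        "conditions": {"people": {"groups": {"include": []}}},
        "rules": [{
            "name": "Everyone no MFA",
            "conditions": {"identityProvider": {"provider": "ANY"}},
            "actions": {"signon": {"access": "ALLOW", "requireFactor": False}},
        }],
    },
    {
        "id": "pol_org2org", "type": "ACCESS_POLICY", "name": "Skip MFA - IdP Org2Org",
        "rules": [
            {
                "name": "Skip MFA Rule",
                "conditions": {"people": {"groups": {"include": ["grp_skip_mfa"]}}},
                "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
                    "type": "ASSURANCE", "factorMode": "1FA"}}},
            },
            {   # Mis-scoped: single-factor access for everyone.
                "name": "Catch-all 1FA",
                "conditions": {"people": {"groups": {"include": []}}},
                "actions": {"appSignOn": {"access": "ALLOW", "verificationMethod": {
                    "type": "ASSURANCE", "factorMode": "1FA"}}},
            },
        ],
    },
]


def fetch_policies_with_rules(org_url, api_token, policy_type):
    """Fetch one policy type and its rules from a live org (not run offline).
    Assumes an API token with read access to policies."""
    def get(path):
        req = urllib.request.Request(
            f"{org_url}{path}",
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    policies = get(f"/api/v1/policies?type={policy_type}")
    for policy in policies:
        policy["rules"] = get(f"/api/v1/policies/{policy['id']}/rules")
    return policies


def _groups(conditions):
    """Group IDs from a 'people' condition; empty list when not scoped to a group."""
    return (((conditions or {}).get("people") or {}).get("groups") or {}).get("include") or []


def audit_policies(policies):
    """Return one finding per rule-level problem for rules that waive MFA."""
    findings = []
    for policy in policies:
        policy_groups = _groups(policy.get("conditions"))
        for rule in policy.get("rules") or []:
            cond = rule.get("conditions") or {}
            actions = rule.get("actions") or {}
            problems = []
            if policy["type"] == "OKTA_SIGN_ON":
                signon = actions.get("signon") or {}
                if signon.get("requireFactor", True) is False:
                    idp = cond.get("identityProvider") or {}
                    if idp.get("provider") != "SPECIFIC_IDP" or not idp.get("idpIds"):
                        problems.append("MFA waived without an 'Identity provider is <specific IdP>' condition")
                    if not policy_groups:
                        problems.append("Global Session Policy is assigned to no group, so its scope is undefined")
            elif policy["type"] == "ACCESS_POLICY":
                method = (actions.get("appSignOn") or {}).get("verificationMethod") or {}
                if method.get("factorMode") == "1FA" and not _groups(cond):
                    problems.append("1FA rule has no group-membership condition")
            for problem in problems:
                findings.append({"policy": policy["name"], "rule": rule["name"], "problem": problem})
    return findings


if __name__ == "__main__":
    policies = SAMPLE_POLICIES
    if os.environ.get("OKTA_ORG_URL") and os.environ.get("OKTA_API_TOKEN"):
        policies = []
        for ptype in ("OKTA_SIGN_ON", "ACCESS_POLICY"):
            policies += fetch_policies_with_rules(os.environ["OKTA_ORG_URL"],
                                                  os.environ["OKTA_API_TOKEN"], ptype)
    for finding in audit_policies(policies):
        print(f"{finding['policy']} / {finding['rule']}: {finding['problem']}")
```

Run it without environment variables to see the three findings the constructed sample produces (the well-scoped "IdP Login Policy" and "Skip MFA Rule" produce none); set `OKTA_ORG_URL` and `OKTA_API_TOKEN` to run the same checks against a real org, for example from a scheduled job so a later edit to the rule is caught quickly.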

