<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Skip Multi-Factor Authentication When Logging Into Org2Org via the Okta Dashboard Tile

Single Sign-On
Okta Classic Engine
Okta Identity Engine
All Engines

Overview

Configuring claims sharing allows an Identity Provider (hub) to pass authentication context to a Service Provider (spoke) organization, eliminating duplicate MFA challenges when accessing the Org2Org application through a tile in the Okta dashboard. A user successfully logs into the Okta Dashboard and selects a tile to log in to an Okta Identity Engine (OIE) tenant via an Org2Org application. In the default configuration, Okta challenges the user for MFA even after the user has proven their identity by logging in to the original organization. The desired login experience requires the user to log in to the dashboard from the IdP, select the Org2Org tile, and immediately authenticate. When the user attempts to log in directly to the OIE organization, Okta prompts for MFA.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Single Sign On (SSO)
  • Org2Org integrations
  • Identity Provider (IdP)

Solution

How does claims sharing function?

When an administrator enables claims sharing, the user authenticates to the IdP (hub) organization and completes the required MFA. The IdP includes authentication claims in the Security Assertion Markup Language (SAML) OktaAuth payload sent to the SP (spoke) organization. The SP organization trusts these claims and understands the authentication context. Policies in the SP organization recognize the trusted claims and do not re-challenge the user for MFA. 

For direct logins to the SP organization, local policies still require MFA.

 

Prerequisites for Configuring Claims Sharing

Review the required prerequisites before configuring claims sharing.

  • An Okta SP organization and an Okta IdP organization configured for an Org2org use case.
  • If using a custom domain on the IdP organization, the organization requires an Okta-managed certificate.
  • The SP organization requires an active Org2Org application integration.

NOTE: Ensure that authentication policies across both the IdP and SP organizations are synchronized. The authentication context provided by the IdP must satisfy the specific assurance levels mandated by the SP. For instance, if the SP organization necessitates phishing-resistant factors or possession-based authentication, the IdP must validate these criteria prior to transmitting the claim. If the initial login only involves a knowledge factor, such as a password, Okta re-challenges the user for MFA to meet the SP organization’s security standards.

 

Enable Trust Claims on the Service Provider Organization

Navigate to the Identity Providers settings in the Service Provider organization, select the Okta IdP, and enable the trust claims configuration.

  1. In the SP organization, go to Security > Identity Providers.
  2. For the IdP organization (hub), select Actions, and then select Configure Identity provider.
  3. Select Edit, and then under the IdP's Authentication Settings configuration, select the Trust claims from this identity provider checkbox.
  4. Select Save.

Okta IdP trust claims checkbox

NOTE: If configuring via API, add "trustClaims": true to the IdP policy section.

 

Related References

Loading
Okta Support - Skip Multi-Factor Authentication When Logging Into Org2Org via the Okta Dashboard Tile