
Okta Reprompts Users for Multi-Factor Authentication When Using Org2Org

Okta Classic Engine
Okta Identity Engine
API Access Management

Overview

When an Org2Org OpenID Connect (OIDC) integration is configured to use a custom domain, Okta fails to propagate the Authentication Methods References (AMR) claims to the downstream spoke tenant, which therefore re-challenges users for multifactor authentication (MFA). This happens when the custom domain uses a self-managed certificate rather than an Okta-managed certificate. Configuring the custom domain with an Okta-managed certificate, or using the standard Okta domain, resolves the issue.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Org2Org integration
  • Custom domains
  • Claim sharing

Cause

Users are re-prompted for MFA because the custom domain of the Okta Identity Provider (IdP, hub) org uses a self-managed certificate. In that configuration the downstream Okta Service Provider (SP, spoke) org ignores the okta_auth claim in the ID token, the AMR claims are not propagated, and the spoke re-challenges the user for MFA even though the hub already verified it.

Solution

How is the multifactor authentication reprompt resolved?

Either switch the custom domain to an Okta-managed certificate or point the integration at the standard Okta domain. Both options resolve the MFA reprompt:

  • Use the default Okta-managed certificate for the custom domain.
  • Use the standard Okta domain (for example, https://<org>.okta.com) for the integration endpoints instead of the custom domain.
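To confirm whether the hub is emitting the claim-sharing claims at all, and whether the token comes from a custom domain where the certificate type decides if the spoke honors them, it helps to inspect the ID token the hub issued. The following diagnostic is an added example, not Okta's code or part of this article; the sample tokens are constructed, the org hostnames are hypothetical, and the internal structure of the okta_auth claim is assumed to be opaque. It decodes the payload without verifying the signature, so use it only to look at a token you already trust, never for an authorization decision.

```python
"""Diagnostic: decode an Okta Org2Org hub ID token and report whether the
claim-sharing claims (amr, okta_auth) are present and whether the issuer is
a custom domain. Added example; NOT Okta code. No signature verification."""
import base64
import json
from urllib.parse import urlparse

# Claims the hub includes for claim sharing. The shape of okta_auth is
# treated as opaque (assumption); only its presence is checked.
CLAIM_SHARING_CLAIMS = ("amr", "okta_auth")

# Hostname suffixes of standard (non-custom) Okta org domains (assumed list).
STANDARD_OKTA_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT (alg=none) so the check runs offline.
    A real Okta ID token is RS256-signed; never accept alg=none in production."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",  # empty signature segment
    ))


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified (diagnostic only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def is_standard_okta_issuer(issuer: str) -> bool:
    host = (urlparse(issuer).hostname or "").lower()
    return host.endswith(STANDARD_OKTA_SUFFIXES)


def check_claim_sharing(id_token: str) -> dict:
    """Report the issuer type, the AMR values, and which claim-sharing claims
    are missing. Presence alone does not prove the spoke will honor them:
    on a custom domain that still depends on the certificate being Okta-managed."""
    payload = decode_payload(id_token)
    issuer = payload.get("iss", "")
    amr = payload.get("amr", [])
    missing = [c for c in CLAIM_SHARING_CLAIMS if c not in payload]
    custom = not is_standard_okta_issuer(issuer)
    if missing:
        verdict = "hub did not emit " + ", ".join(missing) + "; spoke will reprompt for MFA"
    elif custom:
        verdict = ("claims present but issuer is a custom domain: the spoke honors them "
                   "only if the domain uses an Okta-managed certificate")
    else:
        verdict = "claims present and issuer is a standard Okta domain"
    return {
        "issuer": issuer,
        "custom_domain": custom,
        "amr": amr,
        "mfa_in_amr": "mfa" in amr,
        "missing_claims": missing,
        "verdict": verdict,
    }


# Constructed sample payloads with hypothetical hostnames and IDs (not real tokens).
HUB_CUSTOM_DOMAIN_TOKEN = build_sample_token({
    "iss": "https://login.example.com",           # custom domain (hypothetical)
    "sub": "00u1abcdEXAMPLE", "aud": "0oa2spokeEXAMPLE",
    "amr": ["pwd", "mfa", "otp"],
    "okta_auth": {"amr": ["pwd", "mfa", "otp"]},  # structure assumed
})
HUB_STANDARD_DOMAIN_TOKEN = build_sample_token({
    "iss": "https://example-hub.okta.com",        # standard Okta domain (hypothetical org)
    "sub": "00u1abcdEXAMPLE", "aud": "0oa2spokeEXAMPLE",
    "amr": ["pwd", "mfa", "otp"],
    "okta_auth": {"amr": ["pwd", "mfa", "otp"]},
})
NO_CLAIMS_TOKEN = build_sample_token({
    "iss": "https://example-hub.okta.com",
    "sub": "00u1abcdEXAMPLE", "aud": "0oa2spokeEXAMPLE",
})

if __name__ == "__main__":
    for name, tok in (("custom-domain", HUB_CUSTOM_DOMAIN_TOKEN),
                      ("standard-domain", HUB_STANDARD_DOMAIN_TOKEN),
                      ("no-claims", NO_CLAIMS_TOKEN)):
        print(name, json.dumps(check_claim_sharing(tok), indent=2))
```

Run it against a real ID token captured from the hub (for example from the browser's network trace of the OIDC callback) by passing that token to check_claim_sharing. If amr and okta_auth are present and the issuer is your custom domain, the token is fine and the fix is on the certificate side, as this article describes; if the claims are absent, the hub's claim-sharing configuration needs attention before the certificate does.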
