
Okta Identity Provider Authenticator Sending prompt=login Parameter

Okta Classic Engine
Okta Identity Engine
API Access Management

Overview

This article explains that Okta sends the prompt=login parameter when using an Identity Provider (IdP) as an authentication factor. This behavior ensures that the IdP factor is satisfied during the current authentication attempt rather than relying on a previous session.

Applies To

  • Identity Provider (IdP) Authenticator
  • OpenID Connect (OIDC)

Cause

Okta requires verification when an IdP is used as an authenticator. Because standard claims, such as the Authentication Methods Reference (AMR), do not include a timestamp, Okta cannot verify whether the IdP authenticator was satisfied during the current call or a previous session. To ensure the authenticator is active at the moment of request, Okta sends the prompt=login parameter to the IdP.

Solution

This is expected behavior designed to maintain security assurance. To understand how this impacts the authentication flow:

  • Observe that Okta includes prompt=login in the authorization request it sends to the external OIDC IdP.
  • Note that the external IdP must prompt the user for credentials or verification, even if an active session already exists at that IdP.
  • Ensure the external IdP is configured to honor the prompt=login parameter so that the MFA requirement is satisfied.
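The following is an added illustration, not Okta's code, of the decision the external IdP is expected to make when it receives this request: parse the OIDC prompt parameter and force a fresh verification whenever prompt=login is present, regardless of any existing IdP session. The authorization request URL, client_id, redirect_uri, state and nonce values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an OIDC authorization request of the kind Okta sends to
# the external IdP when that IdP is used as an authenticator. All values are
# placeholders; only the presence of prompt=login matters for this example.
SAMPLE_AUTHZ_REQUEST = (
    "https://idp.example.com/oauth2/authorize"
    "?client_id=okta-idp-authenticator-client"
    "&response_type=code"
    "&scope=openid%20email%20profile"
    "&redirect_uri=https%3A%2F%2Fexample.okta.com%2Foauth2%2Fv1%2Fauthorize%2Fcallback"
    "&state=constructed-state"
    "&nonce=constructed-nonce"
    "&prompt=login"
)


def prompt_values(authz_url: str) -> set[str]:
    """Return the space-delimited values of the OIDC `prompt` query parameter."""
    query = parse_qs(urlsplit(authz_url).query)
    raw = query.get("prompt", [""])[0]
    return {value for value in raw.split(" ") if value}


def idp_must_reauthenticate(authz_url: str, idp_session_active: bool) -> bool:
    """Decide whether the IdP has to challenge the user for this request.

    With prompt=login the user must be re-verified even if an IdP session
    already exists, which is what lets Okta treat the IdP factor as satisfied
    during the current authentication attempt. Without it, the IdP may reuse an
    existing session, and Okta has no timestamp in the returned claims to tell
    a fresh verification from an old one.
    """
    prompts = prompt_values(authz_url)
    if "none" in prompts and len(prompts) > 1:
        # OpenID Connect Core 3.1.2.1: `none` must not be combined with other values.
        raise ValueError("invalid prompt: 'none' combined with other values")
    if "login" in prompts:
        return True
    return not idp_session_active
```

Running `prompt_values` over the authorization request captured in a browser trace is also a quick way to confirm that Okta is in fact sending prompt=login to the IdP.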

