When a federated user authenticates via Microsoft Office 365, they are redirected to Okta. Following a recent update, these users are taken directly to the password entry page, bypassing the username page entirely. The username from the Microsoft session is automatically used for the Okta sign-in attempt.
- Microsoft Office 365
- Login Hint
- Service Provider (SP) Flow
This behavior was introduced in the Okta Identity Engine release 2025.05.1. The change was implemented to resolve an issue where attribute-based IdP routing rules were not functioning correctly and to correct an inconsistency in the WS-Fed flow.
Previously, the system required users to re-enter their username on the Okta login page to evaluate routing rules, ignoring the login_hint provided by Microsoft. The updated behavior now correctly and automatically processes the username from Microsoft. As a result, the user is advanced directly to the password page.
A feature is available to change this automatic behavior. To enable it, please contact Okta Support and reference this article.
When the feature is enabled, Okta ignores the incoming login_hint from Microsoft. Consequently, users no longer bypass the username entry screen. Instead, they are presented with the standard Okta login page with a blank username field, allowing them to enter their credentials manually.
