Okta Classic Engine | Okta Integration Network | Answered | 2018-09-05 | 2017-01-11
Problem with ForceAuthN double prompting for credentials

Hi,

Previously, when sending a SAMLRequest to OKTA with this flag set to true, it would simply reprompt the user for credentials (once) and then return to our SAML SP.

Recently, however, it seems OKTA will now prompt the user twice for credentials: once to access OKTA, and then again to access the app.

If you set the "Honor the ForceAuthN" option in the OKTA app to false, this behaviour goes away.

Our question is: is this by design (which is not great)? Or is this a bug?

Thanks,

Tom


  • Hi Tom,

    ForceAuthN is one of the configuration options available for a custom SAML app in Okta. You can see from our documentation (https://support.okta.com/help/articles/Knowledge_Article/Configuring-Okta-Template-SAML-20-application):

    Force Authentication (Optional) - When selected, your users will be prompted for their credentials when a SAML request has the ForceAuthn attribute set to true, even if they are already logged in to Okta (they will need to enter their credentials even if they normally log in through Desktop SSO). If this box is left unchecked, the flag will be ignored.

    I'm not aware of any changes regarding this, though the forced authentication is intended once. I see that you made a support case regarding it. I'll make sure we follow up to determine if any changes were made, and if this is indeed flagged as a bug through that investigation, we'll be happy to work towards a solution on it.

    Thank you,

    Kyle Andersen
    Okta Global Customer Care
  • TomR.56546 (Customer)

    Hi Kyle,

    So forceAuthN is meant to be sent by the SP, which is us in this case. We are requesting the IDP to ignore any sessions and reauth the user. The user then returns to the SP with a fresh SAML token. However, in the case of OKTA it seems it also uses this to force reauth in OKTA itself. The negative side of this is that our customers are now seeing their users having to enter their credentials (including OTP) twice. This does not make sense: forceauthn is meant to reauth the user, not completely ignore your own internal session management. I guess it's how you view ForceAuthN, as something between us (the SP) and you (the IDP), or within your own internal session management (which does not make much sense for us).

    Thanks,
    Tom
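Added example (Python, not Okta's code and not posted in this thread) of the SP-side half of what Tom describes: build the AuthnRequest with ForceAuthn set, and on return check that the assertion's AuthnInstant is no earlier than the request's IssueInstant, which is how an SP can tell whether the IdP actually re-authenticated the user or reused an existing session. The response skeleton, issuer URLs and timestamps are constructed; it assumes the SP's SAML library has already validated signature, Conditions and InResponseTo.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request(request_id, issued, issuer, acs_url, force_authn):
    """SP side: minimal AuthnRequest; ForceAuthn="true" asks the IdP to re-authenticate."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issued.strftime(FMT),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def reauth_honored(request_xml, response_xml):
    """SP side: after a ForceAuthn request, the assertion's AuthnInstant must not predate
    the request's IssueInstant; an older value means the IdP reused an existing session.
    Assumes signature, Conditions and InResponseTo were already validated by the SAML library."""
    req = ET.fromstring(request_xml)
    if req.get("ForceAuthn", "false").lower() != "true":
        return True  # re-authentication was not requested, nothing to enforce
    issued = datetime.strptime(req.get("IssueInstant"), FMT).replace(tzinfo=timezone.utc)
    stmt = ET.fromstring(response_xml).find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        return False  # no authentication statement at all: treat as not honored
    authn = datetime.strptime(stmt.get("AuthnInstant"), FMT).replace(tzinfo=timezone.utc)
    return authn >= issued

def sample_response(authn_instant):
    """Constructed IdP response skeleton (not real Okta output); only AuthnInstant varies."""
    return ("<samlp:Response xmlns:samlp='%s' xmlns:saml='%s' ID='_r1' Version='2.0'"
            " IssueInstant='2017-01-11T17:20:05Z' InResponseTo='_req1'>"
            "<saml:Assertion ID='_a1' Version='2.0' IssueInstant='2017-01-11T17:20:05Z'>"
            "<saml:Issuer>https://idp.example.com</saml:Issuer>"
            "<saml:AuthnStatement AuthnInstant='%s' SessionIndex='_s1'/>"
            "</saml:Assertion></samlp:Response>") % (NS["samlp"], NS["saml"], authn_instant)

# Constructed sample flow: the SP issued a ForceAuthn request at 17:18:21 UTC.
REQUEST_XML = build_authn_request("_req1", datetime(2017, 1, 11, 17, 18, 21, tzinfo=timezone.utc),
                                  "https://sp.example.com", "https://sp.example.com/acs", True)
FRESH_RESPONSE = sample_response("2017-01-11T17:20:05Z")  # user re-entered credentials
STALE_RESPONSE = sample_response("2017-01-11T09:00:00Z")  # morning session reused, flag ignored

if __name__ == "__main__":
    print(reauth_honored(REQUEST_XML, FRESH_RESPONSE), reauth_honored(REQUEST_XML, STALE_RESPONSE))
```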
This question is closed.