
rnhyq (rnhyq) asked a question.
Using the Okta org2org app, I have the following scenario:
- Company 1 has its own Okta org (Okta 1), with MFA enabled for all users
- Company 2 has its own Okta org (Okta 2), with MFA enabled for all users
Okta 1 users need to log into Okta 2's portal to access some of their resources, so Okta 2 has Okta 1 configured as an IdP, with an appropriate routing rule. This all works, but Okta 1 users are prompted for MFA twice in the following way:
- Okta 1 user logins into Okta 2
- Okta 2 redirects to Okta 1 for authentication
- Okta 1 authentication successful, prompts for MFA
- Okta 1 MFA successful, redirects to Okta 2
- Okta 2 accepts Okta 1's inbound SAML assertion
- Okta 2 prompts for MFA
AFAIK, there's no way of telling Okta 1 "Hey, don't prompt for MFA if you're coming from Okta 2, because they'll handle it." Is that correct?

Do users have a differentiator for each okta org, i.e. unique email? if so, I would create a rule based group based on the email address and add that group to a MDF bypass. Does this make sense?