<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y00009mSKhiSAGOkta Classic EngineAdministrationAnswered2025-12-14T09:00:47.000Z2020-10-27T18:27:36.000Z2020-11-24T20:23:16.000Z

rnhyq (rnhyq) asked a question.

Disable MFA on Okta Org 1 when Authenticating from Okta Org 2

Using the Okta org2org app, I have the following scenario:

 

  • Company 1 has its own Okta org (Okta 1), with MFA enabled for all users
  • Company 2 has its own Okta org (Okta 2), with MFA enabled for all users

 

Okta 1 users need to log into Okta 2's portal to access some of their resources, so Okta 2 has Okta 1 configured as an IdP, with an appropriate routing rule. This all works, but Okta 1 users are prompted for MFA twice in the following way:

 

  • Okta 1 user logins into Okta 2
  • Okta 2 redirects to Okta 1 for authentication
  • Okta 1 authentication successful, prompts for MFA
  • Okta 1 MFA successful, redirects to Okta 2
  • Okta 2 accepts Okta 1's inbound SAML assertion
  • Okta 2 prompts for MFA

 

AFAIK, there's no way of telling Okta 1 "Hey, don't prompt for MFA if you're coming from Okta 2, because they'll handle it." Is that correct?


  • feok4 (feok4)

    Do users have a differentiator for each okta org, i.e. unique email? if so, I would create a rule based group based on the email address and add that group to a MDF bypass. Does this make sense?

    Selected as Best
  • feok4 (feok4)

    Do users have a differentiator for each okta org, i.e. unique email? if so, I would create a rule based group based on the email address and add that group to a MDF bypass. Does this make sense?

    Selected as Best
  • rnhyq (rnhyq)

    Makes total sense. And yes, it worked.

     

    For anyone else who stumbles into this thread, here's the detailed solution:

    • IMPORTANT: Okta 1 will own MFA responsibilities for its users, not Okta 2. This means you will disable the MFA requirement in Okta 2 for Okta 1 users, and delegate all MFA requirements to Okta 1
    • as an admin, go into Okta 2 admin page
    • create a group for Okta 1 users
      • Directory -> Groups -> All -> Add Group -> Name: Company 1
    • create a group rule for Okta 1 users that auto-adds them based on their email domain (e.g. @company1.com)
      • Directory -> Groups -> Rules -> Add Rule
        • Name: company1.com
        • If: use basic condition
        • User attribute : login | string : Contains : @company1.com
        • Then Assign to: Company 1
        • Save
    • Activate the new rule so that the Company 1 group is auto-populated
    • Change the sign-on requirements so that the Company 1 group is not prompted for MFA
      • Security -> Authentication -> Sign On
      • Add New Okta Sign-on Policy
        • Policy Name: Company 1 Policy
        • Policy Description: The policy for all Company 1 users.
        • Assign to Groups: Company 1
        • Create Policy and Add Rule
          • Rule Name: Do Not Enforce MFA
          • Prompt for Factor: no
          • Create Rule
    • Move the new policy above all others so it takes precedence first, before all other Okta 2 users

     

    Expand Post
This question is closed.
Loading
Disable MFA on Okta Org 1 when Authenticating from Okta Org 2