<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z00007ZyurICAROkta Classic EngineAuthenticationAnswered2024-02-21T04:00:47.000Z2022-04-16T00:17:11.000Z2022-04-19T16:29:00.000Z

KetanS.89652 (Customer) asked a question.

Org2Org - MFA Security Loophole?

Please refer to this question, https://support.okta.com/help/s/question/0D51Y00009mSKhiSAG/disable-mfa-on-okta-org-1-when-authenticating-from-okta-org-2?language=en_US

 

In case of Org2Org, MFA happens twice on both Okta side (IDP and SP). To suppress MFA on one of Okta org, there is only one way - Write MFA policy based of the group to don't prompt MFA.

 

Issue? Okta has two login pages. One at <company>.okta.com and another <company>.okta.com/signin/.

The look of these 2 pages are same but /signin/ page does not route users through IDP flow. Meaning, Users can directly login to SP Okta org (and It won't redirect users to IDP Okta org). And guess what, MFA was suppressed so it leaves users on one factor (password only)

 

Has anyone tested or faced this?

 

If you do "View Source" on both Okta login pages, you will see the difference.

/signin/ page does not have the following piece of code (that <company>.okta.com page has)

 

idpDiscovery = true;

if (stateTokenAllFlows && stateToken) {

idpDiscoveryRequestContext = stateToken;

} else {

idpDiscoveryRequestContext = fromUri; }


  • Hi and Thank you for reaching out to the Okta Community!

     

    While I understand your use-case and the desire to improve the end-user's experience (i.e. no double MFA prompts) , in the case of an ORG2ORG implementation we're dealing with two distinct tenants, each with their own security policies. 

    So in essence, the end-user's comfort will have to be sacrificed for the sake of security. 

     

    As for the "/signin/" endpoint, that is there to allow an alternative login in case of DSSO or IDP routing failures (misconfiguration/outages). 

     

     

    Hope this helps!

    Expand Post
  • Ketan Solanki (Customer)

    Thanks Mihai. So let me understand in terms of our use case.

    We have business Partner who uses Okta too. We want our partners to manage their user's authentication. That's why we chose Org2Org so that we don't manage their password and MFA on our side.

     

    But you are saying that Org2Org is meant to prompt twice. IDP and SP both would have to manage MFA? In that case, why would someone use Org2Org and not provision partners users directly in Org (at least they will manage MFA only once).

     

    If authentication is delegated to third party, why would Okta trigger its own authentication policy checks?

     

    Thanks

    Ketan

     

    Expand Post
This question is closed.
Loading
Org2Org - MFA Security Loophole?