
User1675715288202759510 (Customer) asked a question.
We have set up a SAML 2.0 based External Identity Provider in Okta. For these users, Okta will serve as the Service Provider while Azure AD will serve as the Identity Provider.
Here's the sequence of steps showing the experience of a user authenticating herself in this setup:
(1) User types in the URL to our application on a browser and hits Go.
(2) User gets redirected to Okta login page where she enters her Email Address
(3) Okta recognizes that the user needs to be sent to Azure AD for authentication, and so redirects her to AAD
(4) In order to authenticate the user, Azure AD now prompts the user to enter her Email Address (again)
The problem in this setup is that the user has to enter her email address twice - once for Okta and again for Azure AD.
Is there a way to ask for the user's email address only once? Does Okta have a way to pass along the email address (username) info while sending the SAML request to External IdP so that the users do not need to enter their email address twice?
Thank you.

Hi, @User1675715288202759510 (Customer)
Thank you for posting on our Community page!
I did some research and found this article that might be of help:
https://support.okta.com/help/s/question/0D54z00007hYOnICAW/does-okta-support-subject-attribute-in-saml-requests?language=en_US
Thank you for reaching out to our Community and have a great day!
_____________________________________________________________________________
Watch and Learn: New Okta how-to videos, plus what's new this month in the May newsletter.
_____________________________________________________________________________
Community members help others by clicking Like or Select as Best on responses. Try it today.
_____________________________________________________________________________
Hi Laura,
Thank you for the response.
So, is upgrading to Okta Identity Engine the only option to us?
We currently use Okta Classic Engine. Is there no way to avoid asking for the email address twice?
Thanks.
It's always been a pain, that. The only option is if all your users are Azure federated users you can setup that IdP as the default and then every request to authenticate will be sent there. Obviously if some users are Okta mastered then that causes some difficulty but it might solve your problem