
User1696268352990281188 (Customer) asked a question.
On initiating SP SSO from an App, our Okta Hub Org {Org-1} routes the SSO call to the associated Okta Spoke Org {Org-2} (together with the LoginHint-Username). As Org-2 is NOT the source of the User Account, Org-2 routes the SSO request again, this time to Org-3 for authentication.
The User Experience is: Click "SSO" button on the App. Enter Username on Org-1 Login page and click "Next". On Org-2, verify Username and click next again. On Org-3, enter password plus MFA - and then finally get re-directed (and logged in) to the target App.
Being presented a Login screen by Org-2 is a poor User experience (confusing, slower login workflow, additional mouse click required).
Is it possible to configure the Org-2 "Okta Org2Org" App, or Authentication Policies, to recognize that the User is authenticated by yet another Okta spoke (as declared in the Org-2 Routing Rules) and perform the associated redirection to that spoke automatically rather than render the Org-2 login page? Thereby saving the User from having to click "Next" on the redundant Org-2 Login page?

Hello @User1696268352990281188 (Customer), thank you for reaching out to our Community!
The flow described is expected behaviour. The only way to remove Org 2 from the equation would be to configure Org 3 as an IDP in Org 1; this way your users will be directed to Org3 directly.