Okta Classic Engine | Multi-Factor Authentication | Answered | 2026-02-27T17:51:50.000Z | 2026-02-10T01:37:16.000Z | 2026-02-27T17:51:49.000Z

SilvanoS.83351 (Customer) asked a question.

App Sign-In password-only reauth not honored for SP-initiated SAML in pop-up (Global Session re-triggers MFA)

We’re integrating Okta (OIE) with Veeva Vault eSignature using SP-initiated SAML. We have two app sign-in policies:

  • Primary app: Password + MFA
  • eSignature (secondary/hidden app): Password-only, re-auth every time

Global Session Policy requires MFA (standard workforce baseline). The org setting “Require possession factor before password during MFA” is disabled.

During eSignature, Veeva launches the IdP flow in a browser pop-up. Even when a valid Okta session exists in the main window, Okta often treats the pop-up as a new session and re-applies Global Session MFA before the app sign-in policy is evaluated.

Question:

Is this expected behavior due to Okta session cookies not being reliably reused in pop-ups? And is there any supported way (custom domain, redirect mode, etc.) to ensure session reuse so that the app sign-in password-only reauth can be honored?


  • Hi @SilvanoS.83351 (Customer), thank you for reaching out to the Okta Community!

    Based on the information provided, this seems to be the expected behaviour.

    You can check the Okta System Logs to confirm exactly what policy is hit during the pop-up login flow.

    It's possible that this occurs as the user has authenticated through a Custom Domain (for example, login.company.com) and the pop-up is authenticating against a session from the Okta Default Domain (for example, company.okta.com).

    We can provide general guidance and documentation, but in-depth troubleshooting is outside of the Okta Community forum scope.

    If you have an account with us and are a SuperAdmin/Case Admin, please open a case to work with my colleagues from the Support Team to investigate this further. They'll be able to access additional tools and resources to help you get to the bottom of it.

    Regards.
    Selected as Best
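
Added example (not part of the original thread and not Okta's or Veeva's code): a check of the custom-domain versus default-domain mismatch suggested in the answer above, comparing the host the user signed in on with the IdP SSO endpoints the SP has configured. The metadata, app path and `EXAMPLE_ID` are constructed placeholders, and the script assumes the IdP session cookie is Secure and, unless a Domain attribute is passed, host-only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP metadata as an SP might hold it; entityID and app path are placeholders.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://company.okta.com/app/example_app/EXAMPLE_ID/sso/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://company.okta.com/app/example_app/EXAMPLE_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(metadata_xml):
    """Return (binding, Location) for every SingleSignOnService in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    path = "md:IDPSSODescriptor/md:SingleSignOnService"
    return [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
            for e in root.findall(path, MD_NS)]


def cookie_would_be_sent(set_by_host, domain_attr, request_url):
    """RFC 6265 matching for a Secure cookie (Secure is an assumption here)."""
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    if req.scheme != "https":
        return False
    if domain_attr is None:            # host-only cookie: exact host match
        return host == set_by_host.lower()
    domain = domain_attr.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def audit(signin_url, metadata_xml, domain_attr=None):
    """For each SSO endpoint the SP uses, would the sign-in host's cookie reach it?"""
    set_by = urlsplit(signin_url).hostname
    return [{"binding": b, "sso_host": urlsplit(loc).hostname,
             "session_reused": cookie_would_be_sent(set_by, domain_attr, loc)}
            for b, loc in sso_endpoints(metadata_xml)]


if __name__ == "__main__":
    for signin in ("https://login.company.com/", "https://company.okta.com/"):
        for row in audit(signin, SAMPLE_IDP_METADATA):
            print(signin, row)
```

A `session_reused` value of `False` for every endpoint means the pop-up request arrives at the IdP without the main window's session cookie, which is consistent with the Global Session Policy being evaluated again.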