I created an integrator org https://integrator-3331129-admin.okta.com for our organization. We don’t want our developers to access the integrator org directly. Therefore, I set it up in the following way:
An Identity Provider is created to route login requests to our IdP using the SAML protocol
A routing rule that redirects users to our IdP.
A Global Session Policy that disables MFA if our IdP is used
The first 2 steps seem to be working fine. Users are redirected to our IdP, where we perform an action and determine whether to respond to Okta with a SAML assertion for that user.
However, once we send the assertion to Okta, Okta seems to ask the user again for a password and TOTP.
We would like to disallow this additional MFA prompt on Okta. I cannot seem to get it right. In the older version of Okta, it was possible to skip MFA bypass for certain users. But the newer Identity Engine seems to have changed a few things.
Can someone from Okta let me know if what I’m trying is even possible?
In addition to the Global Session Policy, I also tried configuring an Authentication Policy. However, I don’t see any option there to use a single factor or to use the IdP I created.
You can try setting the Authentication Policy to “Any 1 factor type”, and also make sure you set the Global Session Policy rule’s attribute “Establish the user session with” to “Any factor used to meet the Authentication Policy requirements”.
Oh, if you are using the Admin App, you won’t be able to change that, since the Admin App requires 2FA as part of security hardening. The change in the Authentication Policy can only be made for apps other than the Okta Admin Console.
One option in this use case is to use AMR claims. If the IdP supports this, you could use that to skip the authentication on the Okta end completely: Configure claims sharing | Okta Developer
But I would advise caution when changing anything related to the Okta Admin Console, since there is a possibility of account lockout.
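To make the claims-sharing idea from the reply above concrete, here is an added example (not code from the original thread, and not Okta's own implementation) of what the receiving side of a SAML federation does with shared AMR claims: it reads the AMR values and the AuthnContextClassRef out of the assertion and decides whether the upstream IdP already satisfied a single-factor or an MFA requirement, so the local MFA prompt can be skipped. The attribute name "amr", the grouping of RFC 8176 AMR values into factor types, the "prompt"/"skip" outcomes and the constructed sample assertion are all assumptions for illustration; the actual attribute names and settings Okta expects are in the linked claims-sharing documentation.

```python
# Added example: inspect an upstream SAML assertion for shared AMR claims and
# decide whether a second factor still has to be prompted locally.
# Assumptions (not from the original thread or from Okta): the IdP carries
# AMR values in a SAML attribute named "amr", and the factor groupings below.
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Okta message). Signature, Conditions
# and Audience are omitted on purpose; a real receiver must validate the
# signature, Issuer, Audience and NotOnOrAfter BEFORE trusting anything below.
ASSERTION_TEMPLATE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>{authn_context}</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="amr">
{amr_values}
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# RFC 8176 AMR values, grouped by factor type (grouping is an assumption here).
KNOWLEDGE = {"pwd", "pin"}
POSSESSION = {"otp", "hwk", "swk", "sms", "tel"}
INHERENCE = {"fpt", "face", "iris", "vbm"}


def make_assertion(amr: Iterable[str], authn_context: str = PASSWORD_CONTEXT) -> str:
    """Build a constructed assertion carrying the given AMR values."""
    values = "\n".join(
        f"      <saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in amr
    )
    return ASSERTION_TEMPLATE.format(authn_context=authn_context, amr_values=values)


def extract_amr(assertion_xml: str, attribute_name: str = "amr") -> Set[str]:
    """Collect the values of the AMR attribute from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found: Set[str] = set()
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml2:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                found.add(value.text.strip())
    return found


def extract_authn_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef, or None if the IdP did not send one."""
    root = ET.fromstring(assertion_xml)
    node = root.find(
        ".//saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", SAML_NS
    )
    return node.text.strip() if node is not None and node.text else None


def satisfies_mfa(amr: Set[str]) -> bool:
    """True if the IdP asserted 'mfa' or at least two distinct factor types."""
    if "mfa" in amr:
        return True
    distinct_types = sum(1 for group in (KNOWLEDGE, POSSESSION, INHERENCE) if amr & group)
    return distinct_types >= 2


def decide(assertion_xml: str, require_mfa: bool = True) -> str:
    """'skip' if the shared claims already meet the policy, else 'prompt'.

    require_mfa=False models an "Any 1 factor type" policy: any shared factor
    is enough. With no AMR claim at all there is nothing to trust, so prompt.
    """
    amr = extract_amr(assertion_xml)
    if not amr:
        return "prompt"
    if require_mfa and not satisfies_mfa(amr):
        return "prompt"
    return "skip"


if __name__ == "__main__":
    for values in (["pwd"], ["pwd", "otp"], ["mfa"], []):
        assertion = make_assertion(values)
        print(values, "->", decide(assertion), "/ any-1-factor:", decide(assertion, require_mfa=False))
```

The split between `decide(..., require_mfa=True)` and `require_mfa=False` mirrors the two policy shapes discussed in the thread: a policy that accepts any single factor the IdP already performed, and one that still wants a second factor type unless the upstream assertion proves it. Whatever the policy, the claims are only as trustworthy as the assertion's signature and audience check, which this example deliberately leaves to the real SAML stack.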