I have a single Okta app that we want both external and internal users to log in to. External users will use an external IdP and internal users will use Okta. In the routing rule I have set a check on the domain, and if it matches x then use the external IdP. The issue is that if a user is already logged in to the external IdP and then clicks through to the app, assuming no existing login session, they will be asked for their username before the routing rule can decide which IdP to use. As the external IdP is OIDC, is it possible to check the email claim in order to skip the first step?
Do the IdPs have routing rule conditions? With routing rules you can select which login attributes the user must match. Configure identity provider routing rules
Yes, I have tried both a domain condition and a user attribute condition; both still require the user to input their username if they are already logged in via the external IdP.
There wouldn't be a way within Okta to check the tokens for an external IdP prior to handling the IdP routing.
You could try to set this up outside of Okta. If there is an email claim on the IdP token, then when calling the /authorize endpoint you could bypass the Okta login screen by including the IdP ID in the idp URL parameter on the /authorize call. When the idp parameter is included, the browser is immediately taken to the external IdP to handle login.
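One way the application itself could apply the approach in the answer above, as an added example that is not code from this thread or from Okta. It assumes placeholder values for the Okta issuer, client ID, redirect URI, the external IdP's Okta ID and the routing domain (all hypothetical), and it reads the email claim from the external IdP's ID token without verifying the signature, because the claim is only used as a routing hint: the actual authentication still happens at Okta and at the external IdP once the browser follows the /authorize redirect. The idp value sent to Okta is a fixed constant chosen by the app, never something taken from the request, so a caller cannot steer the login to an arbitrary IdP.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Hypothetical values (assumptions for this example); replace with your tenant's.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"  # assumed authorization server
CLIENT_ID = "0oaexampleclientid"                          # assumed Okta app client ID
REDIRECT_URI = "https://app.example.com/callback"          # assumed app callback
EXTERNAL_IDP_ID = "0oaexampleexternalidp"                  # assumed Okta ID of the external IdP
EXTERNAL_DOMAIN = "partner.example"                        # assumed domain your routing rule matches on


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT WITHOUT verifying it.

    This is deliberate: the email claim is only a hint for choosing the idp
    parameter. Okta and the external IdP still perform the real authentication.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_domain(email):
    """Return the lower-cased domain part of an email address, or None if malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    return domain.lower() if local and domain else None


def choose_idp(id_token):
    """Return the Okta IdP ID to send as ?idp=..., or None to let Okta's own
    sign-in page (and its routing rules) handle the request.

    Any unparseable or unexpected token falls back to None rather than failing,
    so a bad hint only costs the user the username prompt, never access.
    """
    if not id_token:
        return None
    try:
        claims = decode_jwt_payload(id_token)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(claims, dict):
        return None
    if email_domain(claims.get("email")) == EXTERNAL_DOMAIN:
        return EXTERNAL_IDP_ID  # fixed constant, never attacker-supplied
    return None


def build_authorize_url(id_token=None, state=None, nonce=None):
    """Build the Okta /authorize URL, adding idp= only when the email hint matches."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    idp = choose_idp(id_token)
    if idp:
        params["idp"] = idp
    return f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}"


def make_unsigned_test_token(claims):
    """Constructed test helper: an UNSIGNED token with the given claims.
    Only for exercising the routing logic offline; a real IdP token is signed."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}.sig"


if __name__ == "__main__":
    external = make_unsigned_test_token({"email": "alice@partner.example"})
    internal = make_unsigned_test_token({"email": "bob@corp.example"})
    print(build_authorize_url(external, state="s1", nonce="n1"))  # includes idp=
    print(build_authorize_url(internal, state="s2", nonce="n2"))  # no idp=
```

The app would run this when it sees that the user already has a session with the external IdP (for example, the ID token it holds from that IdP), and redirect the browser to the returned URL; with `idp` present Okta sends the browser straight to the external IdP, and with it absent the user lands on the normal Okta sign-in page where the routing rule still applies.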