How to Bypass Okta Sign-in Page in External IdP-initiated Login Flow

Questions OAuth/OIDC
1

Hello!

Our Okta is integrated with these external IdPs using SAML:

  1. Azure AD (Microsoft Entra ID)
  2. Okta (Org2Org)
  3. ADFS

Configuration:

  • Using Okta Hosted Sign-On Widget
  • Our Okta is integrated with custom OIDC App that the external IdP users access
  • IdP routing rules are set up to redirect users to authenticate with their external IdP based on their username format

How can users bypass Okta login page during IdP-initiated login flow to SSO to the OIDC app:
1- User Authenticated with their External IdPs.
2- User navigates directly to the OIDC application URL
3- User gets redirected to Okta to enter their username in Okta Login Page
4 - User enter their username (External IdP username) in Okta Login page
5 - User get logged in to the OIDC app.

Is there a way to bypass 3 & 4? (We’re aware that we can use the routing rules for IPs)

Please let us know if there are any methods to achieve this.

Edit: Has anyone done this via setting the idp={IdP ID} parameter in a login link that users may directly access?
Example: “https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce}”

2

I am not sure that I clearly understand what you are asking for. You are already looking at the idp parameter to the /authorize call: OpenID Connect & OAuth 2.0 API | Okta Developer. The application can bypass the login page and have Okta redirect the user to a specific IdP using that. That may answer your question.

But… you said prior to that the username format was being used to control the routing rules. If that is the case, you cannot bypass the login page because that is where the user puts in the name and the routing rules kick in.

So if you want Okta to make the decision use the login page. If the application has another way to make the decision before calling /authorize, then use ‘idp’. It could be based in IP address, a username given to the app, a button the user clicks, or perhaps giving different URLs to the same app to different people. But, somebody has to make the decision! :slight_smile:

3

Hello, thanks for replying to my post. For my scenario, I’m not sure we will take the approach of configuring it in the application but I did want to confirm that using ‘idp’ is a method to bypass Okta login page. Maybe understanding the reasoning on why Okta displays the login page can lead me to a solution. Thanks again.