Hello,
We implemented routing rules in Okta to direct users to specific resource servers based on their profiles. The routing works perfectly for the initial login flow:
- The user enters their username.
- Routing rules are applied.
- The user is routed to the appropriate resource server to authenticate by entering their password.
However, we encounter an issue when a user logs back into our Okta portal while they still have an active session (session_hint). Instead of following the routing rules, the user is immediately redirected to the Okta Dashboard. This is problematic since they do not have permissions for the Okta Dashboard.
Our goal is to enforce the routing rules consistently, even if a user has an active session.
Workaround Attempted
We devised a workaround involving custom URLs:
- URL1 (url1.mycompany.com) is set as the default application for the Okta Sign-In Widget.
- URL1's application automatically redirects to URL2 (url2.mycompany.com/signin/logout), which logs the user out.
This forces the flow to apply the routing rules. However, this solution is not ideal because:
- It logs out users regardless of whether they are actively logged in.
- It relies on custom logic, which feels fragile and not scalable.
Questions
- Is there a way to enforce routing rules directly in Okta, even when a user has an active session?
- Could I, maybe, customize the login page HTML to perform a sign-out only if the user has an active session and no client ID in the context?
Thank you for your guidance!
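As an added example (not code from the original post or from Okta), the decision logic the second question sketches, written so it can be exercised offline: sign out only when an Okta session already exists and no target application (client ID) is present, and otherwise leave the widget flow alone. The wiring is an assumption: `authClient` is assumed to have the shape of Okta Auth JS (`session.exists()` and `closeSession()`), and `requestContext` is assumed to be the object a hosted custom sign-in page gets from `OktaUtil.getRequestContext()`, with the target app under `target.clientId`; verify both against your tenant before relying on them. The fake client at the bottom is constructed for the demo.

```javascript
// Added example, not part of the original post. Assumed interfaces:
//   authClient.session.exists() -> Promise<boolean>   (Okta Auth JS shape)
//   authClient.closeSession()   -> Promise            (Okta Auth JS shape)
//   requestContext              -> { target: { clientId } } (hosted page, assumed)

// Resolve the target application's client ID, or null if none is known.
function resolveClientId(location, requestContext) {
  // Prefer the hosted page's request context (assumed shape), then fall back
  // to a client_id query parameter, e.g. from a direct /authorize link.
  const fromContext = requestContext && requestContext.target && requestContext.target.clientId;
  if (typeof fromContext === 'string' && fromContext !== '') return fromContext;
  const params = new URLSearchParams((location && location.search) || '');
  const fromQuery = params.get('client_id');
  return fromQuery && fromQuery !== '' ? fromQuery : null;
}

// A sign-out is forced only when BOTH hold: an Okta session already exists
// (so the widget would skip the username step and land on the dashboard)
// AND no client ID is present (so no app-initiated flow is in progress that
// the routing rules already handled). Users without a session are untouched.
function shouldForceSignout(sessionExists, clientId) {
  return sessionExists === true && clientId === null;
}

// Orchestrates the check. Returns 'signout' after closeSession() succeeded,
// 'continue' when the normal widget flow should proceed. The redirect back to
// the sign-in page belongs after 'signout', never before the session is gone,
// so a failed logout cannot turn into a redirect loop.
async function enforceRoutingRules(authClient, location, requestContext) {
  const clientId = resolveClientId(location, requestContext);
  const sessionExists = await authClient.session.exists();
  if (!shouldForceSignout(sessionExists, clientId)) {
    return 'continue';
  }
  await authClient.closeSession();
  return 'signout';
}

// Constructed fake standing in for Okta Auth JS so the file runs offline.
function fakeAuthClient(hasSession) {
  const calls = [];
  return {
    calls,
    session: { exists: async () => hasSession },
    closeSession: async () => { calls.push('closeSession'); },
  };
}

// Three constructed scenarios: active session with no app, active session
// with an app-initiated flow, and no session at all.
async function demo() {
  const results = {};
  results.activeNoClient = await enforceRoutingRules(fakeAuthClient(true), { search: '' }, null);
  results.activeWithClient = await enforceRoutingRules(
    fakeAuthClient(true), { search: '?client_id=0oaCONSTRUCTED&state=abc' }, null);
  results.noSession = await enforceRoutingRules(fakeAuthClient(false), { search: '' }, null);
  return results;
}

demo().then((r) => console.log(r));
```

On a hosted custom sign-in page this would run before `renderEl`, roughly as `enforceRoutingRules(oktaSignIn.authClient, window.location, OktaUtil.getRequestContext())`, reloading the page when it returns 'signout' so the widget renders the username prompt and the routing rules apply; `oktaSignIn.authClient` and `OktaUtil` are assumed names here. Two caveats worth checking in a test tenant: `closeSession()` ends only the Okta session, so a session at the downstream resource server may survive and should be verified separately, and the Okta Dashboard redirect is better closed off by denying those users dashboard access in policy than by relying on client-side code alone, since a browser that skips the page's script still reaches the default landing page.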