Auth0 Users Prompted for Email with Okta Workforce OIDC Connection via IdP-Initiated Login.
This article explains why Auth0 users may be forced to re-enter their email address when signing in to an Okta Workforce connection from the Okta portal directly.
- Okta Workforce
- OpenID Connect (OIDC)
- Identity Provider (IdP)-Initiated Login
Okta Workforce connections use the OpenID Connect (OIDC) protocol for Single Sign-On (SSO). When users sign in to an Okta Workforce connection by clicking the corresponding app tile in their Okta portal, they are forced to re-enter their email address, even though they already have an existing Okta session. This happens because clicking the tile is equivalent to an Identity Provider (IdP)-initiated login flow, which the OIDC protocol does not support: the flow never starts with an authorization request from Auth0, so the existing Okta SSO session does not automatically propagate to the application.
To enable a seamless sign-in experience without re-entering credentials, use one of the following methods:
Configure a Custom SAML Connection
Because the Security Assertion Markup Language (SAML) protocol natively supports IdP-initiated flows, replacing the OIDC connection with a custom SAML connection resolves the prompt. Follow the steps in the Configure Okta as SAML Identity Provider guide.
Use the Okta Bookmark App
If maintaining the OIDC connection is required, use the Okta Bookmark App to simulate an IdP-initiated flow. This acts as a relay to trigger an SP-initiated flow that preserves the user session.
- Create a bookmark app.
- Set the URL for the new Bookmark App to point to the Auth0 Universal Login page with the specific connection, replacing <assignedConnectionName> with the name of the SSO connection: https://<domain>/login?connection=<assignedConnectionName>
- Simulate the IdP-initiated flow from the bookmark app.
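The following Python is an added example, not code from the article or from Auth0 or Okta. It builds the Bookmark App URL from the tenant domain and connection name, and it checks the redirect that a Universal Login page with a pinned connection produces, to confirm that the relay really starts an SP-initiated OIDC authorization request (carrying an RP-minted state and nonce) toward the expected Okta org. The connection-name pattern, the sample Location header, and the host names are constructed assumptions for this example.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed character set for an Auth0 connection name; this pattern is an
# assumption for this example, not Auth0's documented validation rule.
_CONNECTION_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$")


def build_bookmark_url(auth0_domain: str, connection: str) -> str:
    """Return the URL to configure in the Okta Bookmark App.

    The URL targets Auth0's Universal Login page with the connection pinned,
    so clicking the tile makes Auth0 (the relying party) open an SP-initiated
    OIDC flow back to Okta (the OpenID provider) instead of an IdP-initiated one.
    """
    if not _CONNECTION_NAME.match(connection):
        raise ValueError(f"invalid connection name: {connection!r}")
    if not auth0_domain or "/" in auth0_domain:
        raise ValueError("auth0_domain must be a bare host name")
    return f"https://{auth0_domain}/login?{urlencode({'connection': connection})}"


# Parameters an SP-initiated OIDC authorization request carries. state and
# nonce are minted by the relying party when it issues the request, which is
# why an IdP-initiated entry (no request ever left the RP) cannot be accepted.
REQUIRED_AUTHZ_PARAMS = (
    "client_id", "redirect_uri", "response_type", "scope", "state", "nonce",
)


def check_sp_initiated_redirect(location: str, expected_issuer_host: str) -> list[str]:
    """Inspect the Location header returned after the bookmark URL is opened.

    Returns a list of problems; an empty list means the redirect looks like a
    well-formed SP-initiated authorization request to the expected Okta org.
    """
    problems = []
    u = urlparse(location)
    if u.scheme != "https":
        problems.append("redirect is not https")
    if u.netloc != expected_issuer_host:
        problems.append(f"unexpected issuer host {u.netloc!r}")
    q = parse_qs(u.query)
    for p in REQUIRED_AUTHZ_PARAMS:
        if p not in q or not q[p][0]:
            problems.append(f"missing {p}")
    if "openid" not in q.get("scope", [""])[0].split():
        problems.append("scope lacks openid")
    return problems


# Constructed sample redirect in the shape of an OIDC authorization request.
# Hosts and parameter values are placeholders, not captured from a real tenant.
SAMPLE_LOCATION = (
    "https://example.okta.com/oauth2/v1/authorize?"
    "client_id=0oaEXAMPLE"
    "&redirect_uri=https%3A%2F%2Fexample.auth0.com%2Flogin%2Fcallback"
    "&response_type=code&scope=openid+profile+email"
    "&state=abc123&nonce=n-0S6_WzA2Mj"
)

if __name__ == "__main__":
    print(build_bookmark_url("example.auth0.com", "okta-workforce"))
    print(check_sp_initiated_redirect(SAMPLE_LOCATION, "example.okta.com"))
```

To use the checker against a live tenant, open the bookmark URL with redirects disabled and pass the returned Location header and your Okta org host; any non-empty result points at a connection that is not relaying into a proper SP-initiated request.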