
I definitely agree with you that better warnings and more graceful session timeout behavior would be a huge improvement. It's hard with the current auth standards where the IdP is only in the loop during the initial auth; it'd be on each app to gracefully notify and handle soon-to-expire sessions. That's pretty unreasonable across the large swath of SaaS apps and vendors (given how many have pretty buggy/difficult to integrate SAML implementations). When you throw a CASB or proxy like Cloudflare Access in front of everything then you're fully in the loop, but that's a bit much for a lot of use cases.

> Then let's talk about Okta in particular requiring three separate pages and clicks for user, pass, otp

That's on your IDAM / Security team and how they've configured Okta/mandated requirements. Okta has fully passwordless, phish resistant, automatic flows with Verify on Mac/Win.


