
Okta MFA policy results in 401 #1149

Open
tristansirrico opened this issue Oct 19, 2023 · 4 comments

Comments

@tristansirrico

Hey all, looking for some advice/guidance on successfully requiring MFA (Okta Verify, either push or TOTP) on every saml2aws login.

I am able to use saml2aws to authenticate to Okta when our app authentication policy for AWS is set to just password.

However when the authentication policy is set to "any two factor", saml2aws throws an error after the user specifies their password.

Error authenticating to IdP.: error retrieving auth response: request for url: https://{org}.okta.com/api/v1/authn failed status: 401 Unauthorized

Is there a certain way to configure the authentication policy within Okta?

@SkiLov3

SkiLov3 commented Nov 28, 2023

You need to check your Global Sessions Policy. If it is asking for an MFA requirement you will get a 401. We ran into this issue as well.

@tristansirrico
Author

> You need to check your Global Sessions Policy. If it is asking for an MFA requirement you will get a 401. We ran into this issue as well.

Thanks for the suggestion. Our Global Sessions Policy already wasn't enforcing MFA, so I'm not sure why AWS is still giving such trouble here.

@SkiLov3

SkiLov3 commented Nov 29, 2023

What I would do is go to Reports --> Access Testing Tool in the Admin console and test for a user experiencing the issues, then hit list view and see all the policies they are hitting. The issue is in there somewhere.

@Desperion

Desperion commented Mar 25, 2024

Just got the same issue today for our AWS users.
Here's what I see:

  1. User can authenticate with 2 factors if it's requested by Global Session Policy
  2. User cannot authenticate with 2 factors if the application policy in Okta requires step-up 2nd factor and global policy doesn't.

Had to reroute users to use Browser flow
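As an added illustration (not saml2aws code and not posted by anyone in this thread): a small Python triage helper that maps what Okta's `POST /api/v1/authn` returns to the three situations described above, so an operator can tell the working Global Session Policy MFA path (`MFA_REQUIRED`) from the failing app-policy step-up path (HTTP 401). The sample responses are constructed, not captured from a real tenant, and the error code is a placeholder.

```python
import json

# Constructed sample responses (not captured from a real Okta tenant); the
# status values follow Okta's public Authentication API for POST /api/v1/authn.
SAMPLE_RESPONSES = {
    "password_only_policy": (200, '{"status": "SUCCESS", "sessionToken": "<placeholder>"}'),
    "session_policy_mfa": (200, '{"status": "MFA_REQUIRED", "stateToken": "<placeholder>", '
                                '"_embedded": {"factors": [{"factorType": "push", "provider": "OKTA"}, '
                                '{"factorType": "token:software:totp", "provider": "OKTA"}]}}'),
    "app_policy_step_up": (401, '{"errorCode": "<placeholder>", "errorSummary": "Authentication failed"}'),
}


def classify_authn_response(http_status: int, raw_body: str) -> tuple:
    """Map an /api/v1/authn reply to (outcome, operator note).

    outcome is one of: success, mfa_required, unauthorized, unexpected.
    """
    try:
        body = json.loads(raw_body) if raw_body else {}
    except json.JSONDecodeError:
        body = {}

    if http_status == 401:
        # The symptom in this thread: primary auth is rejected before any MFA
        # challenge, so the client never receives a stateToken to verify a factor.
        return ("unauthorized",
                "Primary authentication rejected; no MFA challenge was offered. "
                "Compare the app's authentication policy with the Global Session Policy "
                "(Reports -> Access Testing Tool lists the policies the user hits).")
    if http_status != 200:
        return ("unexpected", f"HTTP {http_status}: {body.get('errorSummary', 'no error summary')}")

    status = body.get("status")
    if status == "SUCCESS":
        return ("success", "Password-only policy: no second factor was enforced on this login.")
    if status == "MFA_REQUIRED":
        # Session-policy MFA: the client gets a stateToken plus the enrolled factors to verify.
        factors = [f.get("factorType") for f in body.get("_embedded", {}).get("factors", [])]
        return ("mfa_required",
                "Session policy requires a second factor; the client can continue with one of: "
                + ", ".join(factors))
    return ("unexpected", f"Unhandled transaction status {status!r}")


def triage_all(samples=SAMPLE_RESPONSES) -> dict:
    """Run every constructed sample through the classifier and return name -> outcome."""
    return {name: classify_authn_response(code, body)[0] for name, (code, body) in samples.items()}


if __name__ == "__main__":
    for name, (code, body) in SAMPLE_RESPONSES.items():
        outcome, note = classify_authn_response(code, body)
        print(f"{name}: HTTP {code} -> {outcome}\n    {note}")
```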
