Error "SAML Assertion credentials cannot be used with MFA enabled"
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article explains the following error that occurs when Multi-Factor Authentication (MFA) is enabled for an application that uses a Security Assertion Markup Language (SAML) assertion grant type:

{
  "error": "invalid_grant",
  "error_description": "SAML Assertion credentials cannot be used with MFA enabled."
}
Applies To

  • Multi-factor Authentication (MFA)
  • API Access Management
  • SAML 2.0 Assertion grant
Cause

According to the SAML 2.0 Assertion flow documentation, the SAML Assertion is sent to the /token endpoint. This endpoint does not support or handle MFA prompts.

Solution

For a SAML assertion grant type, any MFA requirements must be fulfilled during the initial SAML request flow.
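
As an added illustration (not Okta's code), the following Python sketch builds the form body for the SAML 2.0 Assertion grant as RFC 7522 defines it and shows how a calling service can tell this MFA error apart from other invalid_grant responses. The function names, the outcome labels, the "openid" scope and the sample assertion are assumptions made for the example.

```python
import base64
import json
from urllib.parse import urlencode

# Grant type URN that RFC 7522 defines for SAML 2.0 bearer assertions.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
# Error text exactly as quoted in this article.
MFA_ERROR = "SAML Assertion credentials cannot be used with MFA enabled."


def build_token_body(assertion_xml: bytes, scope: str) -> str:
    """Form-encode the POST body for /token; RFC 7522 wants base64url."""
    encoded = base64.urlsafe_b64encode(assertion_xml).decode("ascii")
    return urlencode(
        {"grant_type": SAML2_BEARER, "assertion": encoded, "scope": scope}
    )


def classify_token_response(status: int, body: str) -> str:
    """Map a /token response to the action the calling service should take."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected_response"
    if not isinstance(payload, dict):
        return "unexpected_response"
    if status == 200 and "access_token" in payload:
        return "token_issued"
    if payload.get("error") == "invalid_grant":
        if str(payload.get("error_description", "")).strip() == MFA_ERROR:
            # /token cannot prompt for a factor: MFA has to be satisfied
            # in the initial SAML request flow, so surface this to an operator.
            return "mfa_must_be_met_in_saml_flow"
        # Any other invalid_grant: the assertion itself was not accepted.
        return "assertion_rejected"
    return "other_error"


# Constructed sample inputs (not captured traffic).
SAMPLE_ASSERTION = b"<saml2:Assertion ID='constructed-example'/>"
SAMPLE_ERROR = json.dumps({"error": "invalid_grant", "error_description": MFA_ERROR})

if __name__ == "__main__":
    print(build_token_body(SAMPLE_ASSERTION, "openid"))
    print(classify_token_response(400, SAMPLE_ERROR))
```

Treating the MFA case as its own outcome keeps a client from resubmitting the assertion to /token when the requirement can only be met in the SAML request flow.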

 
