This article clarifies that neither OpenID Connect (OIDC) nor Security Assertion Markup Language (SAML) Identity Providers (IdPs) are supported as Multi-Factor Authentication (MFA) factors within an embedded Sign-In Widget.
If a user attempts to satisfy an MFA challenge with an IdP factor in an embedded (self-hosted) Sign-In Widget, the authentication flow fails and the user is redirected to an error page.
Example error page message:
Your request resulted in an error. The authorize request_uri is invalid.
The System Log records the failure as:
eventType=app.oauth2.authorize, reason="invalid_request_uri", result=FAILURE.
- Identity Provider Authenticator
- SAML
- OIDC
- Embedded Sign-In Widget
The IdP Authenticator completes its challenge by redirecting the user through the OIDC or SAML flow and back to the Relying Party (RP). This redirection logic is designed for Okta-hosted deployment models. In an embedded deployment, the backend generates a unique Uniform Resource Name (URN) for the redirection. This flow is supported for Single Sign-On (SSO), but it is not supported when the IdP is used explicitly as an MFA Authenticator within the embedded widget.
Both OIDC and SAML IdPs as authenticators are only supported with Okta-hosted logins.
To support this type of authenticator, use the redirect deployment model instead of the embedded one. See our docs for the pros and cons of each: Okta deployment models - redirect vs. embedded.
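The System Log signature above is the quickest way to spot an embedded widget that has been configured with an IdP MFA factor. The following is an added example, not code from the article or from Okta: it scans JSON System Log records for `app.oauth2.authorize` events with outcome `FAILURE` / `invalid_request_uri` and counts them per user. The sample records are constructed, and the `outcome.result`, `outcome.reason` and `actor.alternateId` field names are assumed to follow the Okta System Log JSON shape.

```python
import json
from collections import Counter

# Constructed sample System Log records (not real Okta data). Field names
# beyond eventType/result/reason on the page are assumptions about the
# Okta System Log JSON shape.
SAMPLE_LOG_LINES = [
    '{"eventType": "app.oauth2.authorize", "outcome": {"result": "FAILURE", "reason": "invalid_request_uri"}, "actor": {"alternateId": "alice@example.com"}}',
    '{"eventType": "app.oauth2.authorize", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"}}',
    '{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}}',
    '{"eventType": "app.oauth2.authorize", "outcome": {"result": "FAILURE", "reason": "invalid_client"}, "actor": {"alternateId": "carol@example.com"}}',
    '{"eventType": "app.oauth2.authorize", "outcome": {"result": "FAILURE", "reason": "invalid_request_uri"}, "actor": {"alternateId": "alice@example.com"}}',
]


def is_embedded_idp_mfa_failure(event: dict) -> bool:
    """True when the event matches the signature the article describes."""
    outcome = event.get("outcome") or {}
    return (
        event.get("eventType") == "app.oauth2.authorize"
        and outcome.get("result") == "FAILURE"
        and outcome.get("reason") == "invalid_request_uri"
    )


def find_failures(log_lines) -> list:
    """Parse JSON log lines and return matching events; malformed lines are skipped."""
    matches = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and is_embedded_idp_mfa_failure(event):
            matches.append(event)
    return matches


def failures_by_user(log_lines) -> dict:
    """Count matching events per actor login to see which users hit the error."""
    counts = Counter(
        (e.get("actor") or {}).get("alternateId", "<unknown>")
        for e in find_failures(log_lines)
    )
    return dict(counts)


if __name__ == "__main__":
    for user, n in failures_by_user(SAMPLE_LOG_LINES).items():
        print(f"{user}: {n} invalid_request_uri authorize failure(s)")
```

A burst of these failures from users who are otherwise signing in normally usually points at the embedded widget configuration rather than at the users.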