Receiving the following error when attempting a SAML Assertion Token Exchange Flow:
SAML Assertion credentials cannot be used with MFA enabled.
Applies to:
- Okta Identity Engine (OIE)
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML) Identity Provider (IdP)
- SAML Assertion Token Exchange
There are a few possible causes:
- The SAML IdP is configured to trust claims from the IdP, but the IdP is not sending the claim.
- The Application Sign-On Policy used by the OIDC application for the Token Exchange requires a higher level of assurance than Password/IdP.
- Progressive Profiling is triggered by a missing attribute required by the User Profile policy that the OIDC application used for the Token Exchange is assigned to.
Resolution:
- Edit the SAML IdP configuration being used for the Token Exchange (Security > Identity Providers > select the used SAML IdP > Edit IdP). Perform one of the following actions:
  - Disable both of the following options under Authentication Settings:
    - Trust claims from this identity provider
    - Trust AMR claims from this identity provider
  - Verify that the IdP is sending the required session.amr attribute statement, as documented in the Third-party SAML 2.0 IdP authentication claims sharing documentation.
- Edit the Application Sign-On policy (Security > Authentication Policies > App Sign In > Edit). Verify the rule is set to Password/IdP only.
NOTE: The Global Session Policy Configuration does not apply; only the Application Sign-On policy needs to be set to Password/IdP.
- Ensure the OIDC application is assigned to a User Profile policy that does not allow progressive profiling.
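As an added check for the session.amr step above (example code, not Okta's): this Python snippet parses a SAML assertion and reports whether the session.amr attribute statement is present and which values it carries. Both assertions are constructed samples, and the AMR values pwd and mfa are assumed for illustration.

```python
# Added example (not Okta's code): inspect a SAML assertion for the
# session.amr attribute statement that Okta expects when "Trust claims from
# this identity provider" is enabled. An empty result points at the first
# cause listed above (the IdP is not sending the claim).
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AMR_ATTR = "session.amr"


def amr_values(assertion_xml: str) -> list[str]:
    """Return the AttributeValue texts of the session.amr attribute, in order.

    Works on a bare <saml:Assertion> or on a <samlp:Response> wrapping one.
    For assertions from an untrusted source, parse with defusedxml instead.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != AMR_ATTR:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def has_amr_claim(assertion_xml: str) -> bool:
    """True if the IdP sent at least one non-empty session.amr value."""
    return bool(amr_values(assertion_xml))


# Constructed sample: an assertion that carries the claim.
ASSERTION_WITH_AMR = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="session.amr">
      <saml:AttributeValue>pwd</saml:AttributeValue>
      <saml:AttributeValue>mfa</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: same assertion with the claim omitted.
ASSERTION_WITHOUT_AMR = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run the check against an assertion captured from the IdP's SAML response (for example from a browser SAML tracer) before adjusting the Okta-side settings.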
