414 error on sessioncookieredirect call

Hello Okta team,

I am reporting a bug that I observed: a 414 error on a simple SAML/SSO setup with SMS MFA enabled.

Steps to reproduce:

  1. bring up my web application
  2. redirect to Okta login page
  3. enter correct credentials, which brings up the SMS verification page.
  4. click on Send Code
  5. wait long enough (5+ minutes), then enter the received SMS code
  6. it brings you back to the login page (step 2) with the message “Your session has expired, please try to sign-in again”
  7. repeat 3 and 4
  8. enter the correct SMS code (without waiting)
  9. get the error page “414 Request-URI Too Large”

In step 9, SAML-tracker shows that sessionCookieRedirect is a GET request (which is known to be unable to handle a large request). I believe it should be using the POST method. In the normal flow, after steps 1-4, if I enter the correct SMS code without waiting long, SAML-tracker shows the sessionCookieRedirect call as a POST request and authentication gets through (with a POST to saml/SSO back to my application).