Re-authentication failure (connection refused)

I would like to open a new case:

The saml2 authentication on our site is working the first time it is referenced, resulting in an authenticated session.

However, when I use that same session to re-authenticate (using ForceAuthn=”true”), the sent url gets “ refused to connect.”

I cannot see why there is any difference in the messages, so why is it failing to re-authenticate?

I have some more information on this problem:
If the authenticate request is sent from a main page in the browser, it works fine, even with ForceAuthn=true and when the user has already authenticated.
HOWEVER, when the authenticate request to Okta is sent from a dependent popup page, the connection is refused. Apparently, Okta requires a full page to render its login.
Is there some workaround for this?