Support for application-level MFA sign on policies


I am referring to this:

As we would like to honor MFA for any application that requires it over the API. In our case, users are not directly bound to MFA but we would like to require MFA depending on the target application (such as a production AWS account as opposed to non production).

We are currently leveraging a simple module: which understands user based MFA.

Are there any similar use cases out there that have been solved? I hope it’s not “screen scraping” Okta UI.


We recently added support for integrating per-app MFA step-up with the Okta Sign-In Widget and Auth.js SDK with a new feature “APP_SSO_STEPUP_VIA_AUTHN_API” that needs to be enabled for your Okta org. This feature will redirect a stateToken to the the configured application-level login page that can be used with the Authentication API.

We haven’t integrated this work yet with AWS Assume Role CLI. This is something we plan to investigate later this year.


Are there any updates on this to be supported in AWS CLI Tool?


Does ‘APP_SSO_STEPUP_VIA_AUTHN_API’ FF work with OIDC apps ? I have an OIDC application that has an app level sign on policy requiring MFA. I’m using Okta Auth JS SDK.

var authClient = new OktaAuth({
url: ‘’,
clientId: ‘0oag9uhyq6uI7Nef60h7’, // This OIDC app has an app level sign on policy for MFA
redirectUri: ‘http://localhost/xxx

username: document.getElementById(“username”).value,
password: document.getElementById(“password”).value

When I sign in, on successful authentication, I"m getting the session token. Instead of that,can it return a stateToken so that I can complete the app level MFA. Is this possible ?