SSO with MFA for SaaS Services

Q1: If a SaaS service supports SSO, does that automatically mean it supports MFA?

Answer: No, it does not automatically mean MFA is supported or enforced.

Single Sign-On (SSO) delegates authentication to an Identity Provider (IdP); Multi-Factor Authentication (MFA) is a separate control that must be explicitly configured, usually as a sign-on or access policy at the IdP. A SaaS application that supports SSO has no control over whether MFA ran, and it only has visibility into it if the IdP asserts the authentication method in the token (the SAML AuthnContextClassRef, or the OIDC amr/acr claims) and the application actually checks that value, which few applications do.

Here’s why:

  • SSO: Delegates authentication to the IdP (e.g., Azure AD, Okta).
  • MFA: Must be configured and enforced at the IdP level. The SaaS app relies on the IdP to verify that MFA occurred.

Examples of What Could Go Wrong:

  • If the IdP is not enforcing MFA, the SaaS app will still accept the SSO token; from the app's side a password-only login and an MFA login look the same unless it inspects the asserted authentication context.
  • If the SaaS app allows fallback logins (e.g., local username/password, or direct API credentials it issues itself), those paths never touch the IdP, and MFA must be configured separately for each of them or they must be disabled.

Best Practice:

Enforce MFA at the IdP and configure the SaaS application to only allow login via SSO where possible.


Q2: How does MFA work in an IdP-Initiated SSO flow?

Flow Overview:

User → IdP → MFA Prompt → SSO Token → SaaS App → Authenticated Session

Step-by-Step:

  1. User navigates to the IdP portal (e.g., Okta, Azure AD) and selects the SaaS app.
  2. User enters their credentials (username/password) at the IdP login screen.
  3. If MFA is enabled, the IdP challenges the user (via app, SMS, FIDO2 key, etc.).
  4. Upon successful MFA, the IdP issues a signed SAML assertion. (IdP-initiated SSO is a SAML feature; OIDC has no direct equivalent, and its third-party-initiated login only sends the user to the app to start an SP-initiated flow.)
  5. The browser posts the assertion to the SaaS application's Assertion Consumer Service (ACS) URL as an unsolicited response; there is no request ID for the app to match it against.
  6. The SaaS app validates the token and grants access.

Important Note:

The SaaS application never sees the MFA step itself. It trusts the IdP and acts only on the received assertion; the most it can learn about how the user authenticated is the AuthnContextClassRef the IdP chose to include. Because an unsolicited response cannot be tied to a request the app sent (there is no InResponseTo to check), the app's only defences against a captured assertion being replayed are the assertion's short validity window and a cache of already-seen assertion IDs. This is one reason many service providers prefer, or only allow, SP-initiated flows.


Q3: How does MFA work in an SP-Initiated SSO flow?

Flow Overview:

User → SaaS App → Redirect to IdP → MFA Prompt → SSO Token → SaaS App → Authenticated Session

Step-by-Step:

  1. User starts at the SaaS application login page (e.g., Salesforce).
  2. The SaaS app redirects the user to the IdP's SSO endpoint with an authentication request (a SAML AuthnRequest or an OIDC authorization request). The request can ask for a stronger authentication context (SAML RequestedAuthnContext, OIDC acr_values), but whether that is honoured is up to the IdP's policy.
  3. The user enters their credentials at the IdP.
  4. The IdP enforces MFA if configured, challenging the user appropriately.
  5. Once authentication + MFA is complete, the IdP issues a signed token.
  6. The user is redirected back to the SaaS app with the token (a SAML Response posted to the ACS URL, or an OIDC authorization code that the app exchanges for an ID token).
  7. The SaaS app validates the token and grants access.

Conclusion:

Just like in IdP-initiated flows, MFA enforcement is decoupled from the SaaS app; the app relies on the IdP for it. The difference is that here the app issued the request, so it can bind the response to that request (InResponseTo in SAML, state and nonce in OIDC) and it can ask for an MFA authentication context, which it should then verify in the response rather than assume.
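To make the difference between the two flows concrete, here is an added example (not code from the original page) of the checks a SaaS app's SAML endpoint should run on the assertion it receives in either case. It assumes a SAML library has already verified the XML signature over the response (python3-saml or xmlsec do this); the function then checks issuer, audience, validity window, the InResponseTo binding (present only in the SP-initiated case) and whether the AuthnContextClassRef the IdP returned is one the app recognises as MFA. The issuer and app URLs, the vendor-specific MFA context URI and the sample responses are constructed for the example.

```python
"""SP-side content checks on a SAML 2.0 Response, with and without a request to bind to.

Added example, not code from the original page. The XML signature is assumed to
have been verified already by a SAML library; these are the content checks the
SaaS app still has to make. All names, URLs and sample responses are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SKEW = timedelta(minutes=2)  # tolerated clock skew between IdP and SP

# Standard SAML 2.0 authentication-context classes that imply a second factor,
# plus a constructed placeholder for the vendor-specific URI a real IdP emits
# for MFA (that value is not standardised; take it from the IdP's documentation).
MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "https://idp.example.com/ac/classes/mfa",  # constructed placeholder
}


def _t(value):
    """Parse an xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_window(cond, now):
    """True if now lies inside Conditions/@NotBefore..@NotOnOrAfter (NotBefore is optional)."""
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False  # refuse assertions with no expiry
    nb = cond.get("NotBefore")
    return (nb is None or _t(nb) - SKEW <= now) and now < _t(cond.get("NotOnOrAfter")) + SKEW


def validate_response(xml_text, issuer, audience, in_response_to, now, require_mfa=True):
    """Return {check: bool, ..., "ok": bool, "authn_context": str}.

    in_response_to is the ID of the AuthnRequest this SP sent (SP-initiated flow),
    or None for an unsolicited, IdP-initiated Response, which carries no such ID.
    """
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"ok": False, "authn_context": ""}
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                     default="", namespaces=NS).strip()
    audiences = [(e.text or "").strip()
                 for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    checks = {
        "issuer": a.findtext("saml:Issuer", default="", namespaces=NS).strip() == issuer,
        "audience": audience in audiences,
        "time_window": _in_window(a.find("saml:Conditions", NS), now),
        # SP-initiated: the assertion must answer the request this SP sent.
        # IdP-initiated: there is no request to bind to, so the validity window
        # and a cache of already-seen assertion IDs are the only replay defences.
        "in_response_to": (scd.get("InResponseTo") if scd is not None else None) == in_response_to,
        # MFA only counts if the IdP asserted a context class this SP recognises.
        "mfa": (not require_mfa) or ctx in MFA_CONTEXTS,
    }
    checks["ok"] = all(checks.values())
    checks["authn_context"] = ctx
    return checks


def sample_response(in_response_to, authn_context, issued):
    """Build a constructed, unsigned Response (real ones carry an XML signature)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb, noa = issued.strftime(fmt), (issued + timedelta(minutes=5)).strftime(fmt)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{irt} Recipient="https://app.example.com/saml/acs" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{nb}"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


ISSUER, AUDIENCE = "https://idp.example.com", "https://app.example.com"
MFA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
PWD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def demo(now=datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)):
    """Validate four constructed responses: SP-initiated with MFA, IdP-initiated
    with password only, a replay against the wrong request ID, and an expired one."""
    issued = now - timedelta(seconds=30)
    sp = sample_response("_req42", MFA, issued)
    idp = sample_response(None, PWD, issued)
    return {
        "sp_initiated_mfa": validate_response(sp, ISSUER, AUDIENCE, "_req42", now),
        "idp_initiated_no_mfa": validate_response(idp, ISSUER, AUDIENCE, None, now),
        "replayed_wrong_request": validate_response(sp, ISSUER, AUDIENCE, "_req99", now),
        "expired": validate_response(sp, ISSUER, AUDIENCE, "_req42", now + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result['ok']} context={result['authn_context']}")
```

The IdP-initiated response in the demo fails only on the MFA check: structurally it is a valid assertion, which is exactly why an app that does not look at the authentication context cannot tell a password-only login from an MFA login.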


Q4: Summary – Where Should MFA Be Enforced?

MFA should always be enforced at the IdP, not the SaaS application. Whether the flow is IdP-initiated or SP-initiated, the SaaS app only receives a token after authentication; it cannot verify that MFA occurred unless the IdP enforces it, asserts the authentication method in the token, and the app checks that assertion.

Best Practices:

  • Enforce MFA at the Identity Provider using its access or sign-on policies (Conditional Access in Microsoft Entra ID, sign-on policies in Okta).
  • Disable non-SSO login paths in the SaaS app (local passwords, fallback logins) to prevent bypassing the IdP.
  • Use short-lived, signed tokens; on every response validate the signature, issuer, audience, validity window and the request binding (InResponseTo for SAML, state and nonce for OIDC).
  • Where the app supports it, require an MFA authentication context in the token (SAML AuthnContextClassRef, OIDC amr/acr) and reject tokens that lack one.
  • Audit login flows in both the IdP and the SaaS platform to confirm MFA was applied: the IdP's sign-in logs record the MFA result, the app's logs record what it accepted.
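As an added example of the last three practices for an OIDC app (not code from the original page), the following verifies an ID token's signature, issuer, audience, lifetime and nonce, and then decides whether the token asserts MFA from its amr/acr claims (amr values as defined in RFC 8176). It uses the HS256 signing option from the OIDC spec, where the ID token is signed with the client secret, so it runs with the Python standard library alone; with an IdP that signs with RS256 the HMAC check is replaced by a JWT library and the IdP's JWKS endpoint, and the claim checks stay the same. The issuer, client ID, nonce, secret, acr value and tokens are constructed for the example.

```python
"""SP-side verification of an OIDC ID token, including whether MFA was asserted.

Added example, not code from the original page. HS256 (client-secret HMAC) is
used so the demo is self-contained; the claim checks are the same for RS256.
All names, URLs, the secret and the tokens are constructed.
"""
import base64
import hashlib
import hmac
import json

# RFC 8176 "amr" values grouped by factor type, used when the IdP does not emit
# the explicit "mfa" value. Which values an IdP emits is IdP-specific.
KNOWLEDGE = {"pwd", "pin", "kba"}
POSSESSION = {"otp", "hwk", "swk", "sc", "sms", "tel"}
INHERENCE = {"fpt", "face", "iris", "retina", "vbm"}
MFA_ACR = {"urn:example:acr:mfa"}  # constructed placeholder for an IdP's MFA acr value
SKEW = 120  # seconds of tolerated clock skew


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mfa_asserted(claims):
    """True if the token says a second factor was used, explicitly or by method mix."""
    amr = set(claims.get("amr") or [])
    if "mfa" in amr or claims.get("acr") in MFA_ACR:
        return True
    # No explicit marker: count how many distinct factor categories were used.
    return sum(bool(amr & cat) for cat in (KNOWLEDGE, POSSESSION, INHERENCE)) >= 2


def sign_hs256(claims, secret):
    """Mint a HS256 JWT; stands in for the IdP in this demo only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, secret, issuer, client_id, nonce, now, require_mfa=True):
    """Return (claims, failures); an empty failures list means the token is acceptable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, ["malformed"]
    h, p, s = parts
    # Pin the algorithm: never let the token choose it ("alg":"none", key confusion).
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        return None, ["alg"]
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None, ["signature"]  # nothing in the payload can be trusted
    claims = json.loads(_unb64url(p))
    failures = []
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        failures.append("iss")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        failures.append("aud")
    if not (claims.get("iat", 0) - SKEW <= now < claims.get("exp", 0) + SKEW):
        failures.append("exp")
    if claims.get("nonce") != nonce:  # binds the token to the request this SP sent
        failures.append("nonce")
    if require_mfa and not mfa_asserted(claims):
        failures.append("mfa")
    return claims, failures


SECRET = b"constructed-client-secret-for-demo-only"
ISSUER, CLIENT_ID, NONCE = "https://idp.example.com", "saas-app-123", "n-7f3a"
NOW = 1714564800  # 2024-05-01T12:00:00Z, fixed so the demo is deterministic


def _claims(**extra):
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
            "iat": NOW - 5, "exp": NOW + 300, "nonce": NONCE}
    return {**base, **extra}


def demo():
    """Verify four constructed tokens and return the failure list for each."""
    good = sign_hs256(_claims(amr=["pwd", "mfa"]), SECRET)
    no_mfa = sign_hs256(_claims(amr=["pwd"]), SECRET)
    wrong_aud = sign_hs256(_claims(aud="other-app", amr=["pwd", "otp"]), SECRET)
    h, _, s = good.split(".")  # re-use a valid signature over an altered payload
    tampered = f"{h}.{_b64url(json.dumps(_claims(sub='admin', amr=['pwd', 'mfa'])).encode())}.{s}"
    return {name: verify_id_token(tok, SECRET, ISSUER, CLIENT_ID, NONCE, NOW)[1]
            for name, tok in [("good", good), ("no_mfa", no_mfa),
                              ("wrong_aud", wrong_aud), ("tampered", tampered)]}


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: {'accepted' if not failures else 'rejected ' + ','.join(failures)}")
```

Note that the "no_mfa" token is perfectly valid as far as signature, issuer, audience and nonce go; it is rejected only because the app insists on an MFA assertion. Without that check, the app would accept it just as readily as the "good" one, which is the situation described in Q1.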