We’re experiencing a critical authentication issue in our incident management module after configuring Okta SSO with MFA. Users successfully authenticate through Okta’s MFA flow, but when they’re redirected back to Arena QMS, the session isn’t established and they’re stuck in a login loop.
The SAML assertion seems to complete, but the MFA claim validation appears to fail. Our redirect URIs are configured correctly in both Okta and Arena QMS. Session timeout settings in Arena are set to 30 minutes, matching our Okta policy.
SAML Response Status: Success
MFA Claim: missing or invalid
Redirect: /arena/incident/dashboard
Session State: NOT_ESTABLISHED
This is blocking our entire incident workflow. Has anyone encountered MFA claim validation issues with Okta integration in Arena QMS 2022.1?
Thanks for the suggestions. I checked our Okta attribute mappings and found that we’re missing the MFA status attribute entirely. Our configuration only includes standard SAML attributes like email and name. What specific attribute name should Arena QMS receive for MFA verification?
I’ve seen similar issues with SAML integrations. The MFA claim might not be mapped correctly in your Okta application settings. Check if you have the custom SAML attribute for MFA status configured - it needs to match what Arena QMS expects in the assertion.
I’ll provide a comprehensive solution addressing all the key configuration points:
1. SAML Assertion MFA Claim Validation
Arena QMS requires a specific SAML attribute for MFA verification. In your Okta application settings, add a custom attribute statement:
- Attribute Name: `mfa_verified`
- Value: `user.mfaFactorVerified`
- Format: Unspecified
This ensures the MFA status is included in every SAML assertion.
2. Okta MFA Policy Configuration
Your Okta policy must be configured correctly:
Policy Type: Sign-On Policy
MFA Requirement: Required
Session Lifetime: 30 minutes
Include in SAML Assertion: Enabled
Critically, enable the “Include authentication context” option in your Okta SAML app settings. This adds the AuthnContext element that Arena QMS checks.
3. Session Timeout Synchronization
The session timeout mismatch causes redirect loops. In Arena QMS configuration (site.properties):
saml.session.timeout=1800
saml.token.lifetime=1800
saml.clock.skew=300
These values (in seconds) must align with your Okta session lifetime. The clock skew parameter (5 minutes) handles minor time differences between systems.
4. Redirect URI Validation
Verify your redirect URIs match exactly - including protocol, domain, and path:
Also check the RelayState parameter is properly configured to return users to /arena/incident/dashboard after authentication.
Testing Steps:
- Clear all browser cookies and sessions
- Use SAML Tracer to capture the full authentication flow
- Verify the SAML assertion contains `<saml:Attribute Name="mfa_verified"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>`
- Check Arena QMS logs for SAML validation messages
After implementing these changes, restart your Arena QMS application server. The MFA claim should now validate correctly and establish proper sessions. We’ve deployed this configuration across 50+ users with zero authentication failures.
I recommend checking the SAML assertion XML directly to see what’s actually being passed. Use a SAML tracer browser extension during login to capture the full assertion. This will show you exactly which attributes Okta is sending and help you identify if the MFA claim is missing or just misnamed. We discovered our issue was that the attribute was present but Arena QMS was looking for a different namespace.
The attribute name varies by configuration, but typically it’s something like ‘mfa_verified’ or ‘authentication_context’. Check your Arena QMS SSO configuration file - there should be a parameter specifying which SAML attribute to check for MFA status. Also, make sure your Okta policy is set to ‘Always’ for MFA enforcement, not ‘Per Session’, otherwise the claim won’t consistently appear in the assertion.
Adding to Rachel’s point about namespaces - Arena QMS 2022.1 expects MFA claims in a specific format. We struggled with this for weeks before finding the solution.
We had this exact problem last quarter. The issue was that our Okta MFA policy was configured at the organization level, but Arena QMS needs the MFA claim explicitly included in the SAML assertion. You need to add a custom attribute statement in Okta that passes the MFA verification status. Also verify your session timeout synchronization - if Arena’s timeout is shorter than Okta’s token lifetime, you’ll get these redirect loops.
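As an added example (not code from this thread, nor from Arena QMS or Okta), here is a small Python checker for the "Testing Steps" in the long answer above and for the timeout mismatch noted in the last reply. It parses a decoded assertion such as the one SAML Tracer shows, looks up the MFA attribute by name in the proper SAML namespace (so a renamed or mis-namespaced attribute is reported rather than silently missed), confirms an AuthnContextClassRef is present, applies a 300-second clock skew to the Conditions window, and flags an Arena session timeout shorter than the Okta session lifetime. The attribute name `mfa_verified` and the 300-second skew are taken from the answer above and are assumptions; the real attribute name comes from your Arena QMS SSO configuration. The sample assertion is constructed for offline testing and is not captured from any real deployment.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed from the answer above; the real values live in Arena's SSO configuration.
EXPECTED_MFA_ATTRIBUTE = "mfa_verified"
CLOCK_SKEW_SECONDS = 300

# Constructed sample assertion (not from any real Okta/Arena deployment).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:25:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mfa_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse a SAML xsd:dateTime with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def attribute_names(root):
    """All attribute names the assertion carries, for a useful 'missing' message."""
    return [a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)]


def attribute_values(root, name):
    """AttributeValue texts for the attribute with exactly this Name (namespace-aware)."""
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for v in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((v.text or "").strip())
    return values


def authn_context_class(root):
    """The AuthnContextClassRef text, or None if Okta did not include an authentication context."""
    el = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    return el.text.strip() if el is not None and el.text else None


def check_assertion(xml_text, now, mfa_attribute=EXPECTED_MFA_ATTRIBUTE, clock_skew=CLOCK_SKEW_SECONDS):
    """Return a list of problems; an empty list means the assertion passes these diagnostic checks.

    This inspects a decoded assertion only; it does not verify the XML signature,
    which the SP (Arena QMS) must still do.
    """
    problems = []
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=clock_skew)

    # 1. MFA claim present under the expected name, and true.
    values = attribute_values(root, mfa_attribute)
    if not values:
        problems.append(f"attribute '{mfa_attribute}' missing; assertion carries {attribute_names(root)}")
    elif values[0].lower() != "true":
        problems.append(f"attribute '{mfa_attribute}' present but value is {values[0]!r}, not 'true'")

    # 2. Authentication context included (the Okta 'Include authentication context' option).
    if authn_context_class(root) is None:
        problems.append("AuthnContextClassRef missing from AuthnStatement")

    # 3. Validity window, widened on both edges by the configured clock skew.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("Conditions element missing")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before) - skew:
            problems.append("assertion not yet valid: NotBefore is beyond the allowed skew")
        if not_on_or_after and now >= _parse_time(not_on_or_after) + skew:
            problems.append("assertion expired: NotOnOrAfter passed beyond the allowed skew")
    return problems


def check_session_config(arena_timeout_s, okta_session_lifetime_s):
    """Flag the mismatch the thread describes: Arena's session expiring before Okta's lifetime ends."""
    if arena_timeout_s < okta_session_lifetime_s:
        return [f"Arena saml.session.timeout={arena_timeout_s}s is shorter than the Okta "
                f"session lifetime of {okta_session_lifetime_s}s; expect redirect loops"]
    return []


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
    print("assertion problems:", check_assertion(SAMPLE_ASSERTION, now))
    print("config problems:", check_session_config(1800, 1800))
```

To use it on a real capture, paste the decoded assertion from SAML Tracer in place of the sample and pass the current UTC time; the "missing" message lists every attribute name that did arrive, which is exactly the present-but-misnamed situation Rachel describes.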