# OpenStack CLI Not Working With Okta MFA

## Problem

OpenStack CLI tends to not work with Okta Multi-Factor Authentication. The following error message is observed while running any OpenStack command with\*\*`--debug`\*\* option.

{% tabs %}
{% tab title="None" %}

```none
starting new HTTPS connection (1): *******.okta.comhttps://*******.okta.com:443 "POST /api/v1/authn HTTP/1.1" 200 NoneUser "username" password validates, checking second factorStarting new HTTPS connection (1): *******.okta.comhttps://*******.okta.com:443 "POST /api/v1/authn/factors/ost1hlvxdmcNbMSaD0h8/verify HTTP/1.1" 200 NoneUnable to obtain SAML assertion. Authentication failed or server error.
```

{% endtab %}
{% endtabs %}

## Environment

* Platform9 Managed OpenStack - All Versions
* Okta, Google G Suite, One Login, Microsoft ADFS

## Cause

Identity provider plugins do not support Multi-Factor Authentication for the command-line interface.

## Resolution

We have two workarounds for this issue.

* Disable the MFA for the user in Okta or the identity provider plugin mentioned above.
* Instead of using SSO user-id, you can create a local user-id that can be used for accessing OpenStack through CLI.