Looking for a working SCP planted on an Organization Root which enforces MFA for all, but it currently has problems as it does not see STS calls (SSO), so even users who have MFA get denied when assuming Organization Administrator roles, as MFA is not seen for SSO users. Of course I used the BoolIfExists: mfaAuthenticationPresent: false value, but this blocks everyone coming via SSO.
I tried viaService set to False in the Deny policy, and added STS:AssumeRoleWithSAML as an exception via NotAction.
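One shape of such an SCP, added here as an example and not the poster's policy: a single Deny that applies when `aws:MultiFactorAuthPresent` is absent or false, is not a service-to-service call (`aws:ViaAWSService`), and is not a role under the `aws-reserved/sso.amazonaws.com/` path that IAM Identity Center (SSO) provisions, since those sessions never carry the MFA key; the NotAction list leaves the self-service MFA enrollment actions open. MFA for the SSO roles is then enforced in Identity Center itself, not by the SCP.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWithoutMFAExceptSSORolesAndServiceCalls",
      "Effect": "Deny",
      "NotAction": [
        "iam:ChangePassword",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" },
        "Bool": { "aws:ViaAWSService": "false" },
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
          ]
        }
      }
    }
  ]
}
```

The exemption keys on the role ARN rather than the session ARN, so it covers every permission-set role Identity Center creates in any account; attach it to a test OU first and confirm both an SSO session and an IAM user without MFA behave as expected before moving it to the root.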