SPNEGO and MFA - No potential flows left to choose from, canonicalization will fail

Cantor, Scott cantor.2 at osu.edu
Wed Sep 25 08:57:42 EDT 2019

It's hard to enable MFA and anything else unless they're completely distinct.

The actual error though is a lack of appropriate/workable subject c14n for the final output of the MFA flow, so it's failing that step and falling into the next available login flow (SPNEGO) and for whatever reason that bails out quickly for the final failure.

Simple c14n as a default behavior only succeeds when a single UsernamePrincipal is in the result. 0 or more than one will break it and require alternative configuration.

You shouldn't have SPNEGO enabled as a second login flow when you're really trying to use the MFA flow to orchestrate it, and that's causing more problems and spurious behavior at the end.

Anything deeper, you'd need to file a support ticket, I can't get into the depths on list.

-- Scott
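
Added example, not part of the original message and not Shibboleth code: a simplified Python model of the behavior described above, where simple c14n accepts a result only when it holds exactly one UsernamePrincipal, and a c14n failure falls through to the next enabled login flow. The flow functions, principal values and trace strings are constructed for illustration, and the SPNEGO flow is assumed to fail.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UsernamePrincipal:
    name: str

@dataclass(frozen=True)
class OtherPrincipal:  # hypothetical stand-in for any non-username principal
    value: str

def simple_c14n(principals):
    """Model of the default rule: exactly one UsernamePrincipal, else failure."""
    names = [p.name for p in principals if isinstance(p, UsernamePrincipal)]
    return names[0] if len(names) == 1 else None

def authenticate(enabled_flows):
    """Try each enabled flow in order; return (canonical_name, trace)."""
    trace = []
    for flow_id, run in enabled_flows:
        principals = run()
        if principals is None:
            trace.append(f"{flow_id}: flow failed")
            continue
        name = simple_c14n(principals)
        if name is not None:
            trace.append(f"{flow_id}: c14n ok")
            return name, trace
        trace.append(f"{flow_id}: c14n failed")
    trace.append("No potential flows left to choose from")
    return None, trace

# Constructed flow results (assumptions, not taken from the thread).
def mfa_two_names():   # MFA result carrying two usernames
    return [UsernamePrincipal("jdoe"), UsernamePrincipal("jdoe@EXAMPLE.ORG")]

def mfa_no_name():     # MFA result carrying no username at all
    return [OtherPrincipal("second-factor")]

def mfa_one_name():    # MFA result that simple c14n can handle
    return [UsernamePrincipal("jdoe"), OtherPrincipal("second-factor")]

def spnego_fails():    # assumed: SPNEGO bails out when tried as a fallback
    return None

if __name__ == "__main__":
    for mfa in (mfa_two_names, mfa_no_name, mfa_one_name):
        flows = [("authn/MFA", mfa), ("authn/SPNEGO", spnego_fails)]
        print(mfa.__name__, authenticate(flows))
```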
