Handle authentication responses
Every authentication transaction starts with primary authentication, which validates a user's password. Password Policy, MFA Policy, and Sign-On Policy are evaluated during primary authentication to determine if the user's password is expired, a factor should be enrolled, or additional verification is required. The transaction state (opens new window) of the response depends on the user's status, group memberships, and assigned policies.
Note: Custom sign-in works only with Org MFA. This means that, before you exchange the session token for an access token, you must make sure the application has disabled App-Level MFA (opens new window).