Error: access_denied – ‘login_hint’ did not match a user assigned to the client app
This error message already points you in the right direction: it means the username format may be wrong. You can check the ADFS logs and decode the JWT to see which login_hint was actually sent. In my case the sAMAccountName was sent, but Okta was configured for the Okta username:
So just edit this application username setting, change it so it matches the format ADFS sends, and be sure to click “Update Now” afterwards – or unassign and reassign all users to the app.
You can also check the current username used for a specific user by clicking the pencil icon:
After these changes, ADFS MFA should work.
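To check what ADFS actually sent before touching the Okta setting, here is an added example (not part of the original post) that decodes the payload of a JWT copied out of the ADFS log, reads its login_hint claim, guesses which username format it is in, and compares it with the username Okta expects. The sample token, the sample usernames and the helper names are constructed for illustration; the signature is deliberately not verified because the token is only being inspected, not trusted.

```python
import base64
import json
import re


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT *without* verifying the signature.

    Suitable only for reading a token copied from the ADFS log; never use the
    result of this function for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_login_hint(hint: str) -> str:
    """Guess which username format ADFS put into login_hint."""
    if re.fullmatch(r"[^\\@\s]+\\[^\\@\s]+", hint):
        return "domain\\sAMAccountName"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", hint):
        return "UPN or email"
    return "sAMAccountName"


def diagnose(token: str, okta_username: str) -> dict:
    """Compare the login_hint in the token with the Okta application username."""
    hint = jwt_claims(token).get("login_hint", "")
    return {
        "login_hint": hint,
        "format": classify_login_hint(hint),
        "matches_okta_username": hint.lower() == okta_username.lower(),
    }


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token (alg "none", empty signature); a real token
    # from the ADFS log would be signed.
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_TOKEN = _make_unsigned_jwt({"login_hint": "jdoe", "aud": "okta-mfa"})

if __name__ == "__main__":
    # sAMAccountName was sent, but Okta expects the full Okta username
    print(diagnose(SAMPLE_TOKEN, "jdoe@example.com"))
```

A result with matches_okta_username false and format sAMAccountName is exactly the mismatch behind the access_denied error above.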