Hi!
First, a small clarification about SSO - we support SAML2 and OIDC identity providers.
Once SSO is enabled, the authentication process is handled by a third party SSO solution (such as: PingFederate, OneLogin, Okta, VMWare identity manager, Google, etc).
MFA is part of the authentication process, which means that once you turn on SSO, MFA should be handled by the 3rd party.
Therefore, if you use a third-party SSO solution, and you want to enable MFA, you need to do so via your third-party SSO solution.