SAML IdP can only be used for specific portal-based flows in ISE. See the Admin Guide for more info.
If you need to use SAML for VPN + MFA, you would likely need to move to a different flow where the VPN headend (ASA/FTD) performs the Authentication directly against Okta using SAML and then hands off to ISE to perform Authorization only.
VPN headend <-> Okta SAML authC -> ISE AuthZ only
Example ASA + Okta SAML config:
https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html
Example ASA RADIUS server config for ISE Authorization only:
aaa-server ISE_RAD protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
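
The following is an added example, not part of the original post or the linked Okta document: a sketch of how the SAML authentication and the ISE authorize-only server group are bound to one tunnel-group on an ASA. The tunnel-group name, trustpoint names, hostnames, addresses, entity ID, URLs and shared secret are all constructed placeholders.

```cisco
! Constructed example: every name, address, URL and key below is a placeholder.
!
! 1. SAML IdP definition (authentication is performed by Okta)
webvpn
 saml idp http://www.okta.com/EXAMPLE_ENTITY_ID
  url sign-in https://example.okta.com/app/EXAMPLE_APP/EXAMPLE_ID/sso/saml
  url sign-out https://example.okta.com/app/EXAMPLE_APP/EXAMPLE_ID/slo/saml
  base-url https://vpn.example.com
  ! Trustpoint holding the IdP signing certificate (validates assertions)
  trustpoint idp OKTA_IDP_CERT
  ! Trustpoint holding the ASA's own SP certificate
  trustpoint sp ASA_SP_CERT
!
! 2. RADIUS server group for ISE, authorization only (no password check)
aaa-server ISE_RAD protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
aaa-server ISE_RAD (inside) host 192.0.2.10
 key EXAMPLE_SHARED_SECRET
!
! 3. Tunnel-group: authenticate with SAML, then authorize against ISE
tunnel-group EXAMPLE_VPN type remote-access
tunnel-group EXAMPLE_VPN general-attributes
 authorization-server-group ISE_RAD
 accounting-server-group ISE_RAD
tunnel-group EXAMPLE_VPN webvpn-attributes
 authentication saml
 saml identity-provider http://www.okta.com/EXAMPLE_ENTITY_ID
```

In this flow ISE never sees a credential, so its policy decision rests on the username the headend takes from the SAML assertion; that value has to match the identity ISE looks up for authorization.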