Sunil Dalal

Debug Okta 400 Bad Request GENERAL_NONSUCCESS

I wanted to check if there are additional ways on the Okta admin dashboard or via Okta customer support to find out what exactly caused a 400 error. In our case, exactly one user is failing SSO, resulting in a 400 Bad Request, which points to bad data from our partner.
  • Does Okta log the posted SAML request in case of 400 errors?
  • If yes, how can we see it in the Okta admin dashboard, or can we request it offline?
Best Answer chosen by Niki (Okta, Inc.) 
James Flores (Okta, Inc.)
Hi Sunil,

You can view the SAML assertion being sent when the user clicks a chiclet by using the SAML tracer tool in Firefox. Chrome too has a SAML tracer web extension; you can find it in the Chrome Store by searching "SAML Message Decoder." Below are instructions on how to use the Firefox version:
  1. A SAML trace can be performed in Mozilla Firefox using the SAML tracer browser extension https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
  2. Install the browser extension, open it and then click the chiclet of the app in question from the Okta dashboard (in Firefox)
  3. After clicking the chiclet, the SAML tracer will fill with data
  4. In the SAML tracer, click the entry highlighted with the word "SAML" on the right
  5. In the bottom portion of the SAML tracer you will see 3 sections (tabs): http, Parameters, and SAML
This will help you see what data is being sent to the SP. If this does not help, submit a support ticket with the SAML trace and we can take a look on the back end and see what else could be causing the 400 error. In this case too, since the SP is returning the 400 error, their logs should reflect the attempted request that resulted in a 400 error and hopefully shed some light as to why the 400 was generated.

Sunil Dalal
Since our partner user was facing the issue, we could not have tried SAML tracer. Typical flow is partner -> partner's 3rd party SSO system -> Okta hub.

What helped us was the system logs on the admin dashboard. We saw "user creation failure" errors and were able to pinpoint that it was the partner's 3rd party SSO system which was not sending us mandatory attributes like firstName and lastName for that user, whereas it was sending accurate data for everyone else.

The error was something like this:

firstName field failed validation with value 'null': The field cannot be left blank.lastName field failed validation with value 'null': The field cannot be left blank
Catalysttenant tw
Hi James,

However, it isn't possible to decrypt EncryptedAssertion with browser add-ons. Got anything to deal with this in Okta?
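
The check discussed in this thread, as an added example that is not part of the original posts or of Okta's tooling: it decodes a base64 SAMLResponse value (as copied from a SAML trace's Parameters tab), reports which mandatory attributes are missing or blank, and stops when the assertion is encrypted. The attribute names firstName and lastName come from the error text above; the function names and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName")  # assumption: names taken from the error text


def missing_attributes(saml_response_b64, required=REQUIRED):
    """Return the required attributes that are absent or blank in a SAMLResponse."""
    # HTTP-POST binding carries plain base64. Debug aid only: no signature check.
    xml_bytes = base64.b64decode(saml_response_b64)
    # Refuse DTDs before parsing: a SAML message never needs one, and entity
    # declarations are the usual vehicle for XML entity-expansion attacks.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(xml_bytes)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        # Attributes cannot be read without the recipient's private key.
        raise ValueError("assertion is encrypted; inspect it on the receiving side")
    values = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        texts = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [t for t in texts if t]
    return [name for name in required if not values.get(name)]


def build_response(attrs):
    """Build a constructed, unsigned SAMLResponse for the demo (not real traffic)."""
    body = "".join(
        f'<saml:Attribute Name="{k}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for k, v in attrs.items())
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


GOOD = build_response({"firstName": "Ada", "lastName": "Example", "email": "ada@example.com"})
BAD = build_response({"firstName": "", "email": "bob@example.com"})  # blank + absent

if __name__ == "__main__":
    print(missing_attributes(GOOD))
    print(missing_attributes(BAD))
```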