Users who sign in to Okta through an external Identity Provider (IdP) encounter the error below when the "Enforce device matching for creating sessions" Okta feature is enabled and the device identifiers in the request do not match:
403 Access Forbidden
This article explains the possible solutions for this scenario.
Applies To
- Single Sign-On (SSO)
- Identity Provider (IdP)
- Enforce device matching for creating sessions
Cause
- "Enforce device matching for creating sessions" is set to Enabled for all IdPs.
- The device identifiers provided in the requests do not match (IP address, RawUserAgent, etc.).
The "Enforce device matching for creating sessions" Okta feature is a security control. It compares the device identifiers (such as the client IP address and the raw User-Agent string) carried by the initial IdP request with those of the request that lands on the Okta tenant. If any identifier differs, Okta denies access to the app and does not create an Identity Provider session. End users see this as a 403 error.
Option 1
Find the root cause of the device identifier mismatch. Look for any change in the user's IP address between the initial request and the moment the user lands on the Okta tenant (for example, a proxy, VPN, or an intermediate system that forwards the request from its own address), and for any change in the device information (a different browser or a different operating system).
Option 2
Disable the "Enforce device matching for creating sessions" feature by navigating to Security > General > Organization Security > Enforce device matching for creating sessions.
- NOTE: Disabling the feature reduces security for IdP authentications. However, in some scenarios it is the only solution: some systems must pass the IdP login request to another entity before it is processed, and the feature does not allow that flow.
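The following script is an added illustration of the diagnosis in Option 1 and of the relay scenario described in the NOTE; it is not Okta's code and does not reproduce Okta's internal matching logic. It models each party along the IdP-to-Okta redirect chain as a record of the client IP and raw User-Agent it observed, reports the hop at which an identifier changed, and evaluates whether the identifiers seen by the first and last hops agree. The hop records, field names, and IP addresses are constructed for this example.

```python
"""Locate where a device identifier changes along an IdP -> Okta redirect chain.

Added illustration, not Okta's implementation. "Enforce device matching for
creating sessions" compares identifiers such as the client IP address and the
raw User-Agent between the initial IdP request and the request that reaches
the Okta tenant. This helper shows how to spot which hop introduced a change.
All sample data below is constructed for this example.
"""
from dataclasses import dataclass

# Identifiers the comparison covers (assumed subset for this illustration).
DEVICE_FIELDS = ("ip", "raw_user_agent")


@dataclass(frozen=True)
class Hop:
    """The request as observed by one party in the chain."""
    observed_by: str
    ip: str
    raw_user_agent: str


def find_mismatches(hops):
    """Return (field, previous_hop, next_hop, old_value, new_value) for every
    identifier that differs between two consecutive hops."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        for name in DEVICE_FIELDS:
            old, new = getattr(prev, name), getattr(cur, name)
            if old != new:
                findings.append((name, prev.observed_by, cur.observed_by, old, new))
    return findings


def session_would_be_created(hops):
    """Device matching passes only when every identifier seen by the first
    party (the IdP) equals the one seen by the last party (Okta)."""
    first, last = hops[0], hops[-1]
    return all(getattr(first, f) == getattr(last, f) for f in DEVICE_FIELDS)


def describe(hops):
    """Human-readable summary for a support ticket or a runbook check."""
    if session_would_be_created(hops):
        return "OK: identifiers unchanged end to end; session would be created."
    lines = ["MISMATCH: Okta would answer 403 and create no IdP session."]
    for field, prev, cur, old, new in find_mismatches(hops):
        lines.append(f"  {field} changed between '{prev}' and '{cur}': {old!r} -> {new!r}")
    return "\n".join(lines)


# Constructed samples (RFC 5737 documentation addresses, not real traffic).
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
SAFARI_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1")

# Browser redirected straight from the IdP to Okta: nothing changes.
CLEAN_CHAIN = [
    Hop("idp", "203.0.113.10", CHROME_WIN),
    Hop("okta", "203.0.113.10", CHROME_WIN),
]

# An intermediate system receives the browser's request and forwards it to
# Okta server-side, so Okta sees the relay's egress IP, not the user's.
RELAY_CHAIN = [
    Hop("idp", "203.0.113.10", CHROME_WIN),
    Hop("relay", "203.0.113.10", CHROME_WIN),
    Hop("okta", "198.51.100.7", CHROME_WIN),
]

# The user starts on a phone and finishes the flow in a desktop browser:
# both the IP and the User-Agent differ when the request reaches Okta.
DEVICE_SWITCH_CHAIN = [
    Hop("idp", "203.0.113.44", SAFARI_IOS),
    Hop("okta", "203.0.113.10", CHROME_WIN),
]

if __name__ == "__main__":
    for label, chain in (("clean", CLEAN_CHAIN), ("relay", RELAY_CHAIN),
                         ("device switch", DEVICE_SWITCH_CHAIN)):
        print(f"[{label}]\n{describe(chain)}\n")
```

When the mismatch lands between an intermediate system and Okta while the earlier hops agree, the culprit is a server-side forward rather than the user's device, which is exactly the case the NOTE describes; a User-Agent change with the IP constant usually points at a browser or webview hand-off on the client instead.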
