403 Error when Signing In from an IdP into Okta with "Enforce device matching for creating sessions" Enabled
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

Users encounter the error message below when signing in from an Identity Provider (IdP) to Okta while the "Enforce device matching for creating sessions" Okta feature is enabled:

403 Access Forbidden

(Screenshot: Error Message)

This article explains the possible solutions for this scenario.

Applies To
  • Single Sign-On (SSO)
  • Identity Provider (IdP)
  • Enforce device matching for creating sessions

Cause
  • "Enforce device matching for creating sessions" is set to Enabled for all IdPs.
  • The device identifiers provided in the requests do not match (IP, RawUserAgent, etc.).

The "Enforce device matching for creating sessions" Okta feature is a security control: it compares the device identifiers (such as the IP address and the raw user agent) carried by the requests of an IdP sign-in flow. If they do not match, Okta denies access to the app and does not create an Identity Provider session. End users see this as a 403 error.

Solution

Option 1

Find the root cause of the device identifier mismatch. Look for any change in the user's IP address between the initial request and the moment the user lands on the Okta tenant, and for any change in the device information (a different browser or a different OS).

Option 2
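As an added diagnostic for Option 1 (example code written for this article, not Okta's own tooling), the following Python compares the device identifiers of two sign-in events and reports which identifier changed and whether the change looks like a network-side change (IP) or a device-side change (browser, OS, user agent). The field names follow the shape of the Okta System Log client object (client.ipAddress, client.userAgent.rawUserAgent, client.userAgent.browser, client.userAgent.os); the two events below are constructed samples, not records from a real tenant, and the mapping of each field to a "network" or "device" cause is this example's own assumption.

```python
"""Compare device identifiers between the initial IdP request and the
request that lands on the Okta tenant (added example, not Okta code)."""

# Dotted paths into a System Log event, grouped by the kind of mismatch
# they indicate. The grouping is this example's assumption; the paths
# follow the Okta System Log 'client' object shape.
DEVICE_IDENTIFIER_CAUSES = {
    "client.ipAddress": "network",
    "client.userAgent.rawUserAgent": "device",
    "client.userAgent.browser": "device",
    "client.userAgent.os": "device",
}


def get_path(event, path):
    """Walk a dotted path through nested dicts; return None if a key is absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_device_mismatches(initial_event, landing_event):
    """Return [(path, initial_value, landing_value)] for every identifier that differs."""
    mismatches = []
    for path in DEVICE_IDENTIFIER_CAUSES:
        before = get_path(initial_event, path)
        after = get_path(landing_event, path)
        if before != after:
            mismatches.append((path, before, after))
    return mismatches


def classify_mismatches(mismatches):
    """Map mismatched paths to the likely cause categories ("network", "device")."""
    return {DEVICE_IDENTIFIER_CAUSES[path] for path, _, _ in mismatches}


def explain(mismatches):
    """Human-readable summary an admin can paste into a ticket."""
    if not mismatches:
        return "Device identifiers match; device matching is not the cause of the 403."
    lines = ["Device identifier mismatch (403 expected while enforcement is enabled):"]
    for path, before, after in mismatches:
        lines.append(f"  {path}: initial={before!r} landing={after!r}")
    lines.append("Likely cause(s): " + ", ".join(sorted(classify_mismatches(mismatches))))
    return "\n".join(lines)


# Constructed sample events (documentation IP ranges, made-up user agent).
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"

INITIAL_REQUEST = {
    "eventType": "user.authentication.auth_via_IDP",
    "client": {
        "ipAddress": "198.51.100.23",
        "userAgent": {"rawUserAgent": _UA, "browser": "CHROME", "os": "Windows 10"},
    },
}

# Same device, but the request now arrives from a different egress IP
# (for example after being relayed through another system).
LANDING_REQUEST_NEW_IP = {
    "eventType": "user.session.start",
    "client": {
        "ipAddress": "203.0.113.7",
        "userAgent": {"rawUserAgent": _UA, "browser": "CHROME", "os": "Windows 10"},
    },
}

# Same IP, but the flow finished in a different browser on the same host.
LANDING_REQUEST_NEW_BROWSER = {
    "eventType": "user.session.start",
    "client": {
        "ipAddress": "198.51.100.23",
        "userAgent": {
            "rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) OtherBrowser/2.0",
            "browser": "FIREFOX",
            "os": "Windows 10",
        },
    },
}

if __name__ == "__main__":
    print(explain(find_device_mismatches(INITIAL_REQUEST, LANDING_REQUEST_NEW_IP)))
    print(explain(find_device_mismatches(INITIAL_REQUEST, LANDING_REQUEST_NEW_BROWSER)))
```

Feed it the event for the user's IdP-initiated request and the event for the request that reached the tenant: a "network" result points at proxies, VPNs or relaying systems between the IdP and Okta, while a "device" result points at a browser or OS change along the way.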

Disable the "Enforce device matching for creating sessions" feature by navigating to Security > General > Organization Security > Enforce device matching for creating sessions.

  • NOTE: Disabling the feature reduces security for IdP authentications. However, in some scenarios it is the only solution: some systems must pass the IdP login request to another entity before it is processed, and the feature does not allow that flow.