Users are reporting that they are unable to access a specific application during the Service Provider (SP) initiated login flow. On the Okta page, an error will be visible:
403 App Not Assigned
Sorry, you cannot access <app name> because you are not assigned this app in Okta. If you're wondering why this is happening, please contact your administrator.
In the Okta System log, the following error will be visible:
User attempted unauthorized access to app failure:
The Actor is the impacted end user, and Targets is the Application instance name/id listed.
- SP-initiated App Sign On
- Applications configured with Okta SWA/SAML/WS-Federation SSO
- Okta Application Assignment by Okta Administrator
- Okta Integration Network (OIN)
The error is caused by an application assignment for the impacted user that is either missing or incomplete, the latter due to specific application assignment/provisioning errors on the Okta Admin Dashboard.
To confirm the root cause, check the user's list of assigned apps under the Okta User Profile > Applications > Applications tab.
Alternatively, check the Assignments tab of the affected application to see if the user is listed with any errors.
- Verify the issue's root cause by checking the Okta System Log and the impacted user's app assignment status.
- Reassign the affected application to the user on the Okta side and make sure there is no application assignment error and/or provisioning task error if the application has provisioning enabled. For full details, please read the Okta documentation: Assign an app integration to a user.
- Once the user has an active app assignment, have the end user try the application sign-on again.
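
A triage sketch for the verification step above, added here as an example and not Okta's own code: it scans exported System Log events for the failure message and lists, per application instance, the actors who were refused and how often. The field names (`displayMessage`, `outcome.result`, `actor.alternateId`, `target[].type`) are assumed to match the System Log event JSON of your export, and the sample events are constructed.

```python
from collections import defaultdict

# Message shown in the System Log for this failure (taken from the article).
DENIED_MESSAGE = "User attempted unauthorized access to app"


def unassigned_access_attempts(events):
    """Return {(app name, app id): {user login: attempt count}} for denied sign-ons."""
    report = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("displayMessage") != DENIED_MESSAGE:
            continue
        if (ev.get("outcome") or {}).get("result") != "FAILURE":
            continue
        actor = ev.get("actor") or {}              # the impacted end user
        user = actor.get("alternateId") or actor.get("id")
        for tgt in ev.get("target") or []:         # target may be null on some events
            if tgt.get("type") == "AppInstance":   # the application instance name/id
                report[(tgt.get("displayName"), tgt.get("id"))][user] += 1
    return {app: dict(users) for app, users in report.items()}


def _event(message, result, login, targets):
    """Build one constructed event; every id, login and app name is made up."""
    return {"displayMessage": message, "outcome": {"result": result},
            "actor": {"id": "00u-" + login, "alternateId": login}, "target": targets}


PAYROLL = {"id": "0oaEXAMPLE1", "type": "AppInstance", "displayName": "Payroll"}

# Constructed sample: three denied attempts plus two unrelated events to ignore.
SAMPLE_EVENTS = [
    _event(DENIED_MESSAGE, "FAILURE", "alice@example.com", [PAYROLL]),
    _event(DENIED_MESSAGE, "FAILURE", "alice@example.com", [PAYROLL]),
    _event(DENIED_MESSAGE, "FAILURE", "bob@example.com", [PAYROLL]),
    _event("User single sign on to app", "SUCCESS", "carol@example.com", [PAYROLL]),
    _event("User login to Okta", "SUCCESS", "carol@example.com", None),
]

if __name__ == "__main__":
    for (name, app_id), users in unassigned_access_attempts(SAMPLE_EVENTS).items():
        print(f"{name} ({app_id})")
        for login, count in sorted(users.items()):
            print(f"  {login}: {count} denied attempt(s); check assignment status")
```

Each user listed is a candidate for the reassignment step; a user who keeps appearing after reassignment points to an assignment or provisioning error on the application's Assignments tab.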
