When a user is in a Password Expired state in Okta and authenticates into Okta via an External IdP, the user receives an error:
400 PASSWORD_EXPIRED
PIV authentication for the same user works without issues.
- External Identity Provider (IdP)
If users do not have a password, convert them into federated mode once they are migrated to the External IdP to authenticate into Okta.
Once the users are converted to federated mode, they will not require a password in Okta as long as they can authenticate via the External IdP.
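
The conversion described above can be scripted. The following is an added example, not code from Okta or from this article: it selects users who are in `PASSWORD_EXPIRED` with an Okta-managed credential and builds, without sending, the Reset Password request for each. It assumes the Users API call `POST /api/v1/users/{id}/lifecycle/reset_password?provider=FEDERATION&sendEmail=false` with an `SSWS` API token; the org URL, token, user IDs and function names are constructed placeholders.

```python
import urllib.parse
import urllib.request

# Constructed sample of Okta user objects, trimmed to the fields used here.
SAMPLE_USERS = [
    {"id": "00uEXAMPLE0001", "status": "PASSWORD_EXPIRED",
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"id": "00uEXAMPLE0002", "status": "ACTIVE",
     "credentials": {"provider": {"type": "OKTA", "name": "OKTA"}}},
    {"id": "00uEXAMPLE0003", "status": "ACTIVE",
     "credentials": {"provider": {"type": "FEDERATION", "name": "FEDERATION"}}},
]


def needs_conversion(user):
    """True when the user is PASSWORD_EXPIRED and the credential is Okta-managed."""
    provider = user.get("credentials", {}).get("provider", {}).get("type")
    return user.get("status") == "PASSWORD_EXPIRED" and provider == "OKTA"


def build_conversion_request(org_url, api_token, user_id):
    """Build (do not send) the Reset Password call that sets provider=FEDERATION."""
    # sendEmail=false: no reset e-mail, the user will sign in through the IdP only.
    query = urllib.parse.urlencode({"provider": "FEDERATION", "sendEmail": "false"})
    safe_id = urllib.parse.quote(user_id, safe="")
    url = f"{org_url.rstrip('/')}/api/v1/users/{safe_id}/lifecycle/reset_password?{query}"
    return urllib.request.Request(
        url=url,
        method="POST",
        headers={"Accept": "application/json",
                 "Authorization": f"SSWS {api_token}"},
    )


def plan(org_url, api_token, users):
    """Return one prepared request per user that still needs converting."""
    return [build_conversion_request(org_url, api_token, u["id"])
            for u in users if needs_conversion(u)]


if __name__ == "__main__":
    # Dry run: print what would be sent. Placeholder org URL and token.
    for req in plan("https://example.okta.com", "PLACEHOLDER_TOKEN", SAMPLE_USERS):
        print(req.get_method(), req.full_url)
        # To apply the change: urllib.request.urlopen(req)
```

Review the dry-run output before sending anything: after conversion the user has no Okta password and can sign in only through the External IdP.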
Related References
- For information on converting users into federated mode, refer to Reset Password API in Okta Developer Docs.
- How to Convert an Okta User to the Federated Provider Type
