An Okta administrator set up an Org2Org application integration between two Okta orgs, with Provisioning and Okta Password Sync enabled, following Okta's Org2Org integration documentation. After the administrator assigned the Org2Org application to individual users or groups, one or more assignments whose initial status was set to active_with_pass or pending_with_pass failed with the following Org2Org provisioning error:
Error while creating user <username>: Api validation failed: password (password: Password requirements were not met. Password requirements: at least 12 characters, a lowercase letter, an uppercase letter, a number, a symbol, and no parts of your username. At least 1 day(s) must have elapsed since you last changed your password.)
NOTE: The password requirements listed in the Org2Org provisioning task error message may vary; they are based solely on the Hub org's password policy as seen by the Org2Org application integration.
- Org2Org
- Provisioning with Okta Password Sync enabled
- Org2Org app assignment with initial status set to active_with_pass or pending_with_pass
- Spoke org's and Hub org's password policy/password complexity requirements do not match
- Okta Identity Engine (OIE)
- Okta Classic Engine
This is expected. When a user is assigned with an initial status that includes a password, Okta first generates a temporary password in the Hub org for the new user. That temporary password is built to the minimum complexity of the Spoke org's default password policy (if the Sync Password option is not selected). If the Spoke org's requirements are weaker than the Hub org's, the Hub org rejects the temporary password at user creation and the provisioning task fails with the error above.
After the Org2Org assignment completes and the assigned user next signs in to the Spoke org, Okta Password Sync overwrites the temporary password in the Hub org with the user's actual Spoke org password.
This behavior is by design.
- Setting the Initial status user attribute is required when assigning an Okta user to the Org2Org app. This attribute determines the user's status in the target org when they are created, linked, or reactivated.
- If the initial status is set to Active with a password or Pending with a password, Okta generates a temporary password for the user. If Okta Password Sync is enabled, this temporary password is overwritten when the user signs in.
To resolve this issue, follow these steps:
- Have the Okta Super Administrators of both the Spoke (source) org and the Hub (destination) org verify which password policy applies to the impacted user in the Spoke org (typically the Spoke org's default policy) and compare its complexity requirements, requirement by requirement, with the Hub org's password policy.
- If the two do not match exactly, adjust the Spoke org's password policy/password requirements to align with the Hub org's, then retry the failed Org2Org provisioning task from the Spoke org.
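As an added example (not code from the Okta article or from Okta), the check below compares the two orgs' password-policy complexity settings and reproduces the failure mode described above: a temporary password that only satisfies the Spoke org's minimums is rejected by the Hub org's rules. The two policy objects are constructed samples shaped like the Okta Policy API's PASSWORD policy object (field names under settings.password.complexity and settings.password.age are real, the values are invented); the fetch_default_password_policy helper, its URL and token handling, and the symbol set used when generating a sample password are assumptions for illustration.

```python
"""Compare Spoke and Hub Okta password policies and show why a Spoke-minimum
temporary password fails Hub validation. Added example, not Okta's code."""
import json
import secrets
import string
import urllib.request

# Constructed sample: Spoke org default policy (weaker). Values are invented.
SPOKE_POLICY = {
    "name": "Default Policy",
    "settings": {"password": {
        "complexity": {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 0, "excludeUsername": True},
        "age": {"minAgeMinutes": 0, "historyCount": 0},
    }},
}

# Constructed sample: Hub org default policy (stricter; mirrors the error text).
HUB_POLICY = {
    "name": "Default Policy",
    "settings": {"password": {
        "complexity": {"minLength": 12, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 1, "excludeUsername": True},
        "age": {"minAgeMinutes": 1440, "historyCount": 4},
    }},
}

COMPLEXITY_KEYS = ("minLength", "minLowerCase", "minUpperCase", "minNumber", "minSymbol")


def fetch_default_password_policy(org_url, api_token):
    """Assumed helper: pull the org's default PASSWORD policy with an SSWS token.
    Makes a network call, so the offline sample below does not use it."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/policies?type=PASSWORD",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        policies = json.load(resp)
    # The org default policy is flagged system=true; fall back to the first one.
    return next((p for p in policies if p.get("system")), policies[0])


def complexity(policy):
    return policy["settings"]["password"]["complexity"]


def weaker_requirements(spoke, hub):
    """Every Hub requirement the Spoke policy does not meet, as
    {requirement: (spoke_value, hub_value)}; empty means Spoke is at least as strict."""
    s, h = complexity(spoke), complexity(hub)
    gaps = {k: (s.get(k, 0), h.get(k, 0)) for k in COMPLEXITY_KEYS if s.get(k, 0) < h.get(k, 0)}
    if h.get("excludeUsername") and not s.get("excludeUsername"):
        gaps["excludeUsername"] = (False, True)
    s_age = spoke["settings"]["password"].get("age", {}).get("minAgeMinutes", 0)
    h_age = hub["settings"]["password"].get("age", {}).get("minAgeMinutes", 0)
    if s_age < h_age:
        gaps["minAgeMinutes"] = (s_age, h_age)
    return gaps


def minimal_password(policy):
    """Build a password meeting exactly the policy's minimums, i.e. what a
    temporary password derived from the Spoke policy can look like."""
    c = complexity(policy)
    chars = ([secrets.choice(string.ascii_lowercase) for _ in range(c.get("minLowerCase", 0))]
             + [secrets.choice(string.ascii_uppercase) for _ in range(c.get("minUpperCase", 0))]
             + [secrets.choice(string.digits) for _ in range(c.get("minNumber", 0))]
             + [secrets.choice("!@#$%^&*") for _ in range(c.get("minSymbol", 0))])
    while len(chars) < c.get("minLength", 0):
        chars.append(secrets.choice(string.ascii_lowercase))  # pad with lowercase
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def validate(password, policy, username=""):
    """Check a password against a policy the way the Hub does at user creation.
    Returns the unmet requirement names; an empty list means accepted."""
    c = complexity(policy)
    counts = {
        "minLength": len(password),
        "minLowerCase": sum(ch.islower() for ch in password),
        "minUpperCase": sum(ch.isupper() for ch in password),
        "minNumber": sum(ch.isdigit() for ch in password),
        "minSymbol": sum(not ch.isalnum() for ch in password),
    }
    failures = [k for k in COMPLEXITY_KEYS if counts[k] < c.get(k, 0)]
    if c.get("excludeUsername") and username:
        local = username.split("@")[0].lower()
        if local and local in password.lower():
            failures.append("excludeUsername")
    return failures


if __name__ == "__main__":
    temp = minimal_password(SPOKE_POLICY)
    print("Spoke-derived temporary password fails Hub checks:", validate(temp, HUB_POLICY))
    print("Spoke requirements to raise to match the Hub:", weaker_requirements(SPOKE_POLICY, HUB_POLICY))
```

Running this with the sample policies reports minLength and minSymbol as the Hub checks the Spoke-derived password fails, and lists minLength, minSymbol and minAgeMinutes as the Spoke settings to raise; once weaker_requirements returns an empty dict for the two real policies (fetched with the helper and a read-only admin token), the Spoke policy is at least as strict as the Hub's and the failed assignment can be retried.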
