Org2Org Provisioning/Password Sync Did Not Push the Okta Password as Expected to Hub org Causing Okta Login Failure INVALID_CREDENTIAL
Okta Integration Network
Administration
Okta Classic Engine
Okta Identity Engine
Overview

Admins can enable the Sync Okta Password feature in the Org2Org app by going to Org2Org > Provisioning > To App > Password Sync > Sync Okta Password.

[Screenshot: Sync Okta Password setting]

However, when a user then tries to log in to the Hub org with the Spoke org's Okta password (which should have been synced over from the Spoke org), the Hub org's Okta user account may return a login failure with the error INVALID_CREDENTIALS.
[Screenshot: System Log entry showing Invalid Credentials]

The end user sees:

[Screenshot: "Unable to sign in" error message]

Applies To
  • Org2Org Provisioning
  • Password Sync - Sync Okta Password
  • Hub org's Okta user password login failure due to INVALID_CREDENTIALS
  • Federated/Identity Provider(IdP) Single Sign-on (SSO) user login (Optional)
  • Integrated Windows Authentication (IWA) / Active Directory Desktop Single Sign-on (ADSSO) Kerberos login (Optional)
Cause

This is working as designed for the Org2Org Provisioning Password Sync feature. The login error INVALID_CREDENTIALS means that password authentication in the Hub org failed because the credentials the end user entered did not match the password currently stored on the Hub org account.

During the initial Org2Org application assignment, only a randomly generated password (conforming to the applicable Okta password policy) is pushed to the Hub org. The user's actual Okta password is not synced to the provisioned Hub org account until a manual Okta password login is detected in the Spoke org after the Org2Org app assignment has been created, as documented below:

  • If the initial status is set to Active with password or Pending with password, Okta will generate a temporary password for the user. If Okta Password Sync is enabled, this temporary password will be overwritten when the user signs in.

NOTE: The login that triggers the sync must be a manual Okta password login. If the user signs in to the Spoke org via Federated SSO or IWA/ADSSO Kerberos login, their Okta password is never entered, so the second password sync (the one that pushes the actual Okta password to the linked Hub org account) is not triggered.

Solution

Please ask the end user to log in to the Spoke org with their Okta password, bypassing any IdP routing rule (if one exists). The Okta admin can then monitor the Spoke org's System Log and confirm that another Push Password Update has been triggered successfully for the Org2Org app in the Spoke org after the successful Okta password login.

Then have the end user attempt to log in to the Hub org again using the synced Okta password from the Spoke org. The login should now succeed without the INVALID_CREDENTIALS failure.
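The following script is an added example (not Okta's code) of the admin check described above: given exported System Log entries from the Spoke org, it verifies that a user's most recent successful login used the Okta password (not an IdP assertion) and that a successful push-password event for the Org2Org app followed it. The push event type name, the `credentialType` value for IdP logins, the app display name and all log entries are constructed assumptions; confirm the real event names against your own org's System Log.

```python
from datetime import datetime

LOGIN_EVENT = "user.session.start"                           # Okta event type
PUSH_EVENT = "app.user_management.push_password_update"      # assumed push event name


def _ts(s):
    """Parse an Okta-style ISO-8601 timestamp such as 2024-05-01T10:00:00.000Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def _target_login(e):
    """Login of the AppUser target of a push event (None if absent)."""
    return next((t.get("alternateId") for t in e.get("target", [])
                 if t.get("type") == "AppUser"), None)


def check_password_sync(entries, app_name, user_login):
    """Return (status, detail): SYNCED, PUSH_MISSING or NO_PASSWORD_LOGIN."""
    logins = [e for e in entries if e["eventType"] == LOGIN_EVENT
              and e["actor"].get("alternateId") == user_login
              and e["outcome"]["result"] == "SUCCESS"]
    # Only a manual Okta password login triggers the second sync; SSO/Kerberos do not.
    pw_logins = [e for e in logins
                 if e.get("authenticationContext", {}).get("credentialType") == "PASSWORD"]
    if not pw_logins:
        return "NO_PASSWORD_LOGIN", ("logins seen, none used the Okta password"
                                     if logins else "no successful login found")
    last_pw = max(_ts(e["published"]) for e in pw_logins)
    pushes = [e for e in entries if e["eventType"] == PUSH_EVENT
              and e["outcome"]["result"] == "SUCCESS"
              and _target_login(e) == user_login
              and any(t.get("displayName") == app_name for t in e.get("target", []))
              and _ts(e["published"]) >= last_pw]
    if not pushes:
        return "PUSH_MISSING", "password login at %s but no push after it" % last_pw.isoformat()
    return "SYNCED", "push at %s" % max(_ts(e["published"]) for e in pushes).isoformat()


SAMPLE_LOG = [  # constructed entries shaped like Okta System Log JSON
    {"eventType": LOGIN_EVENT, "published": "2024-05-01T10:00:00.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "authenticationContext": {"credentialType": "PASSWORD"}},
    {"eventType": PUSH_EVENT, "published": "2024-05-01T10:00:04.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "system@okta.com"},
     "target": [{"type": "AppInstance", "displayName": "Org2Org Hub"},
                {"type": "AppUser", "alternateId": "jdoe@example.com"}]},
    {"eventType": LOGIN_EVENT, "published": "2024-05-01T10:05:00.000Z",   # IdP SSO login
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "asmith@example.com"},
     "authenticationContext": {"credentialType": "ASSERTION"}},          # assumed value
]
```

Run `check_password_sync(SAMPLE_LOG, "Org2Org Hub", "jdoe@example.com")` to see SYNCED, while the SSO-only user asmith reports NO_PASSWORD_LOGIN, matching the note above.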