Password Sync Fails on an Org2Org Application
Lifecycle Management
Okta Classic Engine
Okta Identity Engine
Overview

Password sync does not work over an Org2Org application and fails with the following error:

Push new user to external application failure:

API validation failed: password (password: Password requirements were not met. Password requirements: at least 10 characters, a lowercase letter, an uppercase letter, a number, a symbol, no parts of your username. At least 1 day(s) must have elapsed since you last changed your password.)



or

 

FAILURE: Api validation failed: password (password: Password).

 


 

With the corresponding task:


or

Automatic provisioning of user Test Test to app Okta Org2Org failed: Error while creating user test.test@okta.com: HTTP error 400 (older version of the same error).

Applies To
  • Password Sync
  • API Services
  • SCIM
Cause

After checking the password policies and confirming that the password requirements do match, the cause of the error is that SCIM and JIT provisioning were both enabled for the Org2Org application, and the user's credentials were of type FEDERATION (visible by doing a user GET for the specific user ID). Password sync cannot occur for such a user because a federated user has no Okta password that can be updated.

Another reason for encountering the error message is a mismatch of password policies between the Hub Okta tenant (target, SP) and the Spoke Okta tenant (source, IdP).
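As an added example (not Okta's own code), the following Python performs the two checks described above offline against constructed data: it reads `credentials.provider.type` from the user object returned by the Users API GET for the user ID, and compares the `settings.password` complexity and age fields of the hub and spoke password policies (as returned by the Policies API) to find rules the hub enforces that the spoke does not. The user record, the policy fragments and the user ID are constructed for this example.

```python
import json

# Constructed: a spoke user whose credentials are sourced by the SAML IdP.
FEDERATED_USER = json.dumps({
    "id": "00uEXAMPLE", "status": "ACTIVE",
    "profile": {"login": "test.test@okta.com"},
    "credentials": {"provider": {"type": "FEDERATION", "name": "FEDERATION"}},
})

# Constructed `settings.password` fragments in which the hub demands more than the spoke.
HUB_PASSWORD_SETTINGS = {
    "complexity": {"minLength": 10, "minLowerCase": 1, "minUpperCase": 1,
                   "minNumber": 1, "minSymbol": 1, "excludeUsername": True},
    "age": {"minAgeMinutes": 1440},
}
SPOKE_PASSWORD_SETTINGS = {
    "complexity": {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                   "minNumber": 1, "minSymbol": 0, "excludeUsername": False},
    "age": {"minAgeMinutes": 0},
}


def user_sync_blocker(user_json):
    """Return why this user cannot be password-synced, or None if Okta holds the password."""
    cred = json.loads(user_json).get("credentials", {})
    provider = cred.get("provider", {}).get("type")
    if provider != "OKTA":
        # A FEDERATION-sourced user has no Okta password to push to the hub.
        return f"credentials.provider.type is {provider}, not OKTA"
    return None


def policy_gaps(hub, spoke):
    """Hub (target) rules stricter than spoke (source) rules; passwords valid only on the spoke fail hub validation."""
    gaps = []
    h, s = hub.get("complexity", {}), spoke.get("complexity", {})
    for key in ("minLength", "minLowerCase", "minUpperCase", "minNumber", "minSymbol"):
        if h.get(key, 0) > s.get(key, 0):
            gaps.append(f"{key}: hub {h.get(key, 0)} > spoke {s.get(key, 0)}")
    if h.get("excludeUsername") and not s.get("excludeUsername"):
        gaps.append("excludeUsername: hub requires it, spoke does not")
    min_age = hub.get("age", {}).get("minAgeMinutes", 0)
    if min_age:
        # Matches the 'At least 1 day(s) must have elapsed' part of the error.
        gaps.append(f"minAgeMinutes: hub rejects changes within {min_age} minutes")
    return gaps
```

Run `user_sync_blocker` on the affected user first; if it reports FEDERATION, the solution below applies regardless of any policy gaps.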


Solution

For the sync to work, the user must not be mastered by the SAML IdP, so removing JIT from the IdP is advised. Password sync cannot occur for users who are mastered by the IdP and have their credentials sourced by it.

 

There are two ways to fix the affected users:

  1. Have the user re-provisioned via SCIM:

    1. Remove the user from the application in the spoke.

    2. Delete the user from the HUB.

    3. Re-add the user to the ORG2ORG application in the Spoke and let it re-provision.

  2. Disconnect the user from the IDP:

    1. Disconnect the user from the IDP on the HUB.

    2. Deactivate de-provisioning from the Provisioning > To App page.

    3. Unassign the user from the ORG2ORG app.

    4. Re-assign the user to the ORG2ORG app and let it provision.


Related References
