Users are Unable to Login Using Imported Hashed Password
Lifecycle Management
Okta Classic Engine
Overview

Users created with the Create User with Imported Hashed Password operation cannot log in to the Okta tenant for the first time.

Applies To
  • Create User with Imported Hashed Password
  • Okta Classic Engine
Cause
The values provided when creating the user are incorrect, so Okta cannot evaluate the submitted credentials and authenticate the user.
Solution
  1. Check that the algorithm used to hash the password is one of the supported algorithms listed in the Users API documentation.

  2. If the algorithm is supported, check that the routine used to generate the password hash returns the raw binary digest and not an encoded (for example, hexadecimal) string. This step matters because Okta requires the raw binary output of the hash function.

  3. In the payload sent to Okta, check that both the password hash and the salt are Base64 encoded and not sent as plain text.


Example:
In the following example, Okta will use SHA-512 as the algorithm in order to create the user with an imported hashed password.


The initial values that will be used are the following:

  • Password: s3cr3tp@ssw0rd

  • Salt: &*GAH*AO*AL)AF#P(AHG#A

  • Salt order: postfix

The first step is to concatenate the password and salt, having the salt at the end, as the salt order is set to postfix. The resulting string will be:

s3cr3tp@ssw0rd&*GAH*AO*AL)AF#P(AHG#A

This string is then hashed with SHA-512, and the raw digest is encoded in Base64. The result of this operation will be:

Zz6KwLGDm7ospSipwpDmxAjBWHKPLgGh1roGzI267h6txr/ihTI/R4K2eYrpyc0R24qCSF6DRqNl110vZZtj4A==

The only step left is to encode the salt in Base64, which gives the following result:

JipHQUgqQU8qQUwpQUYjUChBSEcjQQ==

With these values, we can create the payload that will be sent to Okta. Here is a cURL example for this request:

curl -X POST 'https://yourOktaOrg.okta.com/api/v1/users?activate=true' \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS API_TOKEN_HERE' \
  -H 'Content-Type: application/json' \
  -d '{
    "profile": {
      "firstName": "John",
      "lastName": "Doe",
      "email": "john.doe@example.com",
      "login": "john.doe@example.com"
    },
    "credentials": {
      "password": {
        "hash": {
          "algorithm": "SHA-512",
          "saltOrder": "POSTFIX",
          "salt": "JipHQUgqQU8qQUwpQUYjUChBSEcjQQ==",
          "value": "Zz6KwLGDm7ospSipwpDmxAjBWHKPLgGh1roGzI267h6txr/ihTI/R4K2eYrpyc0R24qCSF6DRqNl110vZZtj4A=="
        }
      }
    }
  }'
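The following script, added here as an illustration and not part of the original article or of Okta's own tooling, carries out steps 2 and 3 for the SHA-512 example above: it concatenates password and salt in the requested order, Base64-encodes the raw digest and the salt, and builds the credentials object for the request body. It also shows the value produced by the common mistake from step 2 (Base64 of the hex digest instead of the raw digest) so the two can be told apart by length. The password and salt are the constructed sample values from the article; the function names are the author's own.

```python
import base64
import hashlib
import json

# Constructed sample values, taken from the worked example in the article.
PASSWORD = "s3cr3tp@ssw0rd"
SALT = "&*GAH*AO*AL)AF#P(AHG#A"


def okta_hash_credential(password: str, salt: str, salt_order: str = "POSTFIX") -> dict:
    """Build the credentials.password.hash object for an Okta SHA-512 import.

    Okta verifies SHA-512 imports against the raw digest of password+salt
    (POSTFIX) or salt+password (PREFIX); both digest and salt are Base64.
    """
    if salt_order == "POSTFIX":
        material = password + salt
    elif salt_order == "PREFIX":
        material = salt + password
    else:
        raise ValueError(f"unsupported saltOrder: {salt_order}")
    # .digest() returns the 64 raw bytes; .hexdigest() would be the wrong input.
    raw_digest = hashlib.sha512(material.encode("utf-8")).digest()
    return {
        "algorithm": "SHA-512",
        "saltOrder": salt_order,
        "salt": base64.b64encode(salt.encode("utf-8")).decode("ascii"),
        "value": base64.b64encode(raw_digest).decode("ascii"),
    }


def wrong_hash_value(password: str, salt: str) -> str:
    """Step 2 failure mode: Base64 of the hex-encoded digest (128 chars in, 172 out).
    Okta cannot verify a login against this value."""
    hex_digest = hashlib.sha512((password + salt).encode("utf-8")).hexdigest()
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")


def build_user_payload(login: str, first: str, last: str, password: str, salt: str) -> str:
    """Return the JSON body for POST /api/v1/users?activate=true."""
    body = {
        "profile": {"firstName": first, "lastName": last, "email": login, "login": login},
        "credentials": {"password": {"hash": okta_hash_credential(password, salt)}},
    }
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    print(build_user_payload("john.doe@example.com", "John", "Doe", PASSWORD, SALT))
```

A correctly encoded SHA-512 value is always 88 Base64 characters ending in "=="; a 172-character value is the tell-tale sign that a hex string was encoded instead of the raw digest.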
