The Okta Sign-In Widget displays a generic Unable to sign in error message as a security feature to prevent attackers from distinguishing between valid and non-existent users or between failed password attempts and locked-out accounts. Common causes include an incorrect password, a locked account, an unassigned application, or an active policy restriction. End users can resolve many sign-in failures by clearing their browser cache or resetting their passwords, while IT admins can identify the specific cause by reviewing the Okta System Log.

The following error displays when a user attempts to sign in to Okta:

Unable to sign in

• Okta Identity Engine (OIE)
• Okta Classic Engine
• Sign-In Widget
• Login failures

The Okta Sign-In Widget intentionally displays a generic error message as a security measure. This behavior prevents attackers from determining whether a sign-in failure is due to a specific condition. The following are the most common causes of this error:

• Incorrect password: The user enters an invalid password for the account.
• Locked account: Okta locks the account after repeated failed sign-in attempts.
• Application not assigned: The user attempts to access an application that Okta has not assigned to their account.
• Policy restriction: An active Okta Global Session Policy (Okta Sign-on Policy for Okta Classic tenants) or Authentication Policy blocks the sign-in attempt based on configured rules.

How is the Unable to Sign In error resolved?

The appropriate resolution depends on the role of the person encountering the error. The following sections outline steps for end-users and IT admins.

For End-Users

End-users can resolve many common sign-in failures by clearing their browser cache or initiating a self-service account unlock or password reset. Follow the steps below to attempt self-service resolution.

1. Clear the browser cache and cookies, then attempt to sign in again.
2. Navigate to the Okta sign-in page and select Unlock account? or Forgot password? to unlock the account or initiate a password reset.
3. Follow the on-screen prompts to either unlock the account or reset the password, then sign in again.
4. If the issue persists after completing the steps above, contact the organization's IT administrator for further assistance.

For IT Admins

IT admins can use the Okta System Log to identify the specific cause of a failed sign-in attempt. The following steps describe how to locate and interpret the relevant log events.

1. Sign in to the Okta Admin Console.
2. Go to Reports, then choose System Log.
3. Enter a search filter to locate the relevant sign-in event. The following are examples of useful filters:
   • eventType eq "user.session.start" — returns all sign-in attempt events.
   • outcome.result eq "FAILURE" — filters results to show only failed attempts.
   • actor.alternateId eq "<user@domain.com>" — filters results by a specific user.
4. Select the relevant event to expand the event details.
5. Review the Reason field in the event details to identify the specific cause of the failure. 
6. Take the appropriate corrective action based on the identified cause:
   • To unlock the account, go to Directory, choose People, select the affected user, and select Unlock.
   • To assign an application, go to Applications, choose Applications, select the relevant application, navigate to the Assignments tab, and assign the user.
   • To review policy configurations, go to Security, then choose Authentication Policies and review the rules applied to the relevant application.

Related References

• Okta Login Page Shows Up Even if the Domain is Incorrect or Does Not Exist
• System Logs
• Useful System Log Queries