This article explains why authentication fails when using an external Identity Provider (IdP) with the following error:
FAILURE: User Denied/Rejected
- Security Assertion Markup Language (SAML) Identity Provider (IdP)
- Single Sign-On (SSO)
The error occurs because the external IdP configuration restricts access based on a specific username format. When the system attempts to authenticate a user, if the username does not satisfy the pattern requirements, the authentication request is rejected.
To resolve this issue, update the RegEx pattern to accommodate the user's username or disable the restriction.
- In the Okta Admin Console, navigate to Security > Identity Providers.
- Locate the affected external IdP and select Action > Configure Identity Provider.
- Scroll to the Only allow usernames that match defined RegEx Pattern setting.
- Perform one of the following actions:
  - Clear the checkbox to remove the username restriction.
  - Modify the field so the pattern allows the restricted username.
- Click Update Identity Provider to save the configuration.
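Before changing the setting, it helps to confirm which usernames the current pattern rejects and to pre-check a proposed pattern against every username that must keep working. The following Python is an added example, not Okta's code; it assumes the setting is evaluated as a whole-string match on the username, and the patterns and usernames are constructed samples.

```python
import re
from typing import Iterable, List

# Constructed sample: the pattern currently configured on the external IdP and a
# proposed replacement that also admits the partner domain. Assumption: Okta
# applies the pattern to the entire username, not as a substring search.
CURRENT_PATTERN = r"^[A-Za-z0-9._%+-]+@example\.com$"
PROPOSED_PATTERN = r"^[A-Za-z0-9._%+-]+@(example|partner-example)\.com$"

# Constructed usernames as they would arrive in the SAML assertion.
SAMPLE_USERNAMES = [
    "alice@example.com",
    "bob.smith@example.com",
    "carol@partner-example.com",   # rejected by CURRENT_PATTERN
    "dave@example.com.evil.test",  # must stay rejected by any pattern
]


def username_allowed(pattern: str, username: str) -> bool:
    """True when the username satisfies the RegEx restriction (whole-string match)."""
    return re.fullmatch(pattern, username) is not None


def rejected_usernames(pattern: str, usernames: Iterable[str]) -> List[str]:
    """Usernames that would produce 'FAILURE: User Denied/Rejected' under pattern."""
    return [u for u in usernames if not username_allowed(pattern, u)]


def safe_to_apply(new_pattern: str, must_allow: Iterable[str], must_deny: Iterable[str]) -> bool:
    """Pre-check a proposed pattern before saving it in the Admin Console:
    it must compile, admit every expected username and reject every lookalike."""
    try:
        re.compile(new_pattern)
    except re.error:
        return False
    allows_all = all(username_allowed(new_pattern, u) for u in must_allow)
    denies_all = not any(username_allowed(new_pattern, u) for u in must_deny)
    return allows_all and denies_all


if __name__ == "__main__":
    print("Rejected now:", rejected_usernames(CURRENT_PATTERN, SAMPLE_USERNAMES))
    print("Rejected after change:", rejected_usernames(PROPOSED_PATTERN, SAMPLE_USERNAMES))
```

Run the pre-check against a full export of expected usernames rather than a handful, since a pattern that is too broad (for example `.*`) silently removes the restriction instead of fixing it.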
