When an Independent Software Vendor (ISV) partner attempts to set up Single Sign-On (SSO) using Express Configuration during the Okta Integration Network (OIN) submission process, the following error is displayed after clicking Express Configure SSO:

Failed to Express Configure the application. Please retry or contact Okta support.

 
The network response returns an "oauth_error" with HTTP 403:

oauth_error

{
  "errorCode": "oauth_error",
  "errorSummary": "Failed to Express Configure the application. Please retry or contact Okta support.",
  "errorCauses": []
}

• Okta Integration Network (OIN)
• Okta Identity Engine (OIE)
• Express Configuration
• ISV Partners Configuring Express Configuration in the OIN Wizard

The Express Configuration flow requires specific prerequisites in the Auth0 dashboard before a connection between Auth0 and Okta can be established. The oauth_error occurs when one or more of the following configuration steps have not been completed:

• A role with the permissions express_configure:sso and express_configure:scim has not been created in Auth0 and assigned to the application user.
• Home Realm Discovery has not been enabled in Auth0.
• The application user has not been assigned to the Auth0 organization.

Without these steps in place, Okta cannot authenticate the Express Configuration request, resulting in a 403 error code.

Complete all of the following prerequisites in the Auth0 dashboard before clicking Express Configure SSO in Okta.

1. Create a role and assign Express Configuration permissions. Refer to Assign a new role to application users in the Auth0 documentation. 
   1. Log in to the Auth0 Dashboard.
   2. Navigate to User Management > Roles.
   3. Create a new role.

1. 4. Assign the following permissions to the role:
      • express_configure:sso
      • express_configure:scim

1. 5. Assign the role to the relevant application user.

2. Enable Home Realm Discovery.
   1. In the Auth0 Dashboard, navigate to the relevant application.
   2. Enable Home Realm Discovery for the application.

3. Assign the user to the Auth0 organization.
   1. In the Auth0 Dashboard, navigate to Organizations.
   2. Select the relevant organization.
   3. Assign the application user to the organization.

4. Verify the OIN integration setup is complete. Before retrying Express Configure SSO, confirm that Steps 2–4 of the Add Express Configuration to your OIN integration guide have been completed. This includes:
   1. Copying the OIN integration configuration from the Auth0 Dashboard.
   2. Paste it into the Express Configuration Information field in the Okta OIN Wizard.
   3. Downloading the public key (.pem file) from the Okta OIN Wizard.
   4. Uploading the .pem file to Auth0 and saving.
   5. Returning to the Okta OIN Wizard and clicking Finish.

5. Retry Express Configuration in Okta.
   1. Navigate to the OIN test app instance in the Okta Admin Console.
   2. Click Express Configure SSO.

The connection between Auth0 and Okta should now complete successfully.

Related References

• Auth0 Express Configuration Overview
• Add Express Configuration to your OIN integration
• Assign a new role to application users
• Enable Home Realm Discovery