
Fixing "User Creation Was Disabled" for OIDC IdP Logins in Okta

API Access Management
Okta Classic Engine
Okta Identity Engine

Overview

When a user attempts to log in with an Identity Provider (IdP), they may encounter the following error:

 

OAuthError: User Creation Was Disabled

 

This happens when a user authenticates successfully, but no existing account is found for linking, and Just-in-Time (JIT) provisioning is disabled in either the IdP configuration or at the Okta tenant level.

Applies To

  • OpenID Connect (OIDC)
  • Identity Provider (IdP)
  • Just-in-Time (JIT) Provisioning
  • Okta Classic Engine
  • Okta Identity Engine (OIE)

Cause

This error is caused by a specific setting in the OIDC IdP configuration: Just-in-Time (JIT) Provisioning is disabled.


This means that even when a user authenticates correctly with the IdP, the login fails at the final step because an existing account cannot be found for the new user (resulting in an account linking failure).

This error message is presented in two primary ways:

  • On a custom application error page: OAuthError: User creation was disabled.

  • On an Okta-hosted page, such as the Okta Dashboard: User creation was disabled.


Solution

There are two ways to fix this error:

  1. Enable JIT Provisioning. The simplest solution is to turn on Just-in-Time (JIT) provisioning in the OIDC IdP settings. This allows the application to automatically create accounts for new users upon their first successful login, resolving the error immediately.

     If JIT Provisioning is enabled in the OIDC IdP settings, also verify that it is enabled at the Okta org level by going to Customizations > Other > Enable Just In Time Provisioning in the Okta Admin Console.

  2. Custom Error Handling for Apps. For custom applications where JIT must remain disabled, handle the error in the code. Configure the application to:

       1. Capture the error when the user returns from the Identity Provider's callback URL, which will be in the format: http://localhost:8080/login/callback?state=xxxxxxx&error=access_denied&error_description=User+creation+was+disabled.
       2. Redirect the user programmatically to a user-friendly page, such as the Okta sign-in page with an explanatory message, instead of showing the default error.
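
One way to implement the capture and redirect steps above in an application's callback handler, as an added example rather than Okta's or this page's own code. The `/login/notice` route, the reason codes and the function names are assumptions; the handler checks `state` before trusting the error and never reflects `error_description` back to the user.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this sketch (not Okta names): the notice route and reason codes.
NOTICE_PATH = "/login/notice"
JIT_DISABLED_TEXT = "user creation was disabled"

def _single(params, name):
    """Return a parameter only if it appears exactly once (duplicates are rejected)."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None

def classify_callback(callback_url, expected_state):
    """Map an IdP callback request to a fixed reason code.

    expected_state is the value the app stored in the user's session before
    redirecting to the IdP.
    """
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    state = _single(params, "state")
    # Check state first so an unsolicited callback cannot drive the error page.
    if (not expected_state or state is None
            or not hmac.compare_digest(state.encode(), expected_state.encode())):
        return "invalid_state"
    if "error" not in params:
        return "ok"  # continue with the normal authorization-code exchange
    error = _single(params, "error")
    description = (_single(params, "error_description") or "").strip().rstrip(".").lower()
    if error == "access_denied" and description == JIT_DISABLED_TEXT:
        return "account_not_provisioned"
    return "idp_error"  # log the raw description server-side, do not display it

def redirect_for(reason):
    """Build the redirect from the reason code only.

    error_description is attacker-controllable query text, so it is never
    copied into the Location header or the rendered page.
    """
    if reason == "ok":
        return None
    return NOTICE_PATH + "?" + urlencode({"reason": reason})

# Constructed sample: the callback format shown above, with a placeholder state.
SAMPLE = ("http://localhost:8080/login/callback?state=xxxxxxx"
          "&error=access_denied&error_description=User+creation+was+disabled")
if __name__ == "__main__":
    print(redirect_for(classify_callback(SAMPLE, "xxxxxxx")))
```

The notice page then renders its own fixed message for each reason code, for example telling the user that no account exists yet and whom to contact.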
