Okta Identity Provider Users Fail to Log In Due to Account Management Policy DENY
Overview
Identity Provider (IdP) users experience login failures when the IdP configuration in Okta has the Trust claims from this identity provider setting enabled, but the IdP does not pass any amr claim. To resolve this, either configure the IdP to pass the amr claim with a value of "pwd" or clear the trust claims setting in Okta.
Users attempting to log in via the IdP encounter the following error message:
Unable to sign in. Contact Support for assistance
The System Log displays the following event:
Evaluation of Okta Account Management Policy DENY
Applies To
- Okta Identity Engine (OIE)
Cause
The IdP configuration in Okta has the Trust claims from this identity provider setting enabled, but the IdP does not pass any amr claims. When this setting is enabled, Okta only trusts the IdP as a password factor if the amr claim is passed with a value of "pwd".
Solution
Modify the Identity Provider configuration in Okta or configure the external Identity Provider to pass the required claim to resolve the login failure.
- Configure the external IdP to pass the amr claim with a value of "pwd".
- Alternatively, clear the Trust claims from this identity provider setting in the Okta IdP configuration. When this setting is cleared, Okta treats the IdP as a password factor by default.
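The following is an added diagnostic example, not Okta's code: it reads the amr claim out of a constructed OIDC ID token and applies the rule described above (with trust claims enabled, the IdP counts as a password factor only when amr contains "pwd"; with it cleared, it counts by default) so an admin can see which combination produces the DENY. The token strings and the helper names are assumptions made for the demo.

```python
import base64
import json

# Constructed sample tokens (not real Okta or IdP tokens). The header and
# signature segments are placeholders; only the payload claims matter here.
_HEADER = {"alg": "RS256", "typ": "JWT"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a constructed ID token with a placeholder signature for the demo."""
    return ".".join([_b64url(json.dumps(_HEADER).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "placeholder-signature"])


TOKEN_WITH_PWD = make_sample_token({"sub": "user@example.com", "amr": ["pwd"]})
TOKEN_NO_AMR = make_sample_token({"sub": "user@example.com"})


def amr_values(id_token: str) -> list:
    """Return the amr claim as a list. Diagnostic only: this does not verify
    the signature, so use it on tokens you already trust (e.g. from logs)."""
    segment = id_token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    amr = payload.get("amr", [])
    return amr if isinstance(amr, list) else [amr]


def idp_is_password_factor(trust_claims: bool, amr: list) -> bool:
    """Mirror the policy rule: trust-claims on => need "pwd" in amr;
    trust-claims off => the IdP is treated as a password factor by default."""
    return "pwd" in amr if trust_claims else True


def diagnose(trust_claims: bool, id_token: str) -> str:
    """Explain the expected policy outcome for a given setting and token."""
    amr = amr_values(id_token)
    if idp_is_password_factor(trust_claims, amr):
        return "ALLOW"
    return "DENY: trust claims enabled but amr lacks 'pwd' (amr=%r)" % (amr,)


if __name__ == "__main__":
    for trust in (True, False):
        for name, tok in (("with pwd", TOKEN_WITH_PWD), ("no amr", TOKEN_NO_AMR)):
            print(f"trust_claims={trust}, token {name}: {diagnose(trust, tok)}")
```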
