This article explains a potential cause of the 403 error "Error: The account undefined". This issue has been observed only in a Service Provider (SP) initiated flow.
"code": 403, "message": "Error: The account undefined does not have access to "specific organization name" with authorize ways: local"
- Custom SAML 2.0
- Palo Alto IoT Securities
- SP initiated flow
The underlying cause of Error: The account undefined seems to be a mismatch between the username format in the Okta application and the way accounts are defined in the Palo Alto IoT Securities application.
To resolve the Error: The account undefined issue:
Modify the username format in the Okta application to be consistent with the format of the accounts as they appear in the Palo Alto IoT Securities application.
- Go to the Okta organization's Admin interface and locate the specific Palo Alto IoT Securities Custom SAML application.
- Click on the Sign On tab and select Edit.
- Proceed to Credentials Details and find Application username format.
- From the dropdown, select the format that Palo Alto requires (if Palo Alto expects email as the username, select email).
- After making the above adjustments, verify by attempting to sign in. The accounts should now match up, and sign-in should be successful.
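A diagnostic for the verification step, as an added example that is not from the original article or from Okta or Palo Alto: it decodes a SAMLResponse captured from a test sign-in and compares the NameID (the assertion subject, which is where Okta sends the Application username) with the account names as they appear on the Palo Alto side. The sample response, the account names and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned SAML response as the IdP would POST it.
_SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Assertion><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'jdoe</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
)
SAMPLE_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()

def extract_name_id(saml_response_b64):
    """Return (value, format) of the assertion's NameID, or (None, None)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    # An encrypted assertion has no readable NameID and also lands here.
    if node is None or not (node.text or "").strip():
        return None, None
    return node.text.strip(), node.get("Format")

def diagnose(saml_response_b64, sp_accounts):
    """Compare the NameID with the account names defined on the SP side."""
    name_id, _fmt = extract_name_id(saml_response_b64)
    if name_id is None:
        return "no NameID in assertion"
    if name_id in sp_accounts:
        return "match"
    # Case-insensitive hit: same account, different letter case.
    if name_id.lower() in {a.lower() for a in sp_accounts}:
        return "case mismatch"
    # Email vs. email-prefix hit: the username-format mismatch described above.
    local_parts = {a.split("@")[0].lower() for a in sp_accounts}
    if name_id.split("@")[0].lower() in local_parts:
        return "format mismatch (email vs. email prefix)"
    return "no such account"

if __name__ == "__main__":
    print(extract_name_id(SAMPLE_RESPONSE))
    print(diagnose(SAMPLE_RESPONSE, ["jdoe@example.com"]))
```

Run it only on responses captured from your own test sign-in; the standard-library XML parser is not hardened against hostile input.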
