New IdP Authentication Flow Shows "General_NonSuccess" or "400 Bad Request"
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

When an end user tries to log in to Okta via an external IdP flow, the following errors can be seen:

General_NonSuccess
400 Bad Request


Admins will see a successful authentication in the IdP logs but no event logs on the Okta Service Provider's end.




Applies To
  • IDP configuration via User Interface
  • Outbound SAML
  • Org2Org setup
  • Single Sign-On (SSO)
Cause

These errors can occur due to a recent change in the default configuration for the Account Link Policy setting on the IdP configuration page. Previously, the default for the Account Link Policy was Automatic. Based on the security recommendation, the default has been changed and is now Disabled for new IdP configurations.
 

When users follow the basic configuration from this documentation, the following error is encountered:

400 General_Nonsuccess. 

Another cause could be the use of Pascal case. As seen in this sample SAML trace, the issue is caused by the attribute assertions from the IdP: the attribute names are in Pascal case instead of camel case. There is no option in Okta to prevent this or change it.
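
One way to spot the casing problem in a captured assertion, as an added example (not Okta's code and not part of the original article). The expected camelCase names and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the attribute names the SP-side mapping expects, in camelCase.
EXPECTED = ("firstName", "lastName", "email", "mobilePhone")

# Constructed sample, not taken from a real trace.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="LastName"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_attribute_casing(assertion_xml, expected=EXPECTED):
    """Return (mismatched, missing) for the attribute names in an assertion.

    mismatched: {name_sent_by_idp: expected_name} where only the case differs.
    missing: expected names with no match at all, even ignoring case.
    """
    # Only parse traces you captured yourself; the standard-library parser
    # is not hardened against malicious XML (use defusedxml for untrusted input).
    root = ET.fromstring(assertion_xml)
    sent = [a.get("Name", "") for a in root.iterfind(".//saml2:Attribute", SAML_NS)]
    by_lower = {name.lower(): name for name in sent}
    mismatched, missing = {}, []
    for want in expected:
        got = by_lower.get(want.lower())
        if got is None:
            missing.append(want)
        elif got != want:
            mismatched[got] = want
    return mismatched, missing


if __name__ == "__main__":
    mismatched, missing = check_attribute_casing(SAMPLE_ASSERTION)
    for got, want in mismatched.items():
        print(f"case mismatch: IdP sent {got!r}, expected {want!r}")
    for want in missing:
        print(f"not present: {want!r}")
```

Since the article notes that Okta has no option to change the casing, a mismatch reported here has to be corrected in the attribute statements the IdP sends.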


[Image: sample SAML trace]

 
 
Solution

To edit the Account Link Policy setting on the IdP configuration page, follow these steps:

  1. Go to the Okta Admin Dashboard.
  2. Click on Security.
  3. Select Identity Providers.
  4. Click on Actions.
  5. Select Configure Identity Provider.
  6. Change from Disabled to Automatic.

[Image: IdP Account Link Policy setting]
