<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Okta Password Prompt Displays for Non-Existent or Incorrect Usernames When User Enumeration Prevention Is Disabled

Okta Classic Engine
Okta Identity Engine
Administration

Overview

Even with the User Enumeration Prevention security feature disabled, the Okta sign-in page still displays a password prompt when an incorrect or non-existent username is entered, rather than immediately showing the Unable to sign in error. This behavior is caused by Just-In-Time (JIT) Provisioning being enabled in the tenant. Disabling JIT Provisioning resolves the issue and restores the expected error message behavior.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Okta Sign-In Widget / Sign-In Page
  • User Enumeration Prevention
  • Just-In-Time (JIT) Provisioning

Cause

Just-In-Time (JIT) Provisioning is enabled in the tenant. When JIT Provisioning is enabled, Okta cannot immediately determine whether an unrecognized username is truly invalid or a valid user who exists in an external Identity Provider (IdP), such as Active Directory or Lightweight Directory Access Protocol (LDAP), but has not yet been provisioned in Okta. To support the latter scenario, Okta must collect a password and attempt to authenticate against the external IdP before determining whether the username is valid. This mimics the behavior of User Enumeration Prevention, always showing the password screen, even though that feature remains disabled.

Solution

How is the password prompt displaying for non-existent or incorrect usernames behavior resolved when User Enumeration Prevention is disabled?

Disable Just-In-Time Provisioning in the Okta Admin Console to restore the expected error message behavior for invalid usernames.

 

NOTE: Only disable JIT Provisioning if it is not required for the environment. If the organization relies on JIT to provision users from an external IdP on first login, disabling it globally prevents those users from being auto-created. In that case, consider whether the "proceed to password screen" behavior for unknown usernames is an acceptable trade-off, or evaluate per-application JIT settings instead of the global toggle.

 

  1. In the Okta Admin Console, go to Customizations > Other.
  2. Select Edit under Just In Time Provisioning.
  3. Clear the Enable Just In Time Provisioning checkbox to disable the global setting. Alternatively, if JIT is only needed for a specific use case, review and clear the JIT provisioning – Create and update users on login checkbox under the relevant Directory or Application Provisioning > To Okta settings instead.
  4. Select Save.
  5. Re-test the sign-in flow with an invalid or non-existent username. Okta should now immediately display Unable to sign in rather than proceeding to the password prompt.
    Unable to sign in 

 

Related References

Loading
Okta Support - Okta Password Prompt Displays for Non-Existent or Incorrect Usernames When User Enumeration Prevention Is Disabled