An Okta sign-in failure occurs when an Authentication Policy requires an authenticator that the user cannot access or enroll in based on the Authenticator Enrollment Policy. Review and adjust the Authentication Policies and Authenticator Enrollment Policies to ensure users can enroll in the required factors. When this issue occurs, a user experiences a sign-in failure, and Okta logs the following event in the System Log.
Access has been denied because the policy requirements could not be satisfied by the users’ current set of available authenticator enrollments.
Review the System Log to identify the specific policy requirement error message.
- Okta Identity Engine (OIE)
- Multifactor Authentication (MFA)
- Authenticator Enrollment Policy
- Authentication Policy
This error occurs if an Authentication Policy requires an authenticator that a user is not enrolled in or cannot enroll in per the Authenticator Enrollment Policy. It also occurs when the enrolled authenticator does not meet other conditions of the Authentication Policy or Authenticator Enrollment Policy. Examples include authenticator constraints such as Hardware Protection in the Authentication Policy, or Network Zone conditions within the Authenticator Enrollment Policy, which prevent the user from matching the expected policy.
How do you resolve the access denied issue in Okta when the policy requirements are not satisfied by the user's current available authenticator enrollments?
Review the Authentication Policies and the Authenticator Enrollment Policy scoped to the user to ensure the user can enroll in the required factors, verifying the authenticator definitions and network zone configurations.
- Verify that the user is enrolled in and has access to the authenticator defined by the Authentication Policies.
- If the Authentication Policy requires only Okta Verify or WebAuthn to satisfy the authentication conditions, at least one of these authenticators must be available in the user's Authenticator Enrollment Policy for the user to enroll and satisfy the policy conditions.
- A conflict occurs when Authentication Policies define certain constraints, such as the Hardware Protection constraint. If the user's hardware does not support Hardware Protection, the user cannot use the enrolled authenticator for authentication, and Okta displays the error message. In this instance, the user must enroll in a supported authenticator. Review the possession factor constraints in the Add an authentication policy rule documentation for definitions.
- Ensure the user's Authenticator Enrollment Policy allows the user to enroll in and use the specified factor.
- Verify whether Network Zones are configured in the Authenticator Enrollment Policies. Because Okta evaluates Authenticator Enrollment Policies in the context of the authentication request, a change to the user's network can cause the user to fall under an unanticipated enrollment policy, removing the ability to use previously enrolled authenticators.
How do network zones affect authenticator enrollment policies?
Review the following scenario to understand how network zones impact policy assignment and authenticator availability.
- A user named <TestUser1> belongs to <TestGroup1>.
- The Authenticator Enrollment Policy for <TestGroup1> is named <EP1>, which allows the enrollment of Okta Verify and SMS. <EP1> also dictates that the user must be within the network zone named <Office>.
- The <Office> network zone is defined as 10.10.10.1/24.
- When <TestUser1> is in the <Office> network zone, the user receives an IP address of 10.10.10.20.
In this scenario, <TestUser1> successfully enrolls in the Okta Verify and SMS authenticators and uses them in all Authentication Policies that require them. If <TestUser1> does not connect from within the <Office> network zone, Okta does not assign the user to the <EP1> Authenticator Enrollment Policy. Consequently, the user loses the ability to use or enroll in Okta Verify or SMS, depending on the matched Authenticator Enrollment Policy or Authentication Policy. Okta usually falls back to the default enrollment policies for authenticator availability.
NOTE: The Access Testing Tool verifies whether Okta assigns the expected policies to the user.
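The following is an added, simplified model of the policy evaluation described in the resolution steps above and in the <TestUser1> network zone scenario. It is not Okta's own code or API; it reproduces only the logic this article describes: an enrollment policy is assigned to the user by group membership and network zone (falling back to a default policy), and sign-in succeeds only if an authenticator that the Authentication Policy accepts is both allowed by that enrollment policy and enrolled (and, when Hardware Protection is required, backed by supporting hardware). The <Office>, <EP1>, and <TestGroup1> names and the 10.10.10.1/24 and 10.10.10.20 values come from the scenario; the "Everyone" group, the "Password" authenticator, the "Default Policy" name, and the example Authentication Policy requiring Okta Verify or WebAuthn are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# System Log message from the article, returned when no usable authenticator remains.
DENY_MESSAGE = (
    "Access has been denied because the policy requirements could not be "
    "satisfied by the users' current set of available authenticator enrollments."
)


@dataclass
class NetworkZone:
    name: str
    cidrs: list  # CIDR strings; strict=False lets "10.10.10.1/24" mean 10.10.10.0/24

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs)


@dataclass
class EnrollmentPolicy:
    name: str
    groups: set                     # groups the policy is assigned to
    allowed_authenticators: set     # authenticators the user may enroll in / use
    zones: list = field(default_factory=list)  # empty list = no network condition


@dataclass
class AuthenticationPolicy:
    name: str
    required_authenticators: set    # any one of these satisfies the rule
    hardware_protected: bool = False  # possession-factor constraint from the article


def assign_enrollment_policy(policies, default, user_groups, ip):
    """First policy whose group and network zone conditions both match wins;
    otherwise the user falls back to the default policy (as the article describes)."""
    for policy in policies:
        if not (policy.groups & user_groups):
            continue
        if policy.zones and not any(z.contains(ip) for z in policy.zones):
            continue
        return policy
    return default


def evaluate_sign_in(auth_policy, enrollment_policy, enrolled, hw_protected=frozenset()):
    """Return (outcome, authenticators). hw_protected is the subset of enrolled
    authenticators whose hardware supports Hardware Protection (constructed input)."""
    available = enrolled & enrollment_policy.allowed_authenticators
    usable = available & auth_policy.required_authenticators
    if auth_policy.hardware_protected:
        usable &= set(hw_protected)
    if usable:
        return "ALLOW", sorted(usable)
    # Nothing usable: can the user still enroll in something the auth policy accepts?
    can_enroll = auth_policy.required_authenticators & (
        enrollment_policy.allowed_authenticators - enrolled)
    if can_enroll:
        return "ENROLL_REQUIRED", sorted(can_enroll)
    return "DENY", [DENY_MESSAGE]


# Scenario objects (names and addresses from the article; the rest constructed).
OFFICE = NetworkZone("Office", ["10.10.10.1/24"])
EP1 = EnrollmentPolicy("EP1", {"TestGroup1"}, {"Okta Verify", "SMS"}, [OFFICE])
DEFAULT_EP = EnrollmentPolicy("Default Policy", {"Everyone"}, {"Password"})
AUTH_POLICY = AuthenticationPolicy("Require Okta Verify or WebAuthn",
                                   {"Okta Verify", "WebAuthn"})


def scenario(ip, enrolled=frozenset({"Password", "Okta Verify", "SMS"})):
    """TestUser1 signing in from a given IP with a given set of enrollments."""
    user_groups = {"TestGroup1", "Everyone"}
    ep = assign_enrollment_policy([EP1], DEFAULT_EP, user_groups, ip)
    outcome, auths = evaluate_sign_in(AUTH_POLICY, ep, set(enrolled))
    return ep.name, outcome, auths


if __name__ == "__main__":
    print("in office  :", scenario("10.10.10.20"))
    print("off network:", scenario("203.0.113.5"))
    print("not enrolled yet, in office:", scenario("10.10.10.20", {"Password"}))
```

Running it shows the three outcomes the article walks through: from 10.10.10.20 the user matches <EP1> and Okta Verify satisfies the policy; from outside the zone the user falls back to the default policy, which allows neither Okta Verify nor WebAuthn, so the sign-in is denied with the System Log message; and a user in the office who has not yet enrolled is prompted to enroll in Okta Verify rather than denied. The same `evaluate_sign_in` call models the Hardware Protection conflict: an enrolled Okta Verify that is not in `hw_protected` is denied under a hardware-protected rule, which is why the article says such a user must enroll in a supported authenticator.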
