Attempts to create a new Okta user from Active Directory (AD) via Just-In-Time (JIT) provisioning fail during the initial login. When this occurs, Okta generates the following error message in the System Log:
VERIFICATION_ERROR
This issue typically occurs when the login identifier provided by the user does not match the specific format configured for the Okta username mapping in the AD integration settings.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory
- Just-In-Time (JIT) Provisioning
- Directories
The login attempt fails because the username provided does not match the value mapped to the Okta username. For example, if the Okta username format is set to the User Principal Name (UPN), but the user attempts to sign in using their sAMAccountName, Okta cannot verify the account for provisioning.
How is the JIT provisioning verification error resolved?
To resolve this error, confirm that the user provides the login credentials in the exact format defined in the Active Directory integration settings.
- Navigate to Directory > Directory Integrations in the Admin Console.
- Select the specific Active Directory instance.
- Select the Provisioning tab and navigate to the To Okta section.
- Locate the Okta username format setting to identify the required login format (for example, Email, UPN, or sAMAccountName).
- Instruct the user to sign in using the identified format.
NOTE: If a custom expression is currently in use, JIT provisioning utilizes the format of the last-saved standard option (such as UPN) that was selected before the custom expression was applied.
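The check a help desk would run for a VERIFICATION_ERROR, as an added example that is not Okta's own code: given the identifier the user typed, the user's AD attributes, and the configured Okta username format, it reports whether the login matches the mapped value and which format the user actually used. The AD attribute values, the function names and the `last_saved_standard` parameter are constructed for illustration; the fallback it implements is the custom-expression behaviour noted above.

```python
# Added example, not Okta's code: triage a failed JIT login against the
# "Okta username format" setting described above. The AD attribute values,
# function names and the "last_saved_standard" parameter are constructed.
STANDARD_FORMATS = ("Email", "UPN", "sAMAccountName")

# AD attribute that each standard Okta username format is mapped from.
AD_ATTRIBUTE_FOR_FORMAT = {
    "Email": "mail",
    "UPN": "userPrincipalName",
    "sAMAccountName": "sAMAccountName",
}

def effective_format(configured, last_saved_standard=None):
    """Resolve the format JIT actually uses: a custom expression does not drive
    JIT, the last-saved standard option does; anything else is treated as custom."""
    if configured in STANDARD_FORMATS:
        return configured
    if last_saved_standard in STANDARD_FORMATS:
        return last_saved_standard
    raise ValueError("custom expression in use; last-saved standard option unknown")

def normalize(value):
    """AD logins are case-insensitive; drop a DOMAIN\\ prefix if one was typed."""
    v = value.strip()
    if "\\" in v:
        v = v.split("\\", 1)[1]
    return v.casefold()

def triage_jit_login(login, ad_user, configured, last_saved_standard=None):
    """Report whether `login` matches the value mapped to the Okta username.

    login   : identifier typed at the sign-in page
    ad_user : the user's AD attributes (mail, userPrincipalName, sAMAccountName)
    """
    fmt = effective_format(configured, last_saved_standard)
    expected = ad_user[AD_ATTRIBUTE_FOR_FORMAT[fmt]]
    used = [f for f, attr in AD_ATTRIBUTE_FOR_FORMAT.items()
            if normalize(ad_user.get(attr, "")) == normalize(login)]
    return {
        "matches": normalize(login) == normalize(expected),
        "required_format": fmt,
        "format_used": ", ".join(used) or "unknown",
        "sign_in_with": expected,
    }

if __name__ == "__main__":
    # Constructed sample AD user in a UPN-mapped tenant who typed the sAMAccountName.
    user = {"mail": "jdoe@example.com", "userPrincipalName": "jdoe@corp.example.com",
            "sAMAccountName": "jdoe"}
    print(triage_jit_login("jdoe", user, "UPN"))
```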
