This article aims to clarify why users are getting an error when authenticating with an external Identity Provider (IdP):
FAILURE: Account link of incoming subject to user denied due to group membership restriction
- Okta Identity Engine (OIE)
- Security Assertion Markup Language (SAML) App Authentication
- Group Membership
- Identity Provider (IdP)
When users sign in to Okta accounts using an external IdP account, they might see the above error. That is because users can sign in with multiple IdPs, and certain configurations require Okta to link incoming profiles to a single Okta user.
To resolve the issue, automatically link external IdP accounts to Okta accounts when users sign in with those IdPs.
- For SAML, Okta recommends enabling Account matching with a Persistent Name ID to provide a more secure link for the user. If choosing not to select this setting, set Account Link Policy to Enable automatic linking.
Toggle the Account Link Policy to automatic:
- If the Account Link Policy is enabled, it may indicate a preference to restrict linking to specified user groups.
- Account Link Policy > Enable automatic linking > select this option for Okta to automatically link the user's IdP account with a matching Okta account.
When the Account Link Policy is set to Enable automatic linking, Okta searches the Universal Directory for a user's profile to link. The user profile is found when the IdP username value passed by the IdP matches the Match Against value. This option enables the Auto-Link filters, which can prevent the link from being created under the specified conditions.
