Authentication fails when users attempt to sign in to Okta via an Apple Social Identity Provider (IdP). Upon redirection to Okta after a successful Apple authentication, the following error flashes on the screen before returning the user to the sign-in page:
There was a problem signing you into your identity provider. Please contact your administrator for help.
Inspection of network calls in the browser developer console reveals the following error in the callback to Okta:
error: jit_failure_missing_fields
error_description: Unable to create the user. The following required properties are missing: ''firstName','lastName''.
- Account Federation
- Apple Social Identity Provider (IdP)
The user granted consent to Okta during a prior sign-in attempt, but the account either failed to federate or was later deleted. Apple returns the user object containing firstName and lastName only the first time a user consents to the application. On that first consent, the callback posted to Okta carries the following fields:
state: VnJCbFo...
code: c29e4...
user: {"name":{"firstName":"Igor","middleName":"","lastName":"Dean"},"email":"igor.dean@okta.com"}
The information under user is used to create the Okta account.
If the Okta account is deleted, or the initial Just-In-Time (JIT) provisioning fails, every later callback omits the user object. Okta then has no firstName or lastName to populate the required profile attributes, and account creation fails with the error shown above.
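As an added example (not Okta or Apple code), the Python below mirrors the behaviour described above: it decodes Apple's form_post callback and applies the same firstName/lastName requirement, so the first-consent callback provisions a profile while a repeat sign-in without the user field fails with jit_failure_missing_fields. The two callback bodies and the placeholder state and code values are constructed; the field names state, code and user are the ones shown in the callback above.

```python
"""Decode a Sign in with Apple form_post callback and apply the profile
check that Okta's JIT provisioning performs on it.

Added example for this article; it is not Okta or Apple code. The callback
bodies and the placeholder state/code values are constructed."""
import json
from urllib.parse import parse_qs, urlencode

# Okta's default JIT profile mapping requires both of these.
REQUIRED_PROFILE_FIELDS = ("firstName", "lastName")

# Constructed: the callback Apple sends the FIRST time this user consents.
# Only this callback carries the `user` field (compact JSON, as in the article).
FIRST_CONSENT_BODY = urlencode({
    "state": "opaque-state-placeholder",
    "code": "authorization-code-placeholder",
    "user": json.dumps(
        {"name": {"firstName": "Igor", "middleName": "", "lastName": "Dean"},
         "email": "igor.dean@okta.com"},
        separators=(",", ":"),
    ),
})

# Constructed: every later sign-in. Same state/code shape, but no `user`
# field, so nothing in the callback can satisfy firstName/lastName.
REPEAT_SIGNIN_BODY = urlencode({
    "state": "opaque-state-placeholder",
    "code": "authorization-code-placeholder",
})


def parse_apple_callback(body: str) -> dict:
    """Decode the application/x-www-form-urlencoded POST body Apple delivers
    to the redirect URI. `user` is returned as a dict when present, else None."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    user_raw = fields.get("user")
    return {
        "state": fields.get("state"),
        "code": fields.get("code"),
        "user": json.loads(user_raw) if user_raw else None,
    }


def jit_profile_from_callback(callback: dict) -> dict:
    """Build the Okta profile from the `user` object, mirroring the article's
    JIT behaviour: missing firstName/lastName produces the same error code
    the browser console shows, plus the remediation the article prescribes."""
    user = callback.get("user") or {}
    name = user.get("name") or {}
    profile = {
        "firstName": name.get("firstName") or None,
        "lastName": name.get("lastName") or None,
        "email": user.get("email") or None,
    }
    missing = [field for field in REQUIRED_PROFILE_FIELDS if not profile[field]]
    if missing:
        return {
            "ok": False,
            "error": "jit_failure_missing_fields",
            "missing": missing,
            # Apple will not resend the profile until the user revokes the
            # app under appleid.apple.com > Sign in with Apple and consents again.
            "remediation": "revoke Sign in with Apple consent for the app, then sign in again",
        }
    return {"ok": True, "profile": profile}


if __name__ == "__main__":
    for label, body in (("first consent", FIRST_CONSENT_BODY),
                        ("repeat sign-in", REPEAT_SIGNIN_BODY)):
        print(label, "->", jit_profile_from_callback(parse_apple_callback(body)))
```

Running the module prints a provisioned profile for the first-consent body and the missing-fields failure for the repeat body. The point for an operator is that the second outcome is not recoverable on the Okta side alone: the profile data is simply not in the callback, which is why the fix below is performed in the user's Apple ID settings.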
To resolve the missing field error, the user must revoke the existing consent in their Apple ID settings so that Apple treats the next sign-in as a first consent and returns the profile data again.
- Go to appleid.apple.com.
- Select the Sign In and Security tab.
- Select Sign in with Apple.
- Click the corresponding application for the Okta trust.
- Click Stop using sign in with Apple.
- Initiate the Okta sign-in process again to provide fresh consent.
