Subsequent Inbound SAML Login Attempts Fail Following an Initial Successful Login
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview
When using inbound SAML for authentication, users might encounter an issue where the initial login is successful, but subsequent login attempts fail, resulting in the following error:

400: Bad Request
Error Code: GENERAL_NONSUCCESS

In addition to the error shown in the User Interface (UI), the following failures will be seen in the System Log:

  • Create okta user
    FAILURE: ErrorMessage with the following validation errors: login field failed validation with value 'user@example.com': An object with this field already exists in the current organization.

  • Authenticate user via IDP
    FAILURE: Unable To JIT

Applies To
  • Single Sign-On
  • Inbound SAML
  • External SAML Identity Provider (IdP)
Cause

The user's IdP account has not been linked with a matching Okta account.

Solution

Enable Account matching with Persistent Name ID to link a user's IdP account with the matching Okta account; this is the security best practice, because the match is made on a stable, opaque identifier rather than on a mutable attribute such as the login.

  1. In the Okta Admin Console, navigate to Security > Identity Providers.
  2. Select the desired Identity Provider.
  3. Go to Actions > Configure Identity Provider.
  4. Click Edit and enable the option Use Persistent Name ID (Higher Security) under Authentication Settings > Account matching with Persistent Name ID.

NOTE: The incoming SAML assertion must use the following Name ID format:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

The Name ID format is configured by the IdP. If assistance is needed with modifying the Name ID format, please reach out to the IdP.
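Before enabling the option above, it helps to confirm that the IdP is actually sending a persistent Name ID, since the match will not work otherwise. The script below is an added example, not Okta's code or part of this article: it parses a SAML 2.0 Response, reads the Subject/NameID Format attribute, and reports whether it is the persistent format. The sample Responses are constructed inline; the issuer URL and NameID values are placeholders, and the absence of a Format attribute is treated as the SAML 2.0 default of `unspecified`.

```python
"""Check whether a SAML 2.0 assertion carries a persistent NameID.

Added example, not Okta's code. The Response XML below is constructed
for illustration; issuer and NameID values are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Default when the Format attribute is absent (SAML 2.0 Core, section 8.3).
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def name_id_info(response_xml: str) -> dict:
    """Return the NameID value and Format from the first Assertion.

    Accepts either a bare <Assertion> or a <Response> wrapping one.
    Raises ValueError if no Subject/NameID is present.
    """
    root = ET.fromstring(response_xml)
    assertion_tag = f"{{{NS['saml']}}}Assertion"
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no Subject/NameID in Assertion")
    return {
        "value": (name_id.text or "").strip(),
        "format": name_id.get("Format", UNSPECIFIED),
    }


def check_persistent_name_id(response_xml: str) -> tuple:
    """Return (ok, reason): ok is True only if the NameID uses the persistent
    format required for Account matching with Persistent Name ID."""
    try:
        info = name_id_info(response_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, f"cannot read NameID: {exc}"
    if info["format"] != PERSISTENT:
        return False, (f"NameID format is {info['format']}; "
                       f"the IdP must send {PERSISTENT}")
    if not info["value"]:
        return False, "NameID is empty"
    return True, f"persistent NameID present: {info['value']}"


def _response(name_id_fmt_attr: str, value: str) -> str:
    # Constructed sample Response; not a capture from a real IdP.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID{name_id_fmt_attr}>{value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Three constructed cases: the format Okta requires, an email-address
# NameID (a common misconfiguration), and a NameID with no Format at all.
GOOD_RESPONSE = _response(f' Format="{PERSISTENT}"', "a1b2c3d4-opaque-id")
EMAIL_RESPONSE = _response(
    ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"',
    "user@example.com")
NO_FORMAT_RESPONSE = _response("", "user@example.com")

if __name__ == "__main__":
    cases = [("persistent", GOOD_RESPONSE), ("email", EMAIL_RESPONSE),
             ("no Format", NO_FORMAT_RESPONSE)]
    for label, xml in cases:
        ok, reason = check_persistent_name_id(xml)
        print(f"{label:10} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

To use it against a real login, paste the base64-decoded SAMLResponse captured from the browser (for example via a SAML tracer extension) into `check_persistent_name_id`. Only the Format attribute and value are inspected; the script does not validate the signature, so it is a configuration check, not a trust decision.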
