When an external IdP is configured in Okta and a user authenticates through that IdP, the user may be redirected to the following error page:
400: Bad Request Error Code: GENERAL_NONSUCCESS
The following failure can be seen in the System Log whenever a user tries to authenticate via the IdP:
Authenticate user via IDP FAILURE: Unable to transform email to username
- Inbound SSO
- External IdP
- Authenticate user via IDP
- Single Sign-On (SSO)
- Identity Provider (IdP)
- Security Assertion Markup Language (SAML)
This can be caused by selecting an attribute (for example "email") as the desired IdP username format when the SAML assertion contains no attribute statement of that name, or the attribute's value is blank.
The IdP username needs to be changed from the external IdP that you have configured in Okta:
In the Okta admin dashboard, navigate to Security > Identity Providers > Configure Identity Provider > Edit General Settings. Under Account matching with IdP Username, change the IdP username to match against the following format: idpuser.subjectNameId.
Since most assertions include the NameID, authentication will succeed as long as the IdP sends the correct attribute statement in the SAML assertion.
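To see why the "email" format fails while idpuser.subjectNameId succeeds, the following added example (not Okta's code) parses a constructed SAML 2.0 assertion that carries a NameID but a blank "email" attribute, then resolves the IdP username the way the Account matching setting does. It assumes attribute statements are addressed as idpuser.<AttributeName>; paste a decoded assertion from a SAML tracer into SAMPLE_ASSERTION to check your own IdP.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: NameID is present, "email" attribute is blank,
# which is exactly the condition that produces "Unable to transform email to username".
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue></saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text):
    """Return (subject NameID, {attribute Name: first value}) from a decoded assertion."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml2:Subject/saml2:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value_el = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = (value_el.text or "").strip() if value_el is not None else ""
    return name_id, attrs


def resolve_idp_username(expression, name_id, attrs):
    """Mimic the IdP Username transform (assumed syntax: idpuser.subjectNameId or idpuser.<Name>).

    Returns None when the chosen source is missing or blank, i.e. the transform fails.
    """
    if expression == "idpuser.subjectNameId":
        return name_id or None
    if expression.startswith("idpuser."):
        return attrs.get(expression[len("idpuser."):]) or None
    raise ValueError(f"unsupported IdP username expression: {expression}")


def diagnose(xml_text, candidates=("idpuser.email", "idpuser.subjectNameId")):
    """Report which candidate expressions would yield a username for this assertion."""
    name_id, attrs = parse_assertion(xml_text)
    return {expr: resolve_idp_username(expr, name_id, attrs) for expr in candidates}


if __name__ == "__main__":
    for expr, result in diagnose(SAMPLE_ASSERTION).items():
        print(f"{expr}: {'FAILURE (missing/blank)' if result is None else result}")
```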
