
Single Sign-On

    • Mihai N. (Okta, Inc.)

      Hi @TimothyH.00153 (Customer), Thank you for reaching out to the Okta Community!

       

      If only one user has the problem, it's most likely an environmental issue.  

      Check to see if this happens via incognito or other browser. See if clear cache/cookies helps. 

      See if they perhaps use some wrongfully copy/pasted URL that might have a redirect/fromURL in it.

      If that does not help, and if it's a SAML app, try checking with SAML Tracer to see what happens during authentication. 

      I'm not expecting the Okta System Logs to show anything (but you can check them), as they don't track a successful authentication on the third-party app side (that would be for the app side to confirm), so the syslogs would just show "successful" once the user clicks on the app icon in the Okta Dashboard and is sent to the app website.

       

       

      Regards.


  1. Subject: Set NameID to EmailAddress while logging in with Unique ID

     

    Issue: Our system requires the NameID attribute to be populated with the user’s email address. However, users must authenticate using their Unique ID.

     

    Question: How can we configure Okta to use the Unique ID for login but return the email address in the NameID field?

     

    ========== MY SAML EXAMPLE RECEIVING FROM OKTA =======

    NOTE: See the NameID value below (123456789): we need their email address and still allow the user to login using their Unique Id.

    ...
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">123456789</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="123"
              NotOnOrAfter="2026-01-06T19:37:26.484Z"
              Recipient="https://authn.test.com/sso/saml/acs/test" />
          </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2026-01-06T19:27:26.484Z"
          NotOnOrAfter="2026-01-06T19:37:26.484Z"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:AudienceRestriction>
            <saml2:Audience>urn:test:sso:saml:test</saml2:Audience>
          </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2026-01-06T13:26:48.304Z"
          SessionIndex="asd"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
          </saml2:AuthnContext>
        </saml2:AuthnStatement>
      </saml2:Assertion>
    </saml2p:Response>


    • paul.stiniguta (Okta, Inc.)

      Hello @HyunK.48263 (Customer), Thank you for posting on our Community page!

       

      If I understood the question correctly, you are looking to use the Unique ID for Okta authentication and the Email attribute for application authentication.

      If the above is correct, then this can be done, as the Okta login and the app login do not have to be the same value. For the app login you can set up the desired value from the App Sign On page, and you can set it to whatever value you want.

       

      Thank you for reaching out to our Community and have a great day!

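As an added example (not code from the post or from Okta), here is the check a service provider should run on the Subject of an assertion like the one in the question before trusting it: it parses the post's sample Subject and Conditions (re-wrapped in a minimal Assertion, keeping the post's placeholder values), flags a NameID whose Format claims emailAddress while its value is not an email address, and runs the Recipient, Audience and validity-window checks that belong beside it. The expected Audience and ACS URL are taken from the post's sample.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the Subject and Conditions from the post, wrapped in a
# minimal Assertion so it parses; the placeholder values are the post's own.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">123456789</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="123" NotOnOrAfter="2026-01-06T19:37:26.484Z"
        Recipient="https://authn.test.com/sso/saml/acs/test"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2026-01-06T19:27:26.484Z" NotOnOrAfter="2026-01-06T19:37:26.484Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>urn:test:sso:saml:test</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _parse_utc(stamp):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_subject(xml_text, expected_audience, expected_acs, now):
    """Return the findings an SP should raise before trusting the assertion's
    Subject; an empty list means the NameID is usable as an email address and
    the bearer Recipient, Audience and validity window match this SP."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    value = (name_id.text or "").strip()
    if name_id.get("Format") == EMAIL_FORMAT and not EMAIL_RE.match(value):
        findings.append(f"NameID declares emailAddress format but value is {value!r}")
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        findings.append("Recipient does not match this SP's ACS URL")
    audience = root.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if audience != expected_audience:
        findings.append("Audience does not match this SP's entity ID")
    cond = root.find("saml2:Conditions", NS)
    if not (_parse_utc(cond.get("NotBefore")) <= now < _parse_utc(cond.get("NotOnOrAfter"))):
        findings.append("assertion is outside its validity window")
    return findings
```

Run against the post's sample it reports only the NameID mismatch; once the application username in Okta is mapped to the email address, the same assertion passes cleanly.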

  2. Subject: Request for MFA Reset / Support Contact Needed

    Hi everyone,

    Could you please assist us by providing the contact details of your support team?

    We are still experiencing an issue with the Multi-Factor Authentication (MFA) and are currently unable to reach support because our access is completely blocked. We have our username and password, but no longer have access to the MFA device.

    Additionally, the person who originally set up the MFA no longer has access to the app or the key used to authenticate with Auth0. As a result, we cannot recover or validate the MFA on our side.

    Would it be possible to reset or reconfigure our MFA setup?

    Thank you in advance for your assistance.

    Best regards,

    Morgan Hanin


    • Mihai N. (Okta, Inc.)

      Hi @MorganH.19528 (Customer), Thank you for reaching out to the Okta Community!

       

      Please note that free trial/developer/integrator accounts are only recoverable via self-service, provided that you have configured the appropriate policies and backup accounts. You can also review the recovery process mentioned in this article.

      We strongly recommend configuring test users and groups to be used in conjunction with enrollment/authentication policies that would not apply to your admin accounts.  

       

      If you have a paid account with us please email us at community@okta.com from the address associated with the SuperAdmin and provide the Okta Org URL (ex. <companyName>.okta.com) and we can look into potentially opening a support ticket on your behalf. 

       

      If no paid developer or production account is available, the only option left is to sign up for a new free trial or integrator account with a new email and leverage those for testing.

      Beyond that, engaging our Okta Sales team to discuss the matter of acquiring Okta Support services would be the only option as it is unfortunately completely outside of the Okta Community Team's scope. 

       

       

       

      Regards.


  3. Hi,

     

    This is my first time posting so I'm not sure if this is the proper method to ask a question. I have a customer who wants to use Okta as an IdP with our software, and they want to use an Okta Tile.

     

    Our old SSO would take the URL and change ..../Saml2/Acs to /RfsMenu.aspx and then the Okta Tile would work.

     

    Our new SSO (which we call Auth Server) does not work with this solution. I know the new solution we use is different on the backend, but I'm not sure how to change how we set up okta to make the Okta Tiles work.

     

    Does anyone else have any ideas? Do I need to provide additional information?


    • DianaL.19788 (Customer Support Online Community and Social Care)

      Hello @JamesJ.02696 (Customer), thank you for contacting Okta Community.

       

      Is your app part of the OIN (Okta Integrated Network)? In other words, is it available in the App Catalog? If so, you may want to check in with our dedicated team at oin@okta.com.

       

      If it is not an OIN app, but a custom SAML app integration, I recommend that you open a Support ticket* (Customer Support Account ID number required) so one of our engineers can analyze it and provide in-depth troubleshooting. You could also provide more details in a ticket that shouldn’t be given here, as this is a public space.

      *Please note that opening a support ticket is a feature available only to paid accounts. If you do not have a paid account, but are interested in upgrading, you can contact our Sales team.

       

      Regards. 


  4. We have created an OpenID Connect app that uses Okta for SSO, but I'm confused about something. It seems to only be allowing Okta users from our org to sign in. We would like to allow any user with an Okta account to sign in, without having to make a prior arrangement with their org. Our app seems to be in Federation Broker Mode, which seems like it should allow this, but it is not working (when we try to log in with an account from another Okta org, we get a generic "unable to sign in" from Okta). The URL we are redirecting to is tied to our organization - could that be the problem? What else might be wrong here? It should be possible to have it work this way, correct?


  5. Hello Team,

     

    I see recently Okta enabled org2org encryption of SAML responses.

    https://support.okta.com/help/s/article/enabling-org2org-claims-sharing-encrypts-saml-responses-for-okta-org2org-applications?language=en_US

     

    I have a DEV instance in which I need the response to be cleartext, and it was fine until the above was applied centrally... now the response is ciphered/encrypted, which is unreadable in any devtool.

    Within the application the encryption was disabled already.

     

    Where in the Administration should I be able to disable the encryption of SAML responses?

     

    Thank you in advance.

     

    With warm regards,

    Rehan Mansury

    • RehanM.61700 (Customer)

      Thank you very much for this one, too, Paul.

      I will try that route with my team.

       

      You too have a great day!

  6. Dear Okta Support Team,

    We are currently evaluating Okta as our Identity Provider and implementing SSO using OIDC for a multi-tenant Spring Boot application.

    Our setup uses Federation Broker Mode to allow users to be auto-provisioned and access our application without manual assignment. The login flow works correctly — the user is able to enter credentials, pass MFA, and receive a successful authentication response.

    However, after login, the following error is displayed:

    "You are not allowed to access this app. To request access, contact an admin."


    • Mihai N. (Okta, Inc.)

      Hi @AmanP.50582 (Customer), Thank you for reaching out to the Okta Community!

       

      The issue might be related to your Authentication policies.  

      Go to Security > Authentication Policies in your Okta Admin Dashboard and check the policies that might apply to your app.

      You can check the Okta System logs - Filter by the user's name or ID, and look for events related to "Access Denied," "Authentication Policy," or "Authorization Policy." The logs will often provide a more specific reason for the denial. This might point you directly to the policy or rule that is blocking access.

      That being said, Spring Boot app configuration would be the purview of the DevSupport team. My advice would be to reach out via devforum.okta.com to take advantage of their expertise and go over possible causes.

      While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work). 

       

       

      Regards.


  7. Hello Team,

     

    When a user logs into the Company Portal, he is unable to jump to the Okta sso account authentication page or the page suggests that your version of OneDrive is not supported and a cookie is required.

    After downloading the latest OneDrive and installing it, and checking the cookie enable status, he still can't jump to the login interface.

     

