Okta Classic Engine | Authentication | Answered | 2025-09-13T09:01:51.000Z | 2023-03-01T19:51:53.000Z | 2023-03-02T10:21:11.000Z

SteveM.58178 (Customer) asked a question.

Is it possible to set up users to "Active" with no password for sole usage with a SAML IdP?

We have an application configured to authenticate via SAML IdP. We understand that users must be in the Okta "Active" state for the SAML flow to proceed through Okta to our connected application. Is there a way to create users and place them in an "Active" state but they don't have a password stored in Okta? I believe that delegated authentication is mostly an AD/LDAP thing. Is there any way to do this on a user? We are onboarding and activating users via APIs.


  • DonF.81354 (Customer)

    Hi! Do you have Active Directory anywhere in this mix? That is where Delegated Authentication would come into play and where Okta does not store the password, but rather delegates authentication to AD where the actual password is stored. Okta would only manage a hash in this scenario. If it is an Okta-mastered account, then Okta would store the password.

     

    As for a user where AD is not involved and the user is created via API, there are a couple of options. You could create the user with a password (like a temp default, etc.) of course; if you create without creds, the user will receive an activation email which they will set themselves afterwards. If you utilize the former, Okta warns that you should not send a one-time to the users, but rather it would be on you to communicate that password to them and have them log in with it for the first time.

     

    Creating the user with a password is typical of a user registration flow, creating the user without is typical of creating the user in the admin UI.

     

    Regardless, before the users can log in to use the integrated application, they must have a way to log in and presumably that would be a password (which in turn, would ensure they are "ACTIVE"). Would you mind elaborating more on the use case and what you are trying to achieve so we can help better provide a recommendation?

     

    At this point I would say that even if the account was "ACTIVE", if the user didn't have a password then they couldn't log in to utilize the app regardless, but I could be missing something. I hope this helps! Please do reply back with any questions or comments.

     

    Thanks! I hope that helps!!

  • a0n5s (a0n5s)

    Do you mean passwordless login for application?

This question is closed.