
User17116546701226642633 (Customer) asked a question.
Hello,
My organization is using the Okta SDK and Embedded SignIn Widget for Angular. The SignIn widget is initialized with the okta domain and app integration from our internal okta (example: okta domain - internal.okta.com, client ID - xyz123). Users are properly verified and have successful OAuth2 authorization codes and id tokens granted, which logs them into the app without issue. The problem is when a user from an external okta (example external.okta.com) uses the SignIn widget, the system logs on our internal okta show the error PASSWORD_BASED_ACCESS_DISALLOWED. This is after a successful OIDC access token, single sign on to app, and (this part I don't really understand) a "User logout from Okta" event.
I have seen the help center posts for this kind of error such as https://support.okta.com/help/s/question/0D51Y00007i8LEeSAM/failure-passwordbasedlogindisallowed?language=en_US
and
Both of these help center articles are either out of date or point to places that do not have the answers I am looking for.
The user resetting their password did not work. The user is authenticated via a SAML 2.0 IdP that links to their external okta URL. I have checked the routing rules, which state that a user with their email should use the proper SAML 2.0 IdP set for their okta.
This issue is particularly hard to test because we only have one Okta organization (not counting internal.oktapreview). Has anyone else encountered this issue, and how did you fix and test that this issue has been fixed?

Hi @User17116546701226642633 (Customer), thank you for reaching out to the Okta Community!
Based on what information I could gather, this is a problem with the login flow - as in - the user does something they should not, trying to log in to your side with username & password.
Similar post: https://devforum.okta.com/t/failure-password-based-login-disallowe/19436
KB Article: https://support.okta.com/help/s/article/Users-Created-By-JIT-Cannot-Perform-SelfService-Password-Reset?language=en_US
What you could try is looking in your Okta System Logs for a failed authentication attempt (for example, if JIT is involved, something like "user not found"). This might result in the user being redirected to your default Okta login page where, as expected, they would not be able to log in, and password reset would not apply as they would not have any passwords in your environment because authentication is SAML.
The Okta Community Questions forum isn't really meant for in-depth troubleshooting, so if you require assistance with a deep-dive into this, I recommend opening a case to work with one of my Support colleagues to get to the bottom of things.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
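As an added triage example (not code from the question, the answer, or Okta), the following Python groups exported System Log entries by session and lists what preceded each PASSWORD_BASED_ACCESS_DISALLOWED failure, so the "SSO success, logout, password failure" sequence the question describes becomes visible per user. The sample entries are constructed, and the field names it reads (eventType, outcome.reason, actor.alternateId, authenticationContext.externalSessionId) are assumed to match the JSON export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_REASON = "PASSWORD_BASED_ACCESS_DISALLOWED"

def _event(uuid, published, event_type, result, session, user, reason=None):
    """Build one constructed System Log entry with the assumed field names."""
    outcome = {"result": result}
    if reason:
        outcome["reason"] = reason
    return {"uuid": uuid, "published": published, "eventType": event_type,
            "outcome": outcome, "actor": {"alternateId": user},
            "authenticationContext": {"externalSessionId": session}}

# Constructed export: the sequence the question describes for an external user,
# plus an unrelated internal user whose password login simply succeeds.
SAMPLE_LOG = json.dumps([
    _event("e1", "2024-03-01T10:00:00.000Z", "user.authentication.sso", "SUCCESS", "sess-1", "alice@external.example"),
    _event("e2", "2024-03-01T10:00:05.000Z", "user.session.end", "SUCCESS", "sess-1", "alice@external.example"),
    _event("e3", "2024-03-01T10:00:07.000Z", "user.session.start", "FAILURE", "sess-1", "alice@external.example", FAILURE_REASON),
    _event("e4", "2024-03-01T10:01:00.000Z", "user.session.start", "SUCCESS", "sess-2", "bob@internal.example"),
])

def _ts(published):
    # System Log timestamps are ISO 8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(published.replace("Z", "+00:00"))

def failure_chains(raw_json, window_seconds=60):
    """For each PASSWORD_BASED_ACCESS_DISALLOWED failure, return the events that
    preceded it in the same session within window_seconds (oldest first)."""
    events = sorted(json.loads(raw_json), key=lambda e: _ts(e["published"]))
    by_session = defaultdict(list)
    for e in events:
        ctx = e.get("authenticationContext") or {}
        # Fall back to the user id when an entry carries no session id.
        by_session[ctx.get("externalSessionId") or e["actor"]["alternateId"]].append(e)
    chains = []
    window = timedelta(seconds=window_seconds)
    for session, evs in by_session.items():
        for i, e in enumerate(evs):
            if e["outcome"].get("reason") != FAILURE_REASON:
                continue
            preceding = [p for p in evs[:i] if _ts(e["published"]) - _ts(p["published"]) <= window]
            chains.append({"user": e["actor"]["alternateId"], "session": session,
                           "failure_uuid": e["uuid"],
                           "preceding": [(p["eventType"], p["outcome"]["result"]) for p in preceding]})
    return chains
```

Run it against a real export (a JSON array from the System Log API or the admin console) to see, per session, whether the failure follows a SAML success and a session end, which is the pattern the question reports.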