
User15746550966887064012 (BHyve) asked a question.
We have set up a SAML IDP and it has been working great for 3 years now. But suddenly our users started getting Okta 400. We updated to a new certificate and it is still showing the same. Looking at the logs, they only show Reason: VERIFICATION_ERROR and Result: FAILURE. I am not able to understand why this is happening or what is causing this issue. No setting has been changed from my end or the IDP end; just a new certificate (.PEM) was added because the old one had expired.

Hello @User15746550966887064012 (BHyve), thank you for posting on our Community page!
Was the certificate changed on both sides, Okta and the IDP? In the system log, if you expand the Failure log, you should have the reason for the failure and it should be under the "errorMessage" line.
If it says "The digital signature in the SAML response did not validate ..." then that means that the certificate on one of the sides has not been properly updated.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
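A quick way to test the "certificate on one of the sides has not been properly updated" hypothesis from the reply above is to compare the X.509 certificate the IdP actually embeds in its signed SAMLResponse against the PEM that was uploaded on the Okta side. The script below is an added example written for this thread, not code from Okta or from the poster; it takes a base64 SAMLResponse (as captured from the browser POST to the Okta ACS URL), pulls every ds:X509Certificate out of the Signature/KeyInfo blocks, and compares SHA-256 fingerprints against the configured PEM. The certificates and the SAMLResponse in it are constructed placeholders (the "DER" is just labelled bytes), so only the fingerprint comparison logic is real; it does not verify the XML signature itself.

```python
"""Does the certificate in a captured SAMLResponse match the PEM configured in Okta?
Added example for the thread above; placeholders are constructed, not real certs."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def signing_certs_in_response(saml_response_xml: str) -> list:
    """Every ds:X509Certificate in the Response (Response-level and/or Assertion-level signature)."""
    root = ET.fromstring(saml_response_xml)
    certs = []
    for el in root.iter("{%s}X509Certificate" % DS_NS):
        certs.append(base64.b64decode("".join((el.text or "").split())))
    return certs


def check_signing_cert(saml_response_b64: str, configured_pem: str) -> dict:
    """Compare the cert(s) the IdP presented with the cert Okta has on file."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    configured_fp = sha256_fingerprint(pem_to_der(configured_pem))
    presented = [sha256_fingerprint(d) for d in signing_certs_in_response(xml_text)]
    if not presented:
        verdict = "no X509Certificate in response; compare against the IdP metadata instead"
    elif configured_fp in presented:
        verdict = "configured cert matches the signing cert in the response"
    else:
        verdict = "MISMATCH: the IdP signed with a cert Okta does not have"
    return {"configured": configured_fp, "presented": presented,
            "match": configured_fp in presented, "verdict": verdict}


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def encode_response(xml_text: str) -> str:
    return base64.b64encode(xml_text.encode("utf-8")).decode()


# Constructed placeholders standing in for real DER certificates: only the
# bytes-to-fingerprint mapping matters for this check, not certificate contents.
OLD_CERT_DER = b"constructed-placeholder-for-expired-adfs-signing-cert-DER"
NEW_CERT_DER = b"constructed-placeholder-for-renewed-adfs-signing-cert-DER"
OLD_PEM = to_pem(OLD_CERT_DER)
NEW_PEM = to_pem(NEW_CERT_DER)

# Constructed minimal SAMLResponse whose Assertion carries the NEW cert in KeyInfo.
# Issuer URL and IDs are hypothetical; SignatureValue is a dummy.
SAML_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="{DS_NS}">
      <ds:SignedInfo/>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(NEW_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
SAML_RESPONSE_B64 = encode_response(SAML_RESPONSE_XML)
# Same response with KeyInfo stripped: some IdPs omit the cert, so the check must say so.
SAML_RESPONSE_NO_KEYINFO_B64 = encode_response(
    re.sub(r"<ds:KeyInfo>.*?</ds:KeyInfo>", "", SAML_RESPONSE_XML, flags=re.S))

if __name__ == "__main__":
    for label, pem in (("old cert still configured", OLD_PEM), ("new cert configured", NEW_PEM)):
        print(label, "->", check_signing_cert(SAML_RESPONSE_B64, pem)["verdict"])
    print("no KeyInfo ->", check_signing_cert(SAML_RESPONSE_NO_KEYINFO_B64, NEW_PEM)["verdict"])
```

To use it against a real federation, paste the SAMLResponse form field from the browser's network capture in place of SAML_RESPONSE_B64 and the PEM uploaded in Okta in place of NEW_PEM. A MISMATCH here points at the certificate, which is what the "digital signature ... did not validate" errorMessage would say; a match means the remaining suspects are the signature itself, clock skew, or the assertion contents, and those are not visible from a bare VERIFICATION_ERROR.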
Hello @Paul S. (Okta, Inc.), yes, the certificates were exchanged. It was working great for 2 years straight. The IDP certificate had expired, so our client sent us a new ADFS certificate in PEM format and I added that. Still the issue persists. And the error message this time does not specify whether the issue is the certificate or something else.
I just see this:
{
  "actor": {
    "id": "unknown",
    "type": "User",
    "alternateId": "<user_email_id>",
    "displayName": "unknown",
    "detailEntry": null
  },
  "client": {
    "userAgent": {
      "rawUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
      "os": "Windows 10",
      "browser": "CHROME"
    },
    "zone": "null",
    "device": "Computer",
    "id": null,
    "ipAddress": "14.140.25.35",
    "geographicalContext": {
      "city": "Mumbai",
      "state": "Maharashtra",
      "country": "India",
      "postalCode": "<code>",
      "geolocation": {
        "lat": <lat>,
        "lon": <lon>
      }
    }
  },
  "device": null,
  "authenticationContext": {
    "authenticationProvider": null,
    "credentialProvider": null,
    "credentialType": null,
    "issuer": null,
    "interface": null,
    "authenticationStep": 0,
    "rootSessionId": "unknown",
    "externalSessionId": "unknown"
  },
  "displayMessage": "User login to Okta",
  "eventType": "user.session.start",
  "outcome": {
    "result": "FAILURE",
    "reason": "VERIFICATION_ERROR"
  },
  "published": "2024-09-30T13:14:55.849Z",
  "securityContext": {
    "asNumber": 4755,
    "asOrg": "internet service provider",
    "isp": "tata communications",
    "domain": "vsnl.net.in",
    "isProxy": false
  },
  "severity": "INFO",
  "debugContext": {
    "debugData": {
      "loginResult": "VERIFICATION_ERROR",
      "deviceFingerprint": "b941cb7e8230d4f09f21e61d972a491c",
      "oktaUserAgentExtended": "okta-auth-js/7.8.0 okta-signin-widget-7.23.1",
      "requestId": "cb80b27d3c7763b6262077bab8ce2cd6",
      "dtHash": "fc54d1afe2d1e3b8732e8254ecf06b35faf5e064fe9b64b51260e7a3752f9623",
      "requestUri": "/api/v1/authn",
      "threatSuspected": "false",
      "url": "/api/v1/authn?"
    }
  },
  "legacyEventType": "core.user_auth.login_failed",
  "transaction": {
    "type": "WEB",
    "id": "cb80b27d3c7763b6262077bab8ce2cd6",
    "detail": {}
  },
  "uuid": "fc833e6d-7f2d-11ef-80e9-e557217d6e3f",
  "version": "0",
  "request": {
    "ipChain": [
      {
        "ip": "<ip>",
        "geographicalContext": {
          "city": "Mumbai",
          "state": "Maharashtra",
          "country": "India",
          "postalCode": "<code>",
          "geolocation": {
            "lat": <lat>,
            "lon": <lon>
          }
        },
        "version": "V4",
        "source": null
      }
    ]
  },
  "target": null
}
The error message is not specific enough for me to understand the reason for the bad request.
Can you help, please?
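When a single System Log record looks like the one posted above (outcome.reason VERIFICATION_ERROR and no errorMessage under debugData), the useful next step is to pull every failed user.session.start event for the window and sort them by whether they carry an errorMessage at all, since only the records that do will name the SAML signature problem. The script below is an added example for this thread, not Okta's code or the poster's; the event shape follows the record above, the three sample events are constructed, the okta_domain value is hypothetical, and the only real API detail used is the System Log endpoint /api/v1/logs with its since and filter parameters.

```python
"""Triage Okta System Log sign-in failures: which records carry an errorMessage,
and which of those are the SAML signature failure.  Added example; sample events
are constructed to match the record shape posted in the thread."""
from urllib.parse import quote, urlencode

# Okta quotes this message prefix for a signing-certificate mismatch; the rest is elided on the page.
SIGNATURE_FAILURE_PREFIX = "The digital signature in the SAML response did not validate"


def system_log_url(okta_domain: str, since_iso: str) -> str:
    """GET URL for the System Log API, filtered to failed Okta sign-ins since a timestamp."""
    params = {
        "since": since_iso,
        "filter": 'eventType eq "user.session.start" and outcome.result eq "FAILURE"',
        "limit": "200",
    }
    # quote_via=quote gives %20 rather than + for spaces inside the filter expression.
    return f"https://{okta_domain}/api/v1/logs?" + urlencode(params, quote_via=quote)


def triage(events: list) -> list:
    """One row per failed sign-in: who, outcome reason, requestId, and a diagnosis."""
    rows = []
    for ev in events:
        outcome = ev.get("outcome") or {}
        debug = (ev.get("debugContext") or {}).get("debugData") or {}
        msg = debug.get("errorMessage")
        if msg and msg.startswith(SIGNATURE_FAILURE_PREFIX):
            diagnosis = "SAML signature failed: IdP signing cert not updated on one side"
        elif msg:
            diagnosis = "see errorMessage"
        else:
            diagnosis = "no errorMessage in debugData; open a Support case with requestId"
        rows.append({
            "published": ev.get("published"),
            "user": (ev.get("actor") or {}).get("alternateId"),
            "reason": outcome.get("reason"),
            "requestId": debug.get("requestId"),
            "errorMessage": msg,
            "diagnosis": diagnosis,
        })
    return rows


def summarize(rows: list) -> dict:
    """Count rows per diagnosis so a flood of failures reduces to a few buckets."""
    counts = {}
    for r in rows:
        counts[r["diagnosis"]] = counts.get(r["diagnosis"], 0) + 1
    return counts


# Constructed sample events (trimmed to the fields triage() reads).
SAMPLE_EVENTS = [
    {   # same shape as the record in the thread: reason only, no errorMessage
        "published": "2024-09-30T13:14:55.849Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "user1@example.test"},
        "outcome": {"result": "FAILURE", "reason": "VERIFICATION_ERROR"},
        "debugContext": {"debugData": {"loginResult": "VERIFICATION_ERROR",
                                       "requestId": "cb80b27d3c7763b6262077bab8ce2cd6"}},
    },
    {   # constructed: the record Paul's reply says to look for
        "published": "2024-09-30T13:15:02.000Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "user2@example.test"},
        "outcome": {"result": "FAILURE", "reason": "VERIFICATION_ERROR"},
        "debugContext": {"debugData": {"requestId": "constructed-request-id-2",
                                       "errorMessage": SIGNATURE_FAILURE_PREFIX}},
    },
    {   # constructed: some other failure that does carry a message
        "published": "2024-09-30T13:16:10.000Z",
        "eventType": "user.session.start",
        "actor": {"alternateId": "user3@example.test"},
        "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
        "debugContext": {"debugData": {"requestId": "constructed-request-id-3",
                                       "errorMessage": "constructed: unrelated failure message"}},
    },
]

if __name__ == "__main__":
    print(system_log_url("example.okta.com", "2024-09-30T00:00:00Z"))
    for row in triage(SAMPLE_EVENTS):
        print(row["published"], row["user"], row["reason"], "->", row["diagnosis"])
    print(summarize(triage(SAMPLE_EVENTS)))
```

In practice you would fetch system_log_url() with an SSWS API token (Authorization header) and feed the JSON array straight into triage(); the requestId column is what Support needs when, as in this thread, the record carries no errorMessage at all.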
Hello @User15746550966887064012 (BHyve), unfortunately these logs do not provide much information on what could cause this issue. I would recommend reaching out to Support, and they will be able to provide further assistance on this matter.