User assigned to a group which does not have access to an app should not be able to log in

We have set up user management with group functionality with 2 groups, likely “WEBUSER” (this group is for website users) & “APP USER” (this group is for Android app users).
When we try to log in to the WEBSITE with APP USER credentials, we get the error below.
Ideally, it should not be redirected, because the user is not valid to access it, and the login should fail with the message “invalid user”.
Please look at the attachment below.

I don’t see an attachment with your question, but if I understand correctly, you want people who are not authorized to access WEBSITE with APP USER credentials to receive an “Invalid User” error rather than an “Unauthorized” error.

You’re getting this error, of course, because Okta is (in my opinion) an identity management system, not an access entitlement system. When the identity is valid and the access is denied, the default message is correct: you’re not authorized for the application.

Your best way around this is to deploy your own custom error page for accessing this application, where you are able to customize the error message appropriately.

Sorry, missed the attachment.

This is an old question, but the correct answer is that SSO was not considered, and when I hit it I thought clarification was in order. Okta provides both authentication and authorization. SSO is based on the idea that once you are authenticated you don’t have to re-authenticate for every application you try to access. But that doesn’t mean you are allowed to access every application. If a workforce user tries to access applications through the dashboard, they won’t see applications they are not permitted to use. If workforce or customer users start with a URL to the app, the app doesn’t know, so it sends the user to Okta for authentication and/or authorization. Authorization happens after authentication because of SSO, so if you are not allowed access, Okta denies access but you are still authenticated. This is intentional; it’s the only way that SSO can work.

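The two-phase flow described in that answer (authenticate once, then check app assignment per application) as an added Python model; this is illustrative code written for this thread, not Okta's implementation, and the users, passwords, groups and app names are constructed to mirror the question:

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample directory: two groups, two apps, one user in each group.
USERS = {
    "web.alice": {"password": "s3cret-web", "groups": {"WEBUSER"}},
    "app.bob":   {"password": "s3cret-app", "groups": {"APP USER"}},
}
# App assignment by group: which groups are entitled to which application.
APP_ASSIGNMENTS = {
    "WEBSITE": {"WEBUSER"},
    "ANDROID_APP": {"APP USER"},
}

@dataclass
class Session:
    """An SSO session: proof of authentication, reused across apps."""
    user: str
    apps_checked: list = field(default_factory=list)

def authenticate(username, password):
    """Step 1, identity check. Returns a session, or None for an invalid user."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    return Session(user=username)

def authorize(session, app):
    """Step 2, entitlement check: is any of the user's groups assigned to the app?"""
    session.apps_checked.append(app)
    return bool(USERS[session.user]["groups"] & APP_ASSIGNMENTS.get(app, set()))

def access_app(app, session=None, username=None, password=None):
    """Deep link into an app: authenticate only if no SSO session exists, then authorize.
    An existing session is never discarded just because this app denies access."""
    if session is None:
        session = authenticate(username, password)
        if session is None:
            return "INVALID_USER", None
    if not authorize(session, app):
        return "AUTHENTICATED_BUT_UNAUTHORIZED", session
    return "OK", session

def dashboard(session):
    """Dashboard view: only apps the authenticated user is assigned to are listed."""
    return sorted(app for app in APP_ASSIGNMENTS if authorize(session, app))
```

Running `access_app("WEBSITE", username="app.bob", password="s3cret-app")` yields the "authenticated but unauthorized" outcome from the question, while a bad password yields "INVALID_USER" with no session at all.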