Last Updated: Nov 13, 2024
Overview
We are trying to integrate an IDP-initiated login flow with Okta via SAML SSO.
We were able to do it in a different environment - though without the invitation to organization flow.
Now, when we try to do it with an invitation to an organization, we see the following error message:
{
"error": "access_denied",
"errorDescription": "the specified account is not allowed to accept the current invitation"
}
Applies To
- SAML SSO
- Organization invitation
Cause
The error is thrown when a user attempts to use an invitation ticket with a different email address from the one the invitation was sent to.
Solution
When using an Organization invitation, the user needs to log in to an IdP that returns the same email address attribute as the email address set on the invitation. If they are already using the correct account, then either the IdP is not sending the email address in its response to Auth0, or the attribute that carries the email address is not being mapped to the Auth0 profile’s email attribute.
In some cases, a SAML IdP may be sending the email as the NameID but not sending any other SAML attribute statements - in this case you can map the NameID to the email attribute in the SAML connection’s mapping settings:
{
"email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}
To check what the IdP is sending, debug mode can be enabled on the connection to add the SAML Response to the tenant log event for the login attempt. Alternatively, a HAR file can be captured from the end user to see the SAML response being returned to Auth0.
Once you can confirm how the email address is being sent by the IdP, you can then either modify your connection’s mappings, or request the IdP send the email attribute in its responses so you can then map it.
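The check described above (which attribute the IdP actually sends, how the connection mapping resolves it to the profile email, and whether that email matches the invitation) can be reproduced offline against a captured SAML Response. The following is an added example, not Auth0's code: it parses two constructed SAML Responses, applies a mapping in the same shape as the one shown in this article, and reports whether the resolved email would satisfy the invitation. The treatment of the `nameidentifier` claim URI as "use the NameID", the acceptance of a list of attribute names in a mapping, and the case-insensitive email comparison are this script's assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Claim URIs used in Auth0 SAML connection mappings (the first is the one
# shown in this article for mapping the NameID to email).
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the IdP sends the email only as the NameID and no
# AttributeStatement at all (the situation described in the article).
RESPONSE_NAMEID_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: opaque NameID plus an emailaddress attribute statement.
RESPONSE_WITH_ATTRIBUTE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1234</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>john.smith@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml: str) -> dict:
    """Collect what the IdP sent: the NameID (keyed by the nameidentifier claim URI)
    and every Attribute in the AttributeStatement, keyed by its Name."""
    root = ET.fromstring(response_xml)
    claims = {}
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.text:
        claims[NAMEID_CLAIM] = nameid.text.strip()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", NS)
        if name and value is not None and value.text:
            claims[name] = value.text.strip()
    return claims


def resolve_email(claims: dict, mappings: dict):
    """Apply a connection mapping of the form {"email": "<attribute name>"}.
    Assumption: a list of names means try each in order, first hit wins."""
    sources = mappings.get("email")
    if sources is None:
        return None
    if isinstance(sources, str):
        sources = [sources]
    for source in sources:
        if source in claims:
            return claims[source]
    return None


def check_invitation(response_xml: str, mappings: dict, invited_email: str):
    """Return (status, resolved_email): 'no_email' when the mapping resolves nothing,
    'email_mismatch' when it differs from the invitation, 'ok' otherwise.
    Comparison is case-insensitive here; that is this script's choice."""
    email = resolve_email(extract_claims(response_xml), mappings)
    if email is None:
        return ("no_email", None)
    if email.casefold() != invited_email.casefold():
        return ("email_mismatch", email)
    return ("ok", email)


if __name__ == "__main__":
    default_like = {"email": EMAIL_CLAIM}
    nameid_fix = {"email": NAMEID_CLAIM}
    print(check_invitation(RESPONSE_NAMEID_ONLY, default_like, "jane.doe@example.com"))
    print(check_invitation(RESPONSE_NAMEID_ONLY, nameid_fix, "jane.doe@example.com"))
    print(check_invitation(RESPONSE_WITH_ATTRIBUTE, default_like, "jane.doe@example.com"))
```

Run against the SAML Response taken from the tenant log (debug mode) or the HAR capture: a `no_email` result points at a missing attribute or a mapping that names the wrong attribute, while `email_mismatch` means the user authenticated with an account whose email does not match the invitation.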