Organization Invitation error: The specified account is not allowed to accept the current invitation

Problem statement

We are trying to integrate an IdP-initiated login flow with Okta via SAML SSO. We did this in a different environment, though without the Organization invitation flow. Now we are trying to do it with an invitation to an Organization, but we see the error:

specified account is not allowed to accept the current invitation

Symptoms

This is the error when trying to use an Organization invitation:

{
  "error": "access_denied",
  "errorDescription": "the specified account is not allowed to accept the current invitation"
}

Troubleshooting

  • Check the SAML connection configuration for the Organization
  • Check which email address was invited
  • Compare it with the SAML response, taken either from a HAR file or, if debug mode is enabled on the connection, from the tenant logs.

Cause

The error is thrown when a user attempts to use an invitation ticket with a different email than the one to which the invite was sent.

Solution

When using an Organization invitation, the user needs to log in to an IdP that returns the same email address attribute as the email address set on the invitation. If you are using the correct account, the IdP may not be sending the email address in its response to Auth0, or the attribute that carries the email address is not being mapped to the Auth0 profile’s email attribute.

In some cases, a SAML IdP may be sending the email as the NameID but not sending any other SAML attribute statements. In this case, you can map the NameID to the email attribute in the SAML connection’s mapping settings:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}

To check what the IdP sends, debug mode can be enabled on the connection to add the SAML Response to the tenant log event for the login attempt. Alternatively, a HAR file can be captured from the end user to see the SAML response being returned to Auth0.

Once you confirm how the email address is being sent by the IdP, you can either modify your connection’s mappings or request the IdP send the email attribute in its responses so you can then map it.
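
The comparison described in the troubleshooting steps can be scripted. The following is an added example, not Auth0 code: it decodes a captured SAMLResponse and reports whether the invited email arrives as an attribute, only as the NameID, or not at all. It assumes the value has already been URL-decoded from the HAR file or log entry; the function names, the list of email attribute names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names that commonly carry the email (assumption; adjust to your IdP).
EMAIL_ATTRS = {
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}


def diagnose_invitation(saml_response_b64, invited_email):
    """Say where, if anywhere, the SAML response carries the invited email.

    Diagnostic only: signatures are not verified, so use it on responses
    captured from your own tenant, never as an authentication check.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # Assumption: compare ignoring case and surrounding whitespace.
    invited = invited_email.strip().lower()
    name_id = root.findtext(".//saml:Subject/saml:NameID", "", NS).strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", "", NS).strip()
        if name in EMAIL_ATTRS:
            if value.lower() == invited:
                return f"ok: attribute {name!r} matches the invitation"
            return f"mismatch: attribute {name!r} carries {value!r}"
    if name_id.lower() == invited:
        return "nameid-only: map NameID to email in the connection mappings"
    return "missing: no email attribute, and NameID does not match"


def build_sample(name_id, attributes=""):
    """Constructed SAML response (not real IdP output), base64-encoded."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attributes}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # The NameID-only case described above: the IdP sends no attributes.
    print(diagnose_invitation(build_sample("jane@example.com"), "jane@example.com"))
```

A "nameid-only" result points to the NameID mapping shown above; "mismatch" or "missing" means the IdP is returning a different address or none, so the invited address or the IdP's attribute release needs to change.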