Here you can find troubleshooting solutions for some common provisioning issues for both a new appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. and an existing SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones.-enabled app.

From Dashboard > Tasks page, Okta displays any errors that occur in the provisioning process. The first half of the message is an Okta error message. The second half (following the semicolon) is the error code or message provided by the third-party service provider.

<Okta error message>: <third-party error message>

System logs can provide useful information surrounding an issue.


With Salesforce as the example app used in this guide, all of the error messages in this section are specific to Salesforce. However, the format of the error messages and the information they provide is the same across all applications.

Issue: Insufficient account permissions on the account used to setup the API config


ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. has failed. From the Dashboard > Tasks page in Okta, the following error is displayed: "Automatic provisioning of user John Doe to app failed: The credentials used to connect to the API were invalid; please check your configuration".

This could be due to the third-party adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. account reaching a password expiration, or the password was changed and not updated in Okta. It could even be that the third-party admin accounts username was changed or the account has been disabled.


Check that the third-party application admin account used to set up the provisioning function within Okta is still valid and can be used to log into the third-party application directly. If the account works, make sure to re-enter the account info into the Integration section of the Provisioning tab for your application in Okta. If the account does not log in, use another admin account (if applicable) to log into the third-party application and check on the admin account in question. Fix any issues found with that account (password reset, username changed, account expired) and then re-enter the updated information in the Provisioning configuration.

Issue: API config was successful, but the option to create, update, and deactivate users was not activated


Provisioning has failed. From the "Tasks" page (Dashboard > Tasks) in Okta, the following error is displayed: “Automatic provisioning of user John Doe to app failed: Matching user not found.”

This can happen with a very simple mistake where you enable the provisioning feature by setting up the Integration and saving it. But then forget to turn on the create, update, and deactivate users options. This error message lets you know that create users option is not on, as the error message is stating that it was unable to find a user in the salesforce application that matches this user, therefore it could not assign the application. If the Create user option is turned on, it would create a new user in Salesforce once it found no matching user existed, and assignment would succeed.


Ensure that in the Provisioning tab of your application, for the To App setting, you click Edit and enable Create Users, Update User Attributes, and Deactivate Users options.

Issue: Insufficient licensing


Provisioning has failed. From the "Tasks" page (Dashboard > Tasks) in Okta, the following error is displayed: “Automatic provisioning of user John Doe to app failed: License Limit Exceeded.”

This issue occurs when a user is assigned to an application and a role or licensing level has been granted that we have either run out of or do not possess.


Ensure that sufficient licensing exists prior to user assignment. If you do run into this issue, procure the required licensing and simply click Retry Selected on the "Tasks" page once the licensing issue has been fixed.