Resolve local login failures when the Okta plugin is active

Issue

Resolve an issue where users cannot log in to a ServiceNow instance using the local login prompt when the Okta plugin is active. Users receive a "Login Failed" error when attempting local authentication, even though their credentials are valid.

This issue occurs when all of the following conditions are true:

- The Okta plugin is installed and active on the instance.
- Okta is configured to provision users and synchronize their passwords in ServiceNow.
- User records are synchronized with their Active Directory passwords.
- Users are authenticating through the local instance login prompt rather than through Okta.

Symptoms

- Users can log in successfully through Okta — either directly from the Okta tenant or using the Okta login link on the instance login page.
- If users attempt to set the Okta External Login to inactive and then reactivate it, they receive the error: "Okta authentication configuration failed. Invalid token provided."

Release

All supported releases

Cause

The Okta API token expires 30 days after creation if it is not used. Okta renews the token automatically each time the application uses it, but if the token expires before it is renewed, ServiceNow loses the ability to validate the Okta connection. This causes local login to fail and prevents the Okta External Login configuration from being reactivated. Resetting the token forces the instance to revalidate the connection and resolves the issue.

Resolution

Create a new Okta API token and update the token in ServiceNow to restore the connection.

Part 1: Create a new API token in Okta

1. Log in to your Okta tenant as an Okta admin user.
2. If you are on the Applications home page, select the Admin link in the upper right corner of the page.
3. In the main navigation bar, go to Security > API.
4. Select Create Token.
5. Enter a name for the token and select Create Token.
6. Copy the token value and save it — this value is only shown once.

Part 2: Update the token in ServiceNow

1. Log in to your ServiceNow instance as an admin user.
2. Go to User Administration > SSO provided by Okta, Inc.
3. Paste the copied token into the Okta API token field.
4. Select Yes for Enable Okta external authentication.
5. Select Save.
6. Verify that the following confirmation message appears: "Okta authentication configured successfully."

After completing these steps, ask users to test local login to confirm the issue is resolved.

Related Links

PRB704082 related problem record
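
The 30-day idle expiry described under Cause can be caught before it breaks local login by checking token expiry dates on a schedule. The following is an added example, not part of the original article or of ServiceNow or Okta code: it classifies tokens from a saved token listing, and the field names (`name`, `lastUpdated`, `expiresAt`), the token names, and the 7-day warning threshold are assumptions, with constructed sample records.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for a saved Okta API token listing.
# Field names are assumed; confirm them against your tenant's actual output.
SAMPLE_TOKENS = json.loads("""
[
  {"name": "servicenow-sso", "lastUpdated": "2024-03-01T09:00:00.000Z", "expiresAt": "2024-03-31T09:00:00.000Z"},
  {"name": "hr-sync", "lastUpdated": "2024-04-08T12:30:00.000Z", "expiresAt": "2024-05-08T12:30:00.000Z"},
  {"name": "reporting", "lastUpdated": "2024-03-15T00:00:00.000Z", "expiresAt": "2024-04-14T00:00:00.000Z"},
  {"name": "no-expiry-field"}
]
""")


def parse_ts(value):
    """Parse a UTC timestamp of the form 2024-03-31T09:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def classify_tokens(tokens, now, warn_days=7):
    """Return {token name: (status, whole days left)}.

    status is "expired", "expiring" (within warn_days), "ok", or "unknown"
    when the record carries no expiry timestamp.
    """
    report = {}
    for tok in tokens:
        name = tok.get("name", "<unnamed>")
        expires_raw = tok.get("expiresAt")
        if not expires_raw:
            report[name] = ("unknown", None)
            continue
        remaining = parse_ts(expires_raw) - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report[name] = (status, remaining.days)
    return report


if __name__ == "__main__":
    now = datetime(2024, 4, 10, tzinfo=timezone.utc)  # fixed date so the sample run is repeatable
    for name, (status, days) in sorted(classify_tokens(SAMPLE_TOKENS, now).items()):
        print(f"{name:16} {status:9} days_left={days}")
```

A token reported as "expired" here corresponds to the state in which the instance shows "Invalid token provided." and needs the replacement procedure in Parts 1 and 2.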