Has anyone integrated OKTA with Salesforce for provisioning? My scenario is a bit different: the customer wants to manage access to Salesforce through AD group membership, which includes initial user creation in Salesforce and updating the role and profile going forward as per AD group membership.
Initially I thought I could use the "combine value for across group" feature, create groups for each Salesforce profile and role in AD, and map them to the Salesforce application; however, only the top-priority group assignment is happening, as role and profile do not support the "combine value for across group" feature.
I was able to manage Roles & Profiles entirely from AD in my previous environment by creating a group for each role/profile combination that we were using, but we have too many roles & profiles here. My solution is to let Okta create the initial account with attributes - including role/profile - but not update. This allows our SFDC admins to update role & profile without Okta writing over those settings.
Another option is to make SFDC a Profile Master and use Attribute Level Mastering for Role and Profile (making SFDC a higher priority for these attributes). This option allows for other attributes to be synced to Okta without overwriting role/profile.