Katie Evans

Error with user provisioning from Okta to Salesforce: insufficient access rights on cross-reference id

We have started seeing the following error for all user provisioning from Okta to Salesforce:
Failed to provision user due to: insufficient access rights on cross-reference id

Is there any Okta configuration setting we may have missed that would resolve this error?
James Flores (Okta, Inc.)
Hi Katie,
 
These types of errors are best understood by separating the Okta messages from the service provider message, in this case Salesforce. Typically the colon is the divider between Okta and the SP, so in your case the message would appear as such:
 
Okta:
Failed to provision user due to:
 
Salesforce:
Insufficient access rights on cross-reference id
 
So it seems that Okta attempted to provision a user, using the API, into your Salesforce tenant and that job failed (first message). The job failed because Salesforce, instead of creating the user as requested by Okta, returned an error, the error stating "insufficient access rights on cross-reference id" (second message).
 
As to why Salesforce is returning the error to Okta? That interpretation is best left up to Salesforce support, but based on the error it sounds like the user account used for authentication does not have the appropriate access to create users. As such I would verify with your Salesforce admin that the provisioning account has the correct permissions. Perhaps you can log in directly to Salesforce with that user account and attempt to create a user; you should see a similar error if this is indeed a permissions issue. You can find the account Okta is using by going to Applications>>Salesforce>>Provisioning; it will be noted under the "API Credentials" section.