Issues with provisioning users from Okta to SalesForce
https://support.okta.com/help/answers?id=906f0000000dfd6iao&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Imran Khan

Issues with provisioning users from Okta to SalesForce

So I set up a federation between Okta and Salesforce. I followed the instructions provided. When I assign a user to my SalesForce application, I got the error "Failed to provision user due to: Guest Users cannot have a user role: Role ID". I noticed that SalesForce SSO has a JIT provisioning option. The problem is that for it to work, you need to select the radio button "Assertion contains the Federation ID from the User object" which then promptly breaks SSO between Okta and SalesForce.

Any recommendations?
Imran Khan
So I discovered the error. I had to remove the role from the user. But then the logs show yet another error:
"Failed to provision user due to: License Limit Exceeded"
I'm using the free versions of both SalesForce and Okta but I think this error is on the SalesForce end?
Imran Khan
Don't think it's really a user licensing problem, as I have manually created a SalesForce account in SalesForce using the SalesForce service account. Any ideas would be appreciated.
Imran Khan
Solved the issue. You need to make sure that all of the "Feature License" checkboxes for the user to be provisioned remain unchecked!
Kevin Turner (Okta, Inc.)
If it's also the free version, you will probably only be able to assign them the Chatter Free profile and no role. Otherwise you might again get a similar message.
sima das
When I am trying to enable just-in-time provisioning in Salesforce, an error comes up:

"Error: Invalid Data.
Review all error messages below to correct your data.
You must use the Federation ID for the SAML User ID Type when using just in time provisioning."

What should I do now?
I am not able to do just-in-time provisioning.