We have it working. It's pretty clean on the user side, but a bit messy otherwise. Honestly, Cisco's SAML support sucks and we could never find anyone @ Cisco or Webex Connect that knew how it worked.
A few issues w/ workarounds:
1. You can't edit attributes on the Cisco side if SAML is enabled. Which is fine, except you can't set the user cluster via SAML. So users have to click the Jabber chiclet in Okta for their account to be created and then we have to go in after the fact and assign their cluster.
2. We also had to push a custom attribute for "last_updated" (or something similar) or SAML provisioning would fail. Easy fix, but not documented anywhere that we could find.
For future reference, the custom 'updateTimeStamp' attribute is required for auto update to work with Jabber user profiles. We created a custom attribute on the Okta profile for this and push it dynamically whenever a user profile is updated from our external data source. We spoke with Okta to see if we could use the 'lastUpdated' value from their API, but it is not able to be mapped in a SAML assertion.
Specify the “updateTimeStamp” attribute in the SAML assertion and check this field to update an existing user account. The “updateTimeStamp” value is the last update time of a user’s profile in the customer’s Identity store. For example, in Active Directory, the “whenChanged” attribute has this value. If “updateTimeStamp” is not in the attribute, the user profile would not be updated since the last update. It updates the first time when the user profile is updated via Auto Account Update or Auto Account Creation. Unchecked indicates no updates will occur.
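Added example, not part of the original thread and not Cisco or Okta code: a pre-flight check that compares two decoded SAML assertions for the same user and flags the case described above, where profile attributes changed but "updateTimeStamp" is absent or unchanged. The other attribute names (`email`, `lastname`), the timestamp format and the sample assertions are constructed assumptions; the stamp is treated as an opaque string.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STAMP = "updateTimeStamp"  # attribute name as given in the thread

def attributes(assertion_xml):
    """Return {name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        out[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return out

def check_update(previous_xml, current_xml):
    """Compare two assertions for one user; return (status, changed_names)."""
    old, new = attributes(previous_xml), attributes(current_xml)
    names = (old.keys() | new.keys()) - {STAMP}
    changed = sorted(n for n in names if old.get(n) != new.get(n))
    stamp = new.get(STAMP)
    if not stamp or not any(stamp):
        return "missing-stamp", changed   # per the thread: no update occurs
    if changed and stamp == old.get(STAMP):
        return "stale-stamp", changed     # changes pushed without a new stamp
    return "ok", changed

def _assertion(**attrs):
    # Builds a constructed, unsigned sample assertion (hypothetical helper).
    body = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement>'
            f'</saml:Assertion>')

# Constructed sample data; attribute names and timestamp format are assumed.
FIRST = _assertion(email="a.user@example.com", lastname="User",
                   updateTimeStamp="20240101120000")
NO_STAMP = _assertion(email="a.user@example.com", lastname="Renamed")
STALE = _assertion(email="a.user@example.com", lastname="Renamed",
                   updateTimeStamp="20240101120000")
FRESH = _assertion(email="a.user@example.com", lastname="Renamed",
                   updateTimeStamp="20240302093000")

if __name__ == "__main__":
    for label, xml in (("no stamp", NO_STAMP), ("stale", STALE), ("fresh", FRESH)):
        print(label, check_update(FIRST, xml))
```

Feed it the decoded assertion XML captured from your own IdP (for example from a SAML tracer) before and after a profile change.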