API Provisioning and Security Assertion Markup Language (SAML) Just In Time (JIT) Provisioning can be used at the same time in an Org2Org, but it is not recommended. API Provisioning (SCIM) and JIT should not be used together because they conflict over which entity controls the user's profile data. Admins may be presented with the following error:
Operation failed because user profile is mastered under another system.
- System for Cross-domain Identity Management (SCIM) Provisioning
- Just In Time (JIT) Provisioning
- Org2Org
On the application side, the Identity Provider (IdP) is set to update the user attributes.
The user is provisioned first via the SCIM API and then accesses the application directly (SAML authentication). From this point on, SCIM provisioning stops working for this user because the user is now mastered by the IdP, and the user's data can only be controlled by the profile master. Every time the SCIM connector pushes an update for the user, the push fails with the error:
Operation failed because user profile is mastered under another system.
- The user can be disconnected from the profile master (the SAML IdP), and the failed SCIM provisioning tasks can be retried.
- As an alternative, the Update attributes for existing users setting can be disabled in the IdP settings. When enabled, this setting causes users to become IdP-mastered when they perform a SAML login to the Okta tenant, which is why the SCIM connector fails to update them.
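
The sequence and both remediations above can be traced with a small state model. This is an added example, not Okta code or an Okta API: `TargetOrg`, its method names and the user `alice` are hypothetical, and the model tracks only the profile master and the failed SCIM tasks.

```python
# Simplified model of the behaviour described above; not Okta code or an Okta API.
MASTERED_ERROR = "Operation failed because user profile is mastered under another system."


class TargetOrg:
    """Hypothetical target org: tracks each user's profile master and failed SCIM tasks."""

    def __init__(self, update_attributes_for_existing_users=True):
        # Stands in for the "Update attributes for existing users" IdP setting.
        self.update_existing = update_attributes_for_existing_users
        self.users = {}         # login -> {"master": str or None, "profile": dict}
        self.failed_tasks = []  # (login, attrs) pushes that were rejected

    def scim_push(self, login, attrs):
        user = self.users.setdefault(login, {"master": None, "profile": {}})
        if user["master"] == "IdP":
            # Only the profile master may change the profile; keep the task for retry.
            self.failed_tasks.append((login, attrs))
            return MASTERED_ERROR
        user["profile"].update(attrs)
        return "ok"

    def saml_login(self, login, assertion_attrs):
        user = self.users[login]  # page scenario: user was already created via SCIM
        if self.update_existing:
            # The IdP updates the attributes and becomes the profile master.
            user["profile"].update(assertion_attrs)
            user["master"] = "IdP"
        # Setting disabled: the login succeeds and the master is unchanged.

    def disconnect_from_master(self, login):
        self.users[login]["master"] = None

    def retry_failed(self):
        pending, self.failed_tasks = self.failed_tasks, []
        return [self.scim_push(login, attrs) for login, attrs in pending]


def run_scenario(update_existing):
    """SCIM create, SAML login, SCIM update; remediate if the update fails."""
    org = TargetOrg(update_existing)
    results = [org.scim_push("alice", {"title": "Engineer"})]   # constructed data
    org.saml_login("alice", {"title": "Engineer"})
    results.append(org.scim_push("alice", {"title": "Manager"}))
    if org.failed_tasks:                  # first remediation: disconnect, then retry
        org.disconnect_from_master("alice")
        results += org.retry_failed()
    return results, org.users["alice"]["profile"]["title"]
```

`run_scenario(True)` follows the failing path and the disconnect-and-retry fix; `run_scenario(False)` shows the alternative, where disabling the setting keeps the SCIM connector in control.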
