This article describes how to resolve login failures that occur when users authenticate to Okta through a Security Assertion Markup Language (SAML) Identity Provider (IdP) that is configured to match inbound users against a specific profile attribute.
The expected System Log entries are:
- Authenticate user via IDP = failure: User Not Found
- Authenticate user via IDP = failure: Unable to match the transformed username.
- External Identity Provider (IdP)
- Just-In-Time (JIT) Provisioning
- Matching users against a specific, non-unique attribute
When the IdP configuration matches on an attribute whose value is shared by more than one Okta account, Okta cannot resolve the transformed username from the assertion to a single user, and the login fails with the entries above. To resolve this issue, the matched attribute value must be made unique for each affected user: update the attribute value for those users in Okta so that no two accounts share a value. The value the IdP sends in the SAML assertion must still equal the updated Okta value, so coordinate the change with whoever administers the IdP. After the update, the login process can match each user to exactly one account, and the login failures should be resolved.
NOTE: The System Log entries noted above are also expected behavior when the user attempting to log in does not exist in Okta at all. If JIT provisioning is enabled in the IdP configuration, but the user is not being created as expected and there are no System Log entries referencing a JIT failure, confirm that JIT is also enabled at the org level.
Go to the Okta Admin Console > Customizations > Other > enable Just In Time Provisioning.
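The following is an added example, not Okta's code: a small offline model of the matching step described above, used to show why a non-unique match attribute produces the failures listed and how to check an attribute for uniqueness before relying on it. The user list and assertion values are constructed; the `idpuser.<attribute>` username template form is an assumption (real Okta templates use Okta Expression Language, which this does not model), and `okta_search_query` only builds the `search` filter string for the Okta Users API rather than calling it.

```python
"""Offline model of Okta SAML IdP user matching (added example, not Okta code).

Modeled behaviour: the IdP username is derived from the assertion (the
"transformed username"), then looked up against one Okta profile attribute.
Zero matches corresponds to "User Not Found"; more than one match is the
non-unique-attribute case this article is about.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Constructed sample of Okta user profiles. The match attribute here is
# 'employeeNumber'; note that E1002 is shared by two accounts.
USERS: List[Dict[str, str]] = [
    {"id": "00u1", "login": "alice@example.com", "employeeNumber": "E1001"},
    {"id": "00u2", "login": "bob@example.com", "employeeNumber": "E1002"},
    {"id": "00u3", "login": "bob.contractor@example.com", "employeeNumber": "E1002"},
    {"id": "00u4", "login": "carol@example.com", "employeeNumber": "E1004"},
]


def transform_username(assertion: Dict[str, str], template: str) -> str:
    """Apply an IdP username template to the assertion's attributes.

    Assumption: only a single 'idpuser.<attribute>' reference is modeled.
    Raises KeyError if the assertion lacks the referenced attribute, which
    is one reason a transformed username can fail to match anything.
    """
    m = re.fullmatch(r"idpuser\.(\w+)", template.strip())
    if not m:
        raise ValueError("only single 'idpuser.<attribute>' templates are modeled")
    key = m.group(1)
    if key not in assertion:
        raise KeyError(f"assertion does not carry attribute {key!r}")
    return assertion[key]


def match_user(
    username: str, attr: str, users: List[Dict[str, str]] = USERS
) -> Tuple[str, Optional[List[Dict[str, str]]]]:
    """Look the transformed username up against profile attribute `attr`.

    Returns ('ok', [user]), ('not_found', None) or ('ambiguous', [users]).
    'ambiguous' is the situation that arises when the match attribute is
    not unique across accounts.
    """
    hits = [u for u in users if u.get(attr) == username]
    if not hits:
        return ("not_found", None)
    if len(hits) > 1:
        return ("ambiguous", hits)
    return ("ok", hits)


def find_duplicate_values(
    attr: str, users: List[Dict[str, str]] = USERS
) -> Dict[str, List[str]]:
    """Map each value of `attr` shared by more than one user to those logins.

    Run this over an export of your users before (or after) choosing an IdP
    match attribute; an empty result means the attribute is unique.
    """
    by_value: Dict[str, List[str]] = {}
    for u in users:
        value = u.get(attr)
        if value is None:
            continue
        by_value.setdefault(value, []).append(u["login"])
    return {v: logins for v, logins in by_value.items() if len(logins) > 1}


def okta_search_query(attr: str, value: str) -> str:
    """Build the Users API filter for the same lookup, for use as
    GET /api/v1/users?search=<urlencoded filter>.

    Only the filter string is built here; no request is made.
    """
    return f'profile.{attr} eq "{value}"'


def okta_search_url(org_url: str, attr: str, value: str) -> str:
    """Full URL for the duplicate check against a live org (not called here)."""
    return f"{org_url}/api/v1/users?search={quote(okta_search_query(attr, value))}"


if __name__ == "__main__":
    # Constructed assertion for Bob; the template picks employeeNumber from it.
    assertion = {"subjectNameId": "bob@example.com", "employeeNumber": "E1002"}
    name = transform_username(assertion, "idpuser.employeeNumber")
    status, hits = match_user(name, "employeeNumber")
    print(status, [u["login"] for u in hits] if hits else None)
    print("duplicates:", find_duplicate_values("employeeNumber"))
    print(okta_search_url("https://example.okta.com", "employeeNumber", "E1002"))
```

In the sample data, matching on `employeeNumber` succeeds for Alice and Carol but is ambiguous for the value E1002, which is exactly the condition the article's fix addresses; `find_duplicate_values` lists the accounts whose value must be changed. `okta_search_url` is the same check against a live org and requires an API token in an `Authorization: SSWS <token>` header, which is deliberately left out of this offline example.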
