This article explains why users created in Okta through Just-In-Time (JIT) provisioning from Inbound Security Assertion Markup Language (SAML) / External Identity Providers (IdPs) may remain active in Okta even after they are deactivated in the IdP.
- Inbound SAML / External IdP
- Single Sign-On (SSO)
- Security Assertion Markup Language (SAML)
Okta and the IdP do not synchronize user status information. A user who is deactivated in the IdP will not have their status automatically changed to deactivated within Okta.
To resolve this, administrators must deactivate the user manually in the Okta Admin Console once the user has been deactivated in the IdP.
NOTE: Even if the JIT-created Okta user profile has not been manually deactivated yet, the user will not be able to log in to Okta once their account has been deactivated in the IdP, because Okta relies on the IdP to authenticate the user during the login process. If the IdP denies the authentication request from a deactivated user, Okta will not grant access, regardless of the user's current Okta status. Manual deactivation in Okta therefore serves primarily to keep the status shown in Okta accurate.
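As an added example (not an Okta-provided tool), the script below shows how an administrator could reconcile the status gap described above in bulk instead of one user at a time: it lists ACTIVE Okta users, selects the federated (JIT-created) ones whose logins appear in an export of accounts the IdP has deactivated, and deactivates them through the Okta Users API lifecycle endpoint. It assumes an SSWS API token in `OKTA_API_TOKEN`, the org URL in `OKTA_ORG_URL`, and that JIT users carry the `FEDERATION` credential provider type; the user records and the IdP export are constructed sample data.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of what GET /api/v1/users?search=status eq "ACTIVE" returns,
# trimmed to the fields used here; not real Okta data.
SAMPLE_OKTA_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"},
     "credentials": {"provider": {"type": "FEDERATION"}}},
    {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"},
     "credentials": {"provider": {"type": "FEDERATION"}}},
    {"id": "00u3", "status": "ACTIVE", "profile": {"login": "carol@example.com"},
     "credentials": {"provider": {"type": "OKTA"}}},
]
# Constructed export of logins the external IdP reports as deactivated.
SAMPLE_IDP_DEACTIVATED = {"bob@example.com", "carol@example.com", "dave@example.com"}

def stale_jit_users(okta_users, idp_deactivated_logins):
    """Return Okta users still ACTIVE although deactivated in the IdP.
    Only federated (JIT-created) users are selected (assumed provider type
    FEDERATION); Okta-mastered accounts such as carol are left for human review."""
    gone = {login.lower() for login in idp_deactivated_logins}
    return [
        u for u in okta_users
        if u.get("status") == "ACTIVE"
        and u.get("credentials", {}).get("provider", {}).get("type") == "FEDERATION"
        and u["profile"]["login"].lower() in gone
    ]

def okta_request(base_url, token, method, path, query=None):
    """Minimal Okta REST call authenticated with an SSWS API token."""
    url = base_url.rstrip("/") + path + ("?" + urllib.parse.urlencode(query) if query else "")
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None

def reconcile(base_url, token, idp_deactivated_logins, dry_run=True):
    """Fetch ACTIVE users (first page only; Okta paginates via Link headers),
    pick the stale JIT users and deactivate them unless dry_run is set."""
    active = okta_request(base_url, token, "GET", "/api/v1/users",
                          {"search": 'status eq "ACTIVE"', "limit": 200})
    stale = stale_jit_users(active, idp_deactivated_logins)
    for u in stale:
        print(("DRY-RUN " if dry_run else "") + f"deactivate {u['id']} {u['profile']['login']}")
        if not dry_run:
            okta_request(base_url, token, "POST", f"/api/v1/users/{u['id']}/lifecycle/deactivate")
    return stale

if __name__ == "__main__":
    reconcile(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"],
              SAMPLE_IDP_DEACTIVATED, dry_run=True)
```

Run it with `dry_run=True` first and compare the printed list against the IdP export before letting it deactivate anything.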
