Okta successfully matches an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) user to an existing Okta user during an import. However, Okta creates a new user instead of matching the existing user during Just-In-Time (JIT) provisioning because the JIT feature only creates accounts when the user does not exist in Okta. To resolve this, execute a scheduled or manual import to match an AD or LDAP account to an existing Okta user.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Lightweight Directory Access Protocol (LDAP)
- Just-In-Time (JIT) Provisioning
JIT account creation functions only when the user does not exist in Okta. Okta does not support assigning a directory user to an existing user during JIT provisioning. JIT only synchronizes profiles for a user already assigned to the directory.
Why does Okta create a new user instead of matching an existing one during JIT provisioning?
This is expected behavior. Okta cannot match an AD or LDAP account to an existing Okta user during JIT provisioning.
A Scheduled or Manual Import Resolves the Matching Issue
Execute a scheduled or manual import to successfully match the AD or LDAP account to the existing Okta user.
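Before running the import, it helps to know which people already ended up with two accounts. The following is an added example, not Okta's code: it groups exported user records by email and flags any email held by both an Okta-sourced user and an AD- or LDAP-sourced user. It assumes records shaped like Okta Users API objects (`profile.email`, `credentials.provider.type`, `created`) and that email identifies the same person in your org; the sample records are constructed.

```python
from collections import defaultdict

# Provider types that mark a directory-sourced user.
DIRECTORY_PROVIDERS = {"ACTIVE_DIRECTORY", "LDAP"}

# Constructed sample records shaped like Okta Users API objects (not real data).
SAMPLE_USERS = [
    {"id": "00u_sample_1", "created": "2021-03-02T10:00:00.000Z",
     "profile": {"login": "alice@example.com", "email": "alice@example.com"},
     "credentials": {"provider": {"type": "OKTA"}}},
    {"id": "00u_sample_2", "created": "2024-06-11T08:30:00.000Z",
     "profile": {"login": "alice@corp.example.com", "email": "Alice@example.com"},
     "credentials": {"provider": {"type": "ACTIVE_DIRECTORY"}}},
    {"id": "00u_sample_3", "created": "2023-01-15T09:00:00.000Z",
     "profile": {"login": "bob@example.com", "email": "bob@example.com"},
     "credentials": {"provider": {"type": "LDAP"}}},
    {"id": "00u_sample_4", "created": "2022-07-20T12:00:00.000Z",
     "profile": {"login": "carol@example.com", "email": "carol@example.com"},
     "credentials": {"provider": {"type": "OKTA"}}},
]


def find_jit_duplicates(users):
    """Return {email: [users, oldest first]} for every email that belongs to
    both an Okta-sourced user and a directory-sourced (AD/LDAP) user."""
    by_email = defaultdict(list)
    for user in users:
        # Assumption: email is the attribute that identifies the same person.
        email = (user.get("profile", {}).get("email") or "").strip().lower()
        if email:
            by_email[email].append(user)

    flagged = {}
    for email, group in by_email.items():
        types = {u.get("credentials", {}).get("provider", {}).get("type")
                 for u in group}
        if "OKTA" in types and types & DIRECTORY_PROVIDERS:
            # ISO 8601 timestamps in one format sort correctly as strings.
            flagged[email] = sorted(group, key=lambda u: u["created"])
    return flagged


if __name__ == "__main__":
    for email, group in find_jit_duplicates(SAMPLE_USERS).items():
        print(email)
        for u in group:
            kind = u["credentials"]["provider"]["type"]
            print(f"  {u['id']}  {kind:<16}  {u['profile']['login']}")
```

Each flagged email is a candidate for review before the import; the script only reads exported records and changes nothing in Okta.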
