One of the popular features that Okta offers with most of the OIN applications that support Provisioning is the Update User Attributes feature. This feature pushes changes to a user's attributes from Okta to the target application. For example, if the user's last name has been changed from Smith to Anderson in Okta, Okta will send the new last name to the app (based on the attribute mappings) and the last name attribute will be changed on the application side as well.
In some cases, Admins may notice that an attribute is changed in Okta, but not updated in applications. This document will serve as a reference point to check and review a few reasons why this issue happens and how it can be resolved.
- Profile Editor
- Applications with provisioning (Box, Office365, G Suite, etc.)
Based on the source of the issue, it may be caused by:
- Incorrect API credentials.
- Incorrect attribute mapping.
- User missing external ID on assignment (External ID is the attribute that connects the Okta user to his/her account on the application side. This is usually caused by assigning users to applications before the Provisioning feature is enabled, so users are not fully synced between Okta and the application.).
API Credentials
First, make sure that the API credentials used for provisioning are correct. Go to the application's settings in Okta > Provisioning > Integration and check the credentials for the API integration. This admin account is used for API calls and to update users on the app side, so it needs to be an admin with enough permissions to make changes (updating attributes, provisioning users, etc.).
Update User Attributes
Make sure the Update User Attributes option is selected under the Provisioning tab of the application settings in Okta. Otherwise, Okta will not send new attribute values to the application.
Attribute Mappings
If the above-mentioned feature is enabled and the user's attributes are still not getting updated on the application, check mappings from Okta to the app:
- Go to Okta's admin portal.
- Go to Directory > Profile editor and find the application.
- Click on Mappings for the app.
- At the top of the new page, click on Okta to (Application's name).
- Make sure the app attribute is mapped to the correct attribute in Okta.
The Preview option at the bottom of the mapping page can be used to see what attribute value Okta is sending to the app for each user.
External ID
If the mapping looks good and the attributes of the user (or of some users) are still not getting updated on the application, they might be missing the external ID, which causes the user not to be synced properly with the appropriate account on the application's side. This is usually caused by assigning users to applications before the Provisioning feature is enabled, so users are not fully synced between Okta and the application. To resolve this, unassign/reassign the affected users while provisioning is enabled:
- Go to the application settings in Okta.
- Click on the Assignment tab.
- Find the user in question.
- Click on the X button to unassign the user.
- Click on the Assign button and reassign the user.
- If the X button for unassigning the user is grayed out, it indicates the user is assigned to the app based on group membership. Therefore, it may be necessary to either change the assignment to an individual or unassign the group from the app. To change the assignment from Group Assignment to Individual Assignment, click on the pencil (edit) button beside the user's name and change the Assignment Master from Group to Administrator.
- While unassigning users, on the Provisioning tab of the application settings in Okta, disable the Deactivate Users option to avoid deactivating users on the application side.
Note! Okta strongly suggests checking and applying the mentioned steps in this article with a single test user before making any changes to production users and groups.
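The External ID check above can also be done in bulk. The following is an added example, not part of the original article and not Okta's own code: a Python triage over application user records that finds users with no external ID and names the remediation path for each. It assumes the records come from Okta's Apps API (list application users) and carry the `externalId`, `scope` and `syncState` fields; the sample records and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like the response of Okta's
# GET /api/v1/apps/{appId}/users (list of Application User objects).
# IDs, names and values are made up for illustration.
SAMPLE_APP_USERS = json.loads("""
[
  {"id": "00u_constructed_1", "externalId": "app-1001", "scope": "USER",
   "syncState": "SYNCHRONIZED", "profile": {"lastName": "Anderson"}},
  {"id": "00u_constructed_2", "externalId": null, "scope": "USER",
   "syncState": "DISABLED", "profile": {"lastName": "Lee"}},
  {"id": "00u_constructed_3", "scope": "GROUP",
   "syncState": "DISABLED", "profile": {"lastName": "Ortiz"}},
  {"id": "00u_constructed_4", "externalId": "  ", "scope": "GROUP",
   "syncState": "ERROR", "profile": {"lastName": "Khan"}}
]
""")


def triage_missing_external_id(app_users):
    """Return one finding per app user whose externalId is absent or blank.

    Each finding names the remediation path from the article: individually
    assigned users (scope USER) can be unassigned and reassigned directly;
    group-assigned users (scope GROUP) have the X button grayed out, so the
    assignment must be converted to individual or the group unassigned first.
    """
    findings = []
    for user in app_users:
        external_id = user.get("externalId")
        if isinstance(external_id, str) and external_id.strip():
            continue  # linked to an account on the application side
        scope = user.get("scope", "UNKNOWN")
        if scope == "USER":
            action = "unassign/reassign"
        elif scope == "GROUP":
            action = "convert to individual assignment or unassign group"
        else:
            action = "review assignment manually"
        findings.append({"id": user.get("id"), "scope": scope,
                         "syncState": user.get("syncState"), "action": action})
    return findings


if __name__ == "__main__":
    for finding in triage_missing_external_id(SAMPLE_APP_USERS):
        print(finding)
```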
