Okta Org2Org JIT Provisioning Error: Resource not found
Overview

An Org2Org setup has many moving parts, including user creation and sync. When a user is created on the Spoke and Just-in-Time (JIT) provisioned into the Hub, the user is created in the Hub, and the Spoke-created groups sync up to the Hub via Push Groups (if the Okta Admin has enabled Org2Org Push Groups in the Spoke org).

If a JIT-provisioned user is deleted on the Hub org, the user is disassociated from its Spoke counterpart. If the Hub user is then recreated through JIT provisioning, the group push and association fail, and the System Log records entries such as:

failure: Not found: Resource not found: [userId] (User)
application.provision.group_membership.add

Where [userId] is the Okta userId of the associated Org2Org user.

Applies To
  • Org2Org SAML IDP Just In Time (JIT) Provisioning
  • Okta Integration Network
  • Org2Org Push Group Mapping
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
Cause

This is due to a ghost profile entry in the Hub org. The Spoke user is still linked, through the userId on the Spoke, to the original userId on the Hub. Even after the user is deleted and re-provisioned to the Hub via JIT, the Spoke still associates the user's userId with the original Hub userId.

For example, a user "Test JIT" is created in the Spoke app with [userId_1]. The user is then given the Identity Provider Assertion Consumer Service URL for the Org2Org setup, which lets them JIT provision into the Hub and creates the Hub user with [userId_2]. When the "Test JIT" user is deleted on the Hub, [userId_2] is removed from the org, and that unique string is never used again.

If the user is re-provisioned from Spoke to Hub using JIT, a new userId is created (for example, [userId_3]), and the new association between [userId_1] and [userId_3] does not sync properly, because the Spoke still holds the original association between [userId_1] and [userId_2].

Solution

To resolve the disassociation, follow the steps below:

  1. Make sure that any users re-provisioned to the Hub via JIT are deleted.
  2. On the Spoke, under the Org2Org application, locate the user (in the example above, the "Test JIT" user).
  3. Unassign the Org2Org application from the user.
  4. Reassign the Org2Org application to the user.
  5. Under Security > Identity Providers, expand the Identity Provider used for the Org2Org setup.
  6. Use the Identity Provider Assertion Consumer Service URL to re-provision the user via JIT provisioning.
  7. Check that the groups the user should have match between Spoke and Hub.

You may also need to re-push the groups if the affected user does not receive them in the Hub. If so, under Push Groups in the Org2Org application, select the Active button, then click Push Now. This syncs the groups back to the Hub and fills in any missing group assignments for the user.
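As an added example (not part of this article and not Okta's own tooling), the following Python script scans a System Log export for the group-push failure quoted above, parses the stale Hub userId out of the "Resource not found: [userId] (User)" reason text so you know which Spoke users need the unassign/reassign steps, and carries out the step 7 check by diffing a user's Spoke and Hub group lists. The event field layout (published, eventType, outcome.result, outcome.reason, target[]) is assumed from the Okta System Log API (GET /api/v1/logs), the target types User, AppUser and UserGroup are assumptions, and every ID, login and group name is constructed.

```python
import json
import re

# Constructed sample export of Okta System Log events (GET /api/v1/logs).
# Field layout is assumed from the System Log API; IDs, logins and group
# names are made up. The first event is the ghost-profile failure from the
# article, the second a healthy push, the third an unrelated failure.
SAMPLE_EVENTS = json.loads("""
[
  {"published": "2024-01-10T12:00:01.000Z",
   "eventType": "application.provision.group_membership.add",
   "outcome": {"result": "FAILURE",
               "reason": "Not found: Resource not found: 00uHUBGHOST000001 (User)"},
   "target": [{"id": "00uSPOKE000000001", "type": "AppUser", "alternateId": "test.jit@example.com"},
              {"id": "00gSPOKEGRP000001", "type": "UserGroup", "displayName": "Engineering"}]},
  {"published": "2024-01-10T12:00:02.000Z",
   "eventType": "application.provision.group_membership.add",
   "outcome": {"result": "SUCCESS"},
   "target": [{"id": "00uSPOKE000000002", "type": "AppUser", "alternateId": "ok.user@example.com"},
              {"id": "00gSPOKEGRP000001", "type": "UserGroup", "displayName": "Engineering"}]},
  {"published": "2024-01-10T12:00:03.000Z",
   "eventType": "user.session.start",
   "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
   "target": []}
]
""")

GROUP_PUSH_EVENT = "application.provision.group_membership.add"
# Matches the reason text quoted in the article: "Resource not found: [userId] (User)"
NOT_FOUND_RE = re.compile(r"Resource not found: (\S+) \(User\)")


def ghost_profile_failures(events):
    """Return one record per group-push failure caused by a deleted Hub user.

    Each record carries the stale Hub userId parsed from the outcome reason,
    plus the login and group name taken from the event targets when present
    (target types are an assumption about the System Log schema).
    """
    hits = []
    for ev in events:
        if ev.get("eventType") != GROUP_PUSH_EVENT:
            continue
        outcome = ev.get("outcome") or {}
        if outcome.get("result") != "FAILURE":
            continue
        m = NOT_FOUND_RE.search(outcome.get("reason") or "")
        if not m:
            continue  # some other provisioning failure, not the ghost-profile case
        targets = ev.get("target") or []
        login = next((t.get("alternateId") for t in targets
                      if t.get("type") in ("User", "AppUser")), None)
        group = next((t.get("displayName") for t in targets
                      if t.get("type") == "UserGroup"), None)
        hits.append({"published": ev.get("published"),
                     "stale_hub_user_id": m.group(1),
                     "login": login,
                     "group": group})
    return hits


def missing_groups(spoke_groups, hub_groups):
    """Groups the user holds in the Spoke but not in the Hub (the step 7 check).

    A non-empty result means the affected groups still need a Push Now.
    """
    return sorted(set(spoke_groups) - set(hub_groups))


if __name__ == "__main__":
    for hit in ghost_profile_failures(SAMPLE_EVENTS):
        print(f"{hit['published']} {hit['login']}: Hub user {hit['stale_hub_user_id']} "
              f"no longer exists; group '{hit['group']}' was not pushed")
    # Constructed group lists for the affected user after re-provisioning.
    print("still missing in Hub:",
          missing_groups(["Engineering", "VPN-Users"], ["VPN-Users"]))
```

Feed the script the JSON array returned by the System Log API, filtered to the group-push event type; each hit's login identifies a Spoke user whose Org2Org assignment needs the unassign/reassign cycle above, and a non-empty `missing_groups` result after re-provisioning tells you a Push Now is still required.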

This error may also occur for users who were never provisioned via JIT but only through Org2Org group push, if the user was deleted in the Hub but is still being pushed from the Spoke. To resolve this, follow the steps below.

  1. Deactivate the user in the Hub org.
  2. Remove the push group membership from the user in the Spoke org, which removes the user's assignment to the Org2Org app.
  3. Add the push group membership back to the user and reassign the Org2Org app to the user.
  4. Allow the group push to run.
  5. A new user account is provisioned in the Hub org with the appropriate assignments.

 
