Skipping Assertion Attributes Because of Schema Mismatch with Okta
Overview

When using the SAML protocol for Single Sign-On (SSO) between Okta and a Service Provider (SP), certain required attributes must be included in the SAML assertion. If these attributes are not included, the system will skip attribute updates due to a schema mismatch, and either the user will not be created via Just In Time (JIT) or the profile update will not be successful.

This article explains the causes of the following error, when Okta is the SP, and how to fix it:

Skipping assertion attributes because of schema mismatch.


Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Service Provider (SP)
  • Security Assertion Markup Language (SAML)
  • Single Sign-On (SSO)
  • Just-In-Time (JIT) Provisioning
Cause

Different SPs or applications have different requirements for user profiles, but the required attributes usually include username, email, first name, and last name.

However, in some cases, additional attributes are required. If any required attributes are missing in the SAML assertion sent to the SP during SSO, the system will skip attribute updates due to a schema mismatch, and user creation via JIT or profile update will fail.

Solution

To resolve the Skipping assertion attributes because of schema mismatch error, follow the steps below:

When Okta is the SP

Ensure that the external IdP includes, in its SAML response, every attribute that is marked as "required" in Okta.
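To see which required attributes an incoming assertion is actually missing before opening a ticket with the IdP owner, the following added example (not Okta's code) parses a SAML response and compares its AttributeStatement against the attribute names Okta marks as required. The response XML and the required-attribute set are constructed for illustration; the comparison is exact and case-sensitive, matching the note below that the Name must match perfectly.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned response whose assertion
# carries only three attributes (lastName is absent).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical set of attribute names marked "required" on the Okta side.
REQUIRED_ATTRIBUTES = {"username", "email", "firstName", "lastName"}


def assertion_attributes(saml_xml: str) -> dict:
    """Return {Name: [values...]} for every Attribute in the assertion."""
    root = ET.fromstring(saml_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_required(saml_xml: str, required=REQUIRED_ATTRIBUTES) -> set:
    """Required names that are absent or carry only empty values (exact match)."""
    present = assertion_attributes(saml_xml)
    return {n for n in required if not any(v.strip() for v in present.get(n, []))}


if __name__ == "__main__":
    missing = missing_required(SAMPLE_RESPONSE)
    if missing:
        print("schema mismatch, missing required attributes:", sorted(missing))
    else:
        print("all required attributes present")
```

Run it against a SAML response captured from the browser's SAML tracer (after base64-decoding it) to get the exact list of names to request from the IdP.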


When Okta is the IdP

Custom SAML app

  1. Go to the Sign On tab of the Custom SAML application in Okta.
  2. Scroll down to the Attribute Statements section.
  3. If the section is not expanded, select Show legacy configuration to view the existing attributes.
  4. Click Edit and add the required attribute as an additional attribute statement.
    Example of Attribute statements in Sign On settings 
  5. Click Save toward the bottom of the section to save the changes.



OIN App

  1. Go to the Sign On tab of the Okta application.
  2. Click Edit for the SAML 2.0 Settings.
    Example of Attributes in the interface 
  3. Add the required attribute as an additional attribute statement.
  4. Click Save toward the bottom of the section to save the changes.


NOTE:

  • The Name field must exactly match the variable name the application expects for the attribute. For details on obtaining the attribute's variable name, contact the application's support.
  • The Value field can contain constants (for example, "insert static value here") or variables (other attributes or Expression Language constructs) specific to the user being signed in. The exception is a reference to another application's appuser values (for example, do not reference a salesforce.firstName attribute in a ServiceNow app); the appuser.attribute form can, however, be used to reference attributes from the current application user's profile.

If the option to add additional attribute statements is not visible in the Sign-On settings, an Okta Support ticket can be opened to enable it.
