When users log in through a newly created OpenID Connect (OIDC) Identity Provider (IdP), they are not created within Okta.
System Log events show that the user creation failed (eventType eq "user.lifecycle.create" and outcome.result eq "FAILURE"), alongside an authentication event (eventType eq "user.authentication.auth_via_social") whose error message reads:
Unable to JIT user from the Identity Provider - Generic OpenID Connect Identity Provider
This error occurs after the user has successfully authenticated to the external Identity Provider but cannot be Just-In-Time (JIT) provisioned into Okta. Okta requires a First Name and Last Name in order to create a user, so ensure that the Identity Provider returns these attributes to Okta as the OpenID Connect specification defines them: the standard claims given_name and family_name, carried in the ID Token or in the UserInfo response.
There are two things to check in the Identity Provider configuration to ensure that these claims are being returned:
- The profile scope has been added to the Scopes section (given_name and family_name are only released under this scope).
- The Userinfo endpoint is configured.
NOTE: If any desired profile attributes are only available within the ID Token itself and are not found in the Userinfo response, omit the "Userinfo endpoint" when configuring the OIDC IdP. This tells Okta to only look at the claims found in the ID Token payload.
If the issue persists, complete the Authorization Code flow manually against the Identity Provider and inspect the claims returned in the ID Token and in the UserInfo response, to confirm that the Identity Provider is actually providing given_name and family_name.
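The check above, as an added example that is not part of the original article or of any Okta tooling: it decodes the payload of an ID Token obtained from a manual Authorization Code flow, applies a simplified model of the sourcing rule described in the NOTE (UserInfo response if that endpoint is configured, otherwise the ID Token payload; this model is an assumption of the example), and reports which name claims are missing and whether omitting the Userinfo endpoint would fix it. The issuer, client_id, token contents and UserInfo response are constructed sample data.

```python
import base64
import json
from typing import Optional

# Okta needs these standard OIDC claims to JIT-create a user.
REQUIRED_CLAIMS = ("given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_payload(id_token: str) -> dict:
    """Return the claims in an ID Token's payload segment.

    The signature is deliberately NOT verified: this is a diagnostic helper for
    inspecting a token you obtained yourself, never a basis for trust decisions.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_name_claims(id_token: str, userinfo: Optional[dict] = None) -> dict:
    """Report which required name claims are missing and where they were looked up.

    Assumed model of the article's rule: with a Userinfo endpoint configured,
    profile attributes come from the UserInfo response; without one, only the
    ID Token payload is consulted.
    """
    token_claims = id_token_payload(id_token)
    if userinfo is not None:
        source, claims = "userinfo", userinfo
    else:
        source, claims = "id_token", token_claims

    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    only_in_token = [c for c in missing if token_claims.get(c)]

    if not missing:
        hint = "ok: both name claims present in the %s response" % source
    elif source == "userinfo" and only_in_token == missing:
        hint = ("omit the Userinfo endpoint in the Okta IdP config: "
                "%s only present in the ID Token" % ", ".join(only_in_token))
    else:
        hint = ("fix the IdP: %s not returned; check the profile scope"
                % ", ".join(missing))
    return {"source": source, "missing": missing, "hint": hint}


def build_sample_id_token(payload: dict) -> str:
    """Build a CONSTRUCTED, unsigned token for offline testing only."""
    header = {"alg": "RS256", "kid": "example-kid"}  # placeholder header
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample token modelled on a generic OIDC IdP response (assumed values).
SAMPLE_ID_TOKEN = build_sample_id_token({
    "iss": "https://idp.example.com",
    "sub": "1a2b3c",
    "aud": "okta-client-id",
    "email": "ada@example.com",
    "given_name": "Ada",
    "family_name": "Lovelace",
})

# Constructed UserInfo response lacking family_name: the case the NOTE describes.
SAMPLE_USERINFO_INCOMPLETE = {
    "sub": "1a2b3c",
    "email": "ada@example.com",
    "given_name": "Ada",
}

if __name__ == "__main__":
    print(diagnose_name_claims(SAMPLE_ID_TOKEN))
    print(diagnose_name_claims(SAMPLE_ID_TOKEN, SAMPLE_USERINFO_INCOMPLETE))
```

Paste the id_token from the token endpoint response in place of SAMPLE_ID_TOKEN, and the JSON body of a GET to the Userinfo endpoint (with the access token as a Bearer token) in place of SAMPLE_USERINFO_INCOMPLETE, to diagnose a real IdP.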
Related References
- Okta Groups or Attribute Missing from ID Token
- Enterprise Identity Provider
- Standard Claims
- UserInfo Request
