Org2Org Provisioning Error "Operation failed because user profile is mastered under another system"
Okta Integration Network | Okta Classic Engine | Okta Identity Engine
Overview

API Provisioning (SCIM) and SAML Just-In-Time Provisioning (JIT) can coexist in an Org2Org setup, but running both is generally not recommended. Enabling both at the same time can create a conflict over which system controls the user's profile data, which surfaces as the following error:

Automatic profile push of user <username> to app Okta Org2Org failed: Error while trying to push profile update for <username>: Operation failed because user profile is mastered under another system.
[Screenshot: Error message]
Applies To
  • Org2Org
  • SCIM Provisioning
  • Just-in-Time (JIT) Provisioning
Cause

This issue commonly arises when both Just In Time (JIT) provisioning with the "Update attributes for existing users" option and SCIM Provisioning are enabled for the Org2Org application.

The error is primarily due to conflicting provisioning methods:

  1. JIT Provisioning with the Update Users Option
When this option is enabled in the Identity Provider (IDP) settings, users sourced by the Org2Org IDP become "IDP mastered", meaning their profiles can only be updated by the IDP.
[Screenshot: JIT Settings]
  2. SCIM Provisioning
Enabling provisioning on the Org2Org app triggers profile pushes for all assigned users. If those users are IDP mastered in the target org, SCIM cannot update their profiles, and the push fails with the error above.
[Screenshots: Integration and Provisioning tabs]

 

The problem unfolds as follows:

  • The user is initially provisioned via SCIM Provisioning.
  • Subsequently, the user signs in to the Org2Org application directly using SAML authentication.
  • At this point, the IDP becomes the user's profile master, and only the profile master can control the user's data.
  • Any subsequent attempt by the SCIM connector to push updates for this user fails with the error message: Operation failed because user profile is mastered under another system.

 

Solution

To resolve this issue, admins can take the following steps:

  1. Disable the Update Attributes Option
In the IDP configuration settings (hub), disable the "Update attributes for existing users" option. This prevents users from becoming IDP mastered during SAML login, so SCIM provisioning can continue to update their profiles.
  2. Disconnect from Profile Master
For users already mastered by the IDP, disconnect them from this profile master. The failed SCIM provisioning tasks can then be retried.
  3. Set Attribute Inheritance
In the hub where the identity provider is configured, set all user attributes to be inherited from Okta. This ensures that the profile push from the Org2Org app is the only app pushing updates to the Okta profile, rather than another profile source already configured in the hub (assuming profile sourcing is enabled for other applications).

Please note that while it is possible to use SCIM Provisioning and SAML JIT concurrently, careful consideration of the settings and their potential conflicts is essential to avoid the provisioning error described above.
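A way to check for the conflicting configuration before it bites, and to harvest the affected usernames from the task failures, is shown below. This is an added example and not Okta's own code or part of this article. It works offline on objects already exported from the Okta API: the hub's IdP (GET /api/v1/idps/{idpId}) and the spoke's Org2Org app (GET /api/v1/apps/{appId}). The sample objects, IDs and task lines are constructed, trimmed to the fields the checks read, and the mapping of the "Update attributes for existing users" checkbox to the IdP's `policy.provisioning.profileMaster` flag and of the app's profile push to the `PUSH_PROFILE_UPDATES` feature is assumed for this example.

```python
import copy
import re

# Task-failure text quoted in the article; the group names are this example's own.
PUSH_FAILURE_RE = re.compile(
    r"Automatic profile push of user (?P<user>\S+) to app (?P<app>.+?) failed: "
    r"Error while trying to push profile update for (?P=user): "
    r"Operation failed because user profile is mastered under another system\."
)

# Constructed IdP object as the hub would return it (placeholder id/name).
HUB_IDP = {
    "id": "0oa_hub_idp_placeholder",
    "type": "SAML2",
    "name": "Spoke Org (Org2Org)",
    "status": "ACTIVE",
    "policy": {
        "provisioning": {
            "action": "AUTO",         # JIT: create the user on first SAML login
            "profileMaster": True,    # assumed: "Update attributes for existing users"
            "groups": {"action": "NONE"},
        }
    },
}

# Constructed Org2Org app object as the spoke would return it (placeholder id).
SPOKE_APP = {
    "id": "0oa_spoke_app_placeholder",
    "name": "okta_org2org",
    "label": "Okta Org2Org",
    "status": "ACTIVE",
    "features": ["PUSH_NEW_USERS", "PUSH_PROFILE_UPDATES", "PUSH_USER_DEACTIVATION"],
}

# Constructed task lines; only the second one matches the article's failure text.
SAMPLE_TASK_LINES = [
    "Automatic profile push of user asmith@example.com to app Okta Org2Org succeeded",
    "Automatic profile push of user jdoe@example.com to app Okta Org2Org failed: "
    "Error while trying to push profile update for jdoe@example.com: "
    "Operation failed because user profile is mastered under another system.",
]


def idp_jit_updates_existing_users(idp: dict) -> bool:
    """True when JIT is on and the IdP takes ownership of existing users' profiles."""
    prov = idp.get("policy", {}).get("provisioning", {})
    return prov.get("action") == "AUTO" and bool(prov.get("profileMaster"))


def app_pushes_profile_updates(app: dict) -> bool:
    """True when the Org2Org app is active and pushes profile updates to the target org."""
    return app.get("status") == "ACTIVE" and "PUSH_PROFILE_UPDATES" in app.get("features", [])


def find_conflicts(idp: dict, app: dict) -> list[str]:
    """Report the JIT/SCIM profile-ownership conflict the article describes, if present."""
    findings = []
    if idp_jit_updates_existing_users(idp) and app_pushes_profile_updates(app):
        findings.append(
            f"IdP {idp.get('name')!r} takes profile ownership of users at SAML login "
            f"while app {app.get('label')!r} pushes profile updates; pushes to those "
            f"users will fail with 'mastered under another system'"
        )
    return findings


def jit_without_profile_master(idp: dict) -> dict:
    """Return a copy of the IdP object with the update-attributes option off.

    This is the body you would send back with PUT /api/v1/idps/{idpId}
    (the IdP API replaces the whole object, so the copy keeps every other field).
    """
    fixed = copy.deepcopy(idp)
    fixed.setdefault("policy", {}).setdefault("provisioning", {})["profileMaster"] = False
    return fixed


def failed_push_users(task_lines) -> list[str]:
    """Extract the usernames whose SCIM push failed on the profile-master error."""
    users = []
    for line in task_lines:
        match = PUSH_FAILURE_RE.search(line)
        if match:
            users.append(match.group("user"))
    return users


if __name__ == "__main__":
    for finding in find_conflicts(HUB_IDP, SPOKE_APP):
        print("CONFLICT:", finding)
    print("users to disconnect and retry:", failed_push_users(SAMPLE_TASK_LINES))
    print("conflicts after fix:", find_conflicts(jit_without_profile_master(HUB_IDP), SPOKE_APP))
```

The usernames returned by `failed_push_users` are the accounts that still need step 2 (disconnect from the profile master and retry the push) after the IdP setting has been changed; the setting change alone does not release users the IdP already owns.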

