This article addresses the issue where application usernames are not being updated automatically when a user's group membership changes. This problem can affect integrations that require a dynamic population of NameID values based on the user's group membership.
Okta Administrators are encountering issues with the automatic update of application usernames after changes in group membership.
Group membership updates are not considered user profile updates. Therefore, when a user's group membership changes, an application profile update is not triggered. This behavior can lead to application usernames not being updated as expected.
A profile push may be utilized to work around this issue. Profile push allows selected attributes to be pushed from Okta to an application when a provisioning event occurs. The feature is unidirectional; data can only be pushed from Okta to the target application.
For successful implementation with SWA or SAML applications, Update User Attributes must be selected on the Provisioning page, and Administrator sets username and password must be selected on the Sign On page.
When mapping attributes using the Profile Editor, the attributes to be pushed when a provisioning event occurs can be selected. The options available in the drop-down list of the User Profile Mappings dialog box vary for each attribute. These options are determined by the app type, profile source status, and app state.
The options include:
- Apply mapping on user create and update: This pushes data when a user is created and also when there is a change in their profile.
- Apply mapping on user create only: This pushes data only when a new user is created and does not automatically push data when a user profile changes.
- Do not map: This option removes an existing mapping.
Okta does not support partial profile push: during a profile update, Okta pushes the app user's full profile, including attributes set to Apply mapping on user create only and Do not map.
If an attribute is mapped in Directory > Profile Editor > App profile mappings and set to Apply mapping on user create and update, the mapped value will be re-evaluated and applied on any updates to the user's Okta profile. However, a change in group membership alone will not trigger an Okta user profile update and will not update the mapped value in the application profile.
Therefore, to address the problem of group membership updates not automatically updating application usernames, Okta Administrators may use Okta's profile push feature so that user profile updates, including the mapped username value, are pushed from Okta to the application after a change in group membership.
For more information or assistance with the workaround, please contact Okta Support.
