When updating or changing the Security Assertion Markup Language (SAML) User Roles with an AWS Account Federation app instance, attempting to save the assignment results in the following error:
Invalid value data type
- Okta Integration Network (OIN)
- AWS Account Federation
- Security Assertion Markup Language (SAML)
This error occurs when the Update User provisioning feature was previously enabled but has since been disabled.
The AWS Account Federation app does not support true user provisioning, as SCIM provisioning calls are not made to push user profile updates.
Provisioning setup is essential to this integration so that Okta can pull in the available SAML User Roles and surface the correct assignment configurations. The configured roles are then passed to the service provider in a SAML claim when the end user initiates Single Sign-On (SSO) with AWS.
To resolve this, follow the steps mentioned below:
- Verify that Update User is enabled in the app by navigating to the Okta Admin Console > Applications > Applications > AWS Account Federation app name > Provisioning > To App. If it is disabled, enable it.
- Follow the documentation to perform a Refresh Application Data. This step typically has minimal impact for most environments and often takes less than two minutes. However, very large environments with many provisioning-enabled apps may experience some impact. It is critical to ensure that the provisioning information is correct and up to date.
- If the issue persists or the desired SAML User Role is not available, check the Okta System Log for the event indicating "Import provisioning info triggered by import process" with event type system.import.import_provisioning_info. Use its transaction ID to check for related errors. Example System Log event search: eventType eq "system.import.import_provisioning_info".
- If there are no recent provisioning import events for the app near the Application Data Refresh, or if a failure is reported, test the API connection in the app's Provisioning > Integration settings to verify the API permissions.
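
The System Log check from the last two steps, as an added example (not Okta's own code): it runs over System Log events exported as JSON, finds import provisioning events for the app near the refresh time, and collects FAILURE events that share their transaction ID. The sample events, the placeholder.related.event type, the 10-minute window, and matching the app by its target displayName are assumptions.

```python
from datetime import datetime, timedelta, timezone

IMPORT_EVENT = "system.import.import_provisioning_info"

def _ts(ev):
    # System Log timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))

def _txn(ev):
    return (ev.get("transaction") or {}).get("id")

def check_import(events, app_label, refresh_time, window=timedelta(minutes=10)):
    """Return (status, failures) for the app's provisioning import near refresh_time."""
    imports = [
        ev for ev in events
        if ev.get("eventType") == IMPORT_EVENT
        # Assumption: the app instance appears in target[] under its label.
        and any(t.get("displayName") == app_label for t in ev.get("target") or [])
        and abs(_ts(ev) - refresh_time) <= window
    ]
    if not imports:
        return "no-import-event", []  # next step: test the API connection
    txn_ids = {_txn(ev) for ev in imports} - {None}
    # Any FAILURE sharing a transaction ID with the import is a related error.
    failures = [
        (_txn(ev), ev["eventType"], ev["outcome"].get("reason"))
        for ev in sorted(events, key=_ts)
        if _txn(ev) in txn_ids and (ev.get("outcome") or {}).get("result") == "FAILURE"
    ]
    return ("failed" if failures else "ok"), failures

def _event(published, event_type, result, reason, txn, app="AWS Account Federation"):
    return {"published": published, "eventType": event_type,
            "outcome": {"result": result, "reason": reason},
            "transaction": {"id": txn},
            "target": [{"type": "AppInstance", "displayName": app}]}

# Constructed sample events (not real log data); the second event type is a placeholder.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:05.000Z", IMPORT_EVENT, "SUCCESS", None, "txn-constructed-1"),
    _event("2024-01-01T10:00:07.000Z", "placeholder.related.event", "FAILURE",
           "constructed failure reason", "txn-constructed-1"),
    _event("2024-01-01T10:00:09.000Z", IMPORT_EVENT, "SUCCESS", None,
           "txn-constructed-2", app="Other App"),
]
REFRESH = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_import(SAMPLE_EVENTS, "AWS Account Federation", REFRESH))
```

A "no-import-event" or "failed" status corresponds to the case in the final step, where the API connection should be tested.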
