Inbound Security Assertion Markup Language (SAML) Just-In-Time (JIT) provisioning removes users from Okta groups if those groups are not present in the SAML assertion during a full sync. Selecting the Full sync option triggers this behavior even for groups not managed by the Identity Provider (IdP). This occurs when a user belongs to an Okta group that does not match the values specified in the SAML attribute name field.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Inbound Security Assertion Markup Language (SAML)
- Just-In-Time (JIT) Provisioning
The Full sync setting in the SAML IdP configuration enforces strict membership matching. If the SAML assertion does not include a specific group, Okta removes the user from that group to ensure the Okta profile matches the IdP assertion.
The following steps describe how to adjust the Identity Provider settings to maintain group memberships:
- Access the Okta Admin Console.
- Go to Security > Identity Providers.
- Locate the specific SAML IdP and select Actions > Configure Identity Provider.
- Click Edit and locate the Group Assignments section.
- Choose Add instead of Full sync to ensure Okta adds users to groups without removing them from existing memberships.
- Select Save.
NOTE: The Add option prevents the removal of users from groups.
Alternatively, utilize the following method to manage groups without direct IdP assignment:
- Set the Group Assignments attribute to None within the IdP configuration.
- Navigate to Directory > Groups > Rules.
- Create a Group Rule to automatically assign users to the desired Okta groups based on their attributes.
