When users log into an Okta org via an OpenID Connect (OIDC) External Identity Provider, only some standard attributes are mapped over from the Identity Provider (IdP) into Okta (for example: First Name, Last Name, Email). This article describes how to map additional attributes from the user's profile at their IdP into their Okta User Profile.
When users authenticate into Okta through a custom OpenID Connect (OIDC) Identity Provider (IdP), any custom or non-standard attributes originating from this IdP will not be available within Okta until they have been mapped.
To bring custom or non-standard attributes from a user's profile at their IdP into Okta, add the attributes to the Application User Profile (in this case, the profile for the IdP in question) and configure Profile Mappings from that Application User Profile into the Okta User Profile. Once an attribute exists in the Okta User Profile, it can be mapped onward to other applications within the Okta org as needed.
When using an OIDC Identity Provider, Okta will look for user attributes in one of two places: in the response from the Userinfo endpoint or within the ID Token payload.
If Okta is provided with a Userinfo endpoint when configuring the Identity Provider in Okta, Okta will only check for user attributes in its response and not the ID Token. Conversely, if a Userinfo endpoint is not provided, Okta will rely on the ID Token payload instead.
This means the OIDC IdP must satisfy one of the following for the mapping to work:
- the claim is present in the ID Token and a Userinfo endpoint is NOT configured for the IdP
- the claim is present in the Userinfo response and a Userinfo endpoint IS configured for the IdP
- the claim is present in both the ID Token and the Userinfo response, so Okta finds it whichever source it reads
If the setup matches one of the options above, the next step is to add an attribute to the IdP User Profile with its External name set to the exact name of the claim as it appears in the ID Token or Userinfo response (claim names are case-sensitive JSON keys), and then map it from the IdP User Profile into the Okta User Profile. Once it is in the Okta User Profile, the attribute is accessible in Application User Profiles or in a Custom Claim.
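The following is an added example, not code from the original article or from Okta: it models the lookup rule described above so the failure mode can be checked before touching Profile Editor. A constructed, unsigned ID token and Userinfo response stand in for a real IdP (the issuer, subject and client ID are placeholders). The point of `resolve_claim` is the diagnosis it returns when the claim is present somewhere but not in the source Okta actually reads.

```python
import base64
import json

# Constructed example (not Okta's code): models where Okta looks for an IdP claim.
# The token below is built in place with a placeholder header and signature so the
# script runs offline; it is not a real signed ID token.

def _b64url_json(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_ID_TOKEN = ".".join([
    _b64url_json({"alg": "RS256", "typ": "JWT"}),
    _b64url_json({
        "iss": "https://idp.example.com",   # hypothetical IdP issuer
        "sub": "1234567890",
        "aud": "okta-client-id",            # placeholder client ID
        "email": "jane@example.com",
        "given_name": "Jane",
        "family_name": "Doe",
        "favorite_ice_cream": "pistachio",  # the custom claim the article maps
    }),
    "placeholder-signature",
])

# Constructed Userinfo response from the same IdP: standard claims only, no custom claim.
SAMPLE_USERINFO = {
    "sub": "1234567890",
    "email": "jane@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}


def id_token_claims(id_token):
    """Decode the payload segment of a compact JWT. No signature check: this is only
    an inspection helper for confirming which claims the IdP actually emits."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_claim(claim, id_token, userinfo, userinfo_endpoint_configured):
    """Return (value, source) as Okta would see it, following the article's rule:
    with a Userinfo endpoint configured Okta reads only the Userinfo response,
    otherwise only the ID Token payload. On a miss, source explains why."""
    token_claims = id_token_claims(id_token)
    if userinfo_endpoint_configured:
        source, name = (userinfo or {}), "userinfo"
    else:
        source, name = token_claims, "id_token"
    if claim in source:
        return source[claim], name
    if userinfo_endpoint_configured and claim in token_claims:
        return None, "claim only in ID Token; Okta reads Userinfo because an endpoint is configured"
    if not userinfo_endpoint_configured and userinfo and claim in userinfo:
        return None, "claim only in Userinfo; Okta reads the ID Token because no endpoint is configured"
    return None, "claim absent from the source Okta reads"


if __name__ == "__main__":
    for configured in (False, True):
        print("userinfo endpoint configured:", configured,
              resolve_claim("favorite_ice_cream", SAMPLE_ID_TOKEN, SAMPLE_USERINFO, configured))
```

Run it with an ID token and Userinfo body captured from the IdP (for example from a browser's network tab or the IdP's test console) to confirm the claim is in the place Okta will look; if the diagnosis says the claim is only in the ID Token, either have the IdP add it to Userinfo or leave the Userinfo endpoint blank in the IdP configuration in Okta.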
For example, suppose an OIDC IdP includes a favorite_ice_cream claim in its Userinfo response. The attribute is added to the receiving Okta org with the following setup:
- In Profile Editor, navigate to the profile for the OIDC IdP and click Add Attribute to add a new custom attribute with its External name set to favorite_ice_cream (for convenience, use favorite_ice_cream as the Variable name as well)
- In Profile Editor, navigate to the Okta Profile, and click Add Attribute to add a matching custom attribute (again, using the same Variable name of favorite_ice_cream)
- Next, configure a Mapping from the IdP User Profile to the Okta User Profile so that this value is mapped over (the expression appuser.favorite_ice_cream mapped to the Okta attribute favorite_ice_cream)
From here, the value can be mapped from the Okta User Profile into an Application User Profile, or referenced in a custom claim with the expression user.favorite_ice_cream
NOTE: For these attributes to be updated on both user creation AND subsequent logins, the Identity Provider will need to be configured as a Profile Source. Without that, the mapping populates the attribute when the user is created but does not refresh it when the value changes at the IdP.
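As an added illustration (not Okta's code), the script below is a small model of the two mapping hops and the Profile Source behaviour from the steps above: IdP user profile attributes are read with appuser.<attr> expressions into an Okta user profile, and the custom claim reads user.<attr> from that profile. The IdP profiles, the mapping table and the login logic are constructed for this example; the real org keeps profiles and mappings in Profile Editor, not in a dict.

```python
# Constructed example (not Okta's code): a simplified model of the plumbing described
# above, so the effect of the Profile Source setting can be seen end to end.
# Expression syntax mirrors Okta's: appuser.<attr> reads the IdP user profile,
# user.<attr> reads the Okta user profile. Attribute and mapping names are assumptions.

IDP_TO_OKTA_MAPPING = {
    # Okta user profile attribute : expression over the IdP user profile
    "login": "appuser.email",
    "email": "appuser.email",
    "firstName": "appuser.given_name",
    "lastName": "appuser.family_name",
    "favorite_ice_cream": "appuser.favorite_ice_cream",  # custom attribute added in Profile Editor
}


def evaluate(expression, profile, namespace):
    """Resolve a '<namespace>.<attr>' expression against a profile dict."""
    prefix, _, attr = expression.partition(".")
    if prefix != namespace or not attr:
        raise ValueError(f"expected {namespace}.<attribute>, got {expression!r}")
    return profile.get(attr)


def apply_mapping(mapping, appuser):
    """Build the Okta user profile values produced by the IdP -> Okta mapping."""
    return {okta_attr: evaluate(expr, appuser, "appuser") for okta_attr, expr in mapping.items()}


class OktaOrg:
    """Minimal stand-in for the org: holds Okta user profiles keyed by login."""

    def __init__(self, idp_is_profile_source):
        self.idp_is_profile_source = idp_is_profile_source
        self.users = {}

    def idp_login(self, appuser):
        """JIT flow: the mapping runs on creation; on later logins it runs only
        when the IdP is a Profile Source (the article's NOTE)."""
        mapped = apply_mapping(IDP_TO_OKTA_MAPPING, appuser)
        login = mapped["login"]
        if login not in self.users:
            self.users[login] = mapped
            return "created"
        if self.idp_is_profile_source:
            self.users[login].update(mapped)
            return "updated"
        return "unchanged"

    def custom_claim(self, login, expression):
        """Value a custom claim such as user.favorite_ice_cream would carry."""
        return evaluate(expression, self.users[login], "user")


# Constructed IdP user profiles for two logins by the same person, with the
# custom attribute changed at the IdP between them.
FIRST_LOGIN = {"email": "jane@example.com", "given_name": "Jane",
               "family_name": "Doe", "favorite_ice_cream": "pistachio"}
SECOND_LOGIN = dict(FIRST_LOGIN, favorite_ice_cream="mint")


def run_scenario(idp_is_profile_source):
    """Return (first login result, second login result, claim value after the second login)."""
    org = OktaOrg(idp_is_profile_source)
    first = org.idp_login(FIRST_LOGIN)
    second = org.idp_login(SECOND_LOGIN)
    return first, second, org.custom_claim("jane@example.com", "user.favorite_ice_cream")


if __name__ == "__main__":
    print("IdP not a profile source:", run_scenario(False))
    print("IdP is a profile source:  ", run_scenario(True))
```

The stale "pistachio" value in the first scenario is exactly what an administrator sees when the IdP is not a Profile Source: the attribute appears correct for new users, and only drifts for users who already existed when the mapping was added or whose value later changed at the IdP.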
