Okta Inbound SAML JIT Fails for Microsoft Entra ID
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

Just-in-time Provisioning (JIT) fails for Microsoft Entra ID, formerly Azure Active Directory (AAD), or Active Directory Federation Services Identity Provider (ADFS IdP) during inbound Security Assertion Markup Language (SAML) flow.

Applies To
  • Inbound Security Assertion Markup Language (SAML)
  • Active Directory Federation Services (ADFS)
  • Microsoft Entra ID, formerly Azure Active Directory
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

Some required attributes are missing from the IdP profile.

Solution

Ensure the Okta required attributes login, email, firstName, and lastName are being saved to the IdP profile.

  1. Navigate to the Okta Admin Console > Security > Identity Providers.
  2. Click Configure > Edit Profile for the respective IdP.
  3. Create a Custom attribute and provide the Display name and Variable name. For the External name, add the attribute name sent by the IdP (for example, AAD sends firstName as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname). See the example below:
[Screenshot: Add attribute]

  4. Repeat for each required attribute (for example, LastName, Email, and Login).
  5. Click Mappings.
  6. Map each custom attribute to its respective Okta attribute.

The above works for any inbound SAML IdP as long as the attribute names configured as External names are actually sent in the SAML assertion. Verify them either with a SAML trace or in the IdP product's documentation.
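As an added example (not Okta's own code), the following script performs the SAML-trace check described above: it parses a decoded assertion and reports which of the four Okta-required JIT attributes have no matching attribute in the AttributeStatement. The Entra ID claim URIs other than givenname are assumed defaults, and the assertion is constructed; confirm the exact External names against your own trace.

```python
# Added example (not Okta's own code): parse a decoded SAML assertion and report
# which Okta-required JIT attributes (login, email, firstName, lastName) have no
# matching Attribute in the AttributeStatement. Claim URIs are assumed Entra ID
# defaults; the givenname URI is the one quoted in the article.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Okta attribute -> External name expected in the assertion (assumed defaults).
REQUIRED_EXTERNAL_NAMES = {
    "firstName": CLAIMS + "givenname",
    "lastName": CLAIMS + "surname",
    "email": CLAIMS + "emailaddress",
    "login": CLAIMS + "name",
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Attribute Name: first AttributeValue text}; root may be a
    samlp:Response or a bare saml:Assertion, since the search is recursive."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        found[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return found


def missing_for_jit(assertion_xml: str, required=REQUIRED_EXTERNAL_NAMES) -> list:
    """Okta attributes whose External name is absent or empty in the assertion."""
    present = extract_attributes(assertion_xml)
    return sorted(okta for okta, ext in required.items() if not present.get(ext))


# Constructed sample: the IdP sent givenname and emailaddress but not surname or name,
# which is exactly the situation that makes JIT provisioning fail.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("Missing for JIT:", missing_for_jit(SAMPLE_ASSERTION))  # ['lastName', 'login']
```

Paste the base64-decoded assertion from your SAML trace in place of SAMPLE_ASSERTION; any name the script reports as missing must be added on the IdP side or corrected in the External name of the Okta custom attribute.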
