<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base

Salesforce Profile Push Fails in Okta Due to License Mismatch

Last Updated:

Okta Classic Engine
Okta Identity Engine
Lifecycle Management

Overview

A profile push to Salesforce fails when Okta attempts to assign a profile that is incompatible with the current Salesforce license. Verifying the license and profile compatibility in Salesforce, updating the Okta profile mapping, and retrying the provisioning task resolves the issue. When this mismatch occurs, Okta generates the following error message:

 

Automatic profile push of user <user> to app Salesforce.com failed: User's Profile can't be set to 'Identity User' because it's derived from a license that doesn't require the following permission(s): ChatterinternalUser. Select a different profile.

 

Saleforce Provisioning Error  

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Salesforce
  • Provisioning

Cause

Okta attempts to assign a Salesforce profile that is incompatible with the current Salesforce license. Specifically, the license type lacks the ChatterInternalUser permission required by the Identity User profile.

Solution

How is the Salesforce profile push error resolved?

Resolve the profile push error by verifying the license compatibility in Salesforce, updating the profile mapping in the Okta Admin Console, and retrying the provisioning task.

  1. Verify License-Profile Compatibility in Salesforce

    1. In Salesforce, confirm that the "Identity User" profile is supported by the license type assigned to the user.
    2. If not, either change the user's license in Salesforce to one that supports the "Identity User" profile or select a different profile that matches the user's existing license.

  2. Review Okta Profile Mapping

    1. In the Okta Admin Console, open the Salesforce app integration and review the Profile and License mappings under the Provisioning tab.
    2. Ensure that the profile assigned through Okta corresponds to a valid license type in Salesforce.

  3. Retry Provisioning After Correction

    • Once the license-profile alignment is corrected, go to Dashboard > Tasks in Okta and click Retry Selected for the failed provisioning tasks.

  4. Optional: Disable Profile Push (if SSO-only access is sufficient)

    • If provisioning is not required and users only need SSO access, the Update User Attributes option can be disabled for profile or user attribute pushes in the Provisioning > To App settings.
    • This prevents Okta from attempting to update Salesforce user profiles, thereby avoiding these specific provisioning errors.

NOTE: Okta does not support suppressing these errors while keeping provisioning active. Administrators must resolve the underlying license mismatch in Salesforce.

Recommended content

Still looking for help?
Loading
Okta Support - Salesforce Profile Push Fails in Okta Due to License Mismatch