When provisioning an Okta user to Active Directory (AD) through a provisioning group, the task fails with a constraint violation error. This occurs when the target attribute value does not match the expected format or length in the downstream application. Resolve this issue by correcting the attribute value to meet the AD schema requirements and reassigning the user to the provisioning group.
When the write to AD fails, Okta records the error in the System Log and in the Okta AD Agent log of the agent that attempted the task. For example, if a user fails provisioning to AD, the Okta System Log displays a constraint violation error.
The Okta AD Agent log provides further details regarding the specific constraint violation error.
2025/01/29 13:36:40.962-06:00 Error -- <SERVER_HOSTNAME>(5) -- DirectoryServicesCOMException: A constraint violation occurred.
ErrorCode=8007202F; ExtendedError=00002082, ExtendedErrorMessage=00002082: AtrErr: DSID-03151F1B, #1:
0: 00002082: DSID-03151F1B, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 2008d (department):len 132
2025/01/29 13:36:40.962-06:00 Error -- <SERVER_HOSTNAME>(5) -- Error processing WRITE_OBJECT action rpc::<OKTA_INTERNAL_SERVER>//<EVENT_NUMBER>//<TRANSACTION_ID>:<POLL_ID>:
2025/01/29 13:36:40.962-06:00 Info -- <SERVER_HOSTNAME> at System.DirectoryServices.DirectoryEntry.CommitChanges()
at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message A constraint violation occurred.
Source=System.DirectoryServices InnerException=.
In the entry above, the AD Agent log identifies the offending attribute as "department". Active Directory does not return this detail, including the specific attribute, to Okta, so it appears only in the agent log and not in the System Log.
NOTE: The examples shown in this article do not represent all possible constraint violation errors or offending attributes.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD)
- Provisioning
Constraint violations occur during provisioning when the target attribute value does not meet the requirements of the attribute in the downstream application. The cause of a constraint violation must be reviewed on a case-by-case basis. In the provided example, the value that Okta writes to the AD "department" attribute exceeds the maximum allowed length defined by the AD schema.
How is a constraint violation resolved during Active Directory provisioning?
Correct the offending attribute value to meet the Active Directory schema requirements, unassign the user to clear the cached profile, and reassign the user to the provisioning group to push the update downstream.
- Determine the requirements for the offending attribute in Active Directory, and modify the pushed value in Okta to meet them. In the example of the department attribute value exceeding the maximum attribute length, rewrite the attribute value or use an expression for the application mapping: String.substring(user.attribute, 0, N), where N = maximum length - 1.
- Unassign the user from the provisioning group to automatically unassign the application and remove the provisioning task.
- Reassign the user to the provisioning group to create a fresh profile with the acceptable attributes and push the update downstream to the application.
NOTE: To address any provisioning task error for Active Directory domains, remove the user from the provisioning group to clear the provisioning task. If the user is not removed, Okta cannot clear the cached application user profile and does not attempt the write to Active Directory again.
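As an added example that is not part of the Okta article and not Okta's own tooling, the PowerShell below ties the cause and the fix together: it parses a constructed agent-log line of the shape shown above to recover the offending attribute and the reported length, reads that attribute's rangeUpper from the AD schema, and prints the String.substring mapping expression from the steps above when the value is too long. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the schema partition, and that the Okta profile attribute name matches the AD lDAPDisplayName (here, department).

```powershell
# Added example (not from the Okta article). Given an Okta AD Agent log line that
# reports CONSTRAINT_ATT_TYPE, extract the offending attribute and reported length,
# look up the attribute's rangeUpper in the AD schema, and print the Okta mapping
# expression that would fit the value. Assumes RSAT ActiveDirectory on a
# domain-joined host.

# Constructed sample line, modelled on the article's log excerpt.
$logLine = '0: 00002082: DSID-03151F1B, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 2008d (department):len 132'

function Get-ConstraintViolationDetail {
    param([Parameter(Mandatory)][string]$Line)
    # Captures the lDAPDisplayName in parentheses and the length the agent reported.
    if ($Line -match 'CONSTRAINT_ATT_TYPE.*Att\s+[0-9a-fA-F]+\s+\(([^)]+)\):len\s+(\d+)') {
        return [pscustomobject]@{ Attribute = $Matches[1]; ReportedLength = [int]$Matches[2] }
    }
    return $null
}

function Get-AdAttributeRange {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, rangeLower, rangeUpper, attributeSyntax
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }
    return $attr
}

$detail = Get-ConstraintViolationDetail -Line $logLine
if (-not $detail) { Write-Warning 'No CONSTRAINT_ATT_TYPE entry found in the supplied line.'; return }

$schemaAttr = Get-AdAttributeRange -LdapDisplayName $detail.Attribute
$max = $schemaAttr.rangeUpper   # $null when the schema defines no upper bound

"Attribute    : $($detail.Attribute)"
"Reported len : $($detail.ReportedLength)"
"Schema max   : $(if ($null -ne $max) { $max } else { '(no rangeUpper defined)' })"

if ($null -ne $max -and $detail.ReportedLength -gt $max) {
    # Article guidance: String.substring(user.attribute, 0, N) with N = maximum length - 1.
    # Assumes the Okta profile attribute carries the same name as the AD attribute.
    $n = $max - 1
    'Value exceeds the schema limit. Candidate Okta application mapping expression:'
    "  String.substring(user.$($detail.Attribute), 0, $n)"
} else {
    # Length fits, so the violation comes from another rule (syntax, single-valued, etc.).
    "Length is within the schema limit; review attributeSyntax $($schemaAttr.attributeSyntax) and other schema rules for this attribute."
}
```

Run it on a host with the ActiveDirectory module after replacing $logLine with the line from the agent log; the rangeUpper lookup is what turns the agent's "len 132" into a concrete target, and the printed expression is the truncation mapping to apply before reassigning the user to the provisioning group.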
