"Unknown Profile Attribute" Error while Sending Custom Attributes Over a SAML Assertion
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article covers sending custom attributes over a Security Assertion Markup Language (SAML) assertion from the hub org to the spoke org in an Org2Org federation.

With Org2Org already configured and working, the custom attribute is added to the IdP profile as follows:

  1. In the Admin Console, go to Security > Identity Providers.
  2. Select the IdP used for the Org2Org federation.
  3. Select Edit profile and mappings.
  4. Select Add Attribute and enter the custom attribute that needs to be created.

After these steps, a user attempts to sign in to the spoke org. The sign-in fails, and the following event is found in the System Log:

eventType eq "user.authentication.auth_via_IDP" and legacyEventType eq "core.user_auth.idp.saml.unknown_profile_attribute"

The event shows Unknown Profile Attribute, and a schema mismatch is also observed.

Applies To
  • Org2Org
  • Security Assertion Markup Language (SAML)
Cause

The external name is not set on the custom attribute(s). The attribute name carried in the SAML assertion therefore matches nothing in the IdP profile schema, which produces the schema mismatch and the Unknown Profile Attribute error in the System Log.

  • This error can appear in several different use cases. For example, an admin may have created the custom attributes with Terraform, one of the Okta SDKs, or a direct API call rather than through the Admin Console.
  • The System Log entry referenced here is for a test attribute that must be created in the Profile Editor on the target org.

(System Log screenshot)

  • This use case applies to Okta Identity Engine (OIE) but can also occur in Classic Engine. An Org2Org setup is not required for the error to occur, and the solution is the same in either case.
  • The usual cause is that the external name of the custom attribute(s) was never set. When an attribute is added to the IdP profile in the Admin Console, the External name field is shown and is auto-populated with whatever is entered in the Variable name field; it can be edited on that screen before saving. Once the attribute has been saved without an external name, the external name cannot be edited in the UI afterward. When the attribute is created through the API, the external name is set only if it is included in the request payload.

(Add Attribute screenshot)

Solution

Set the external name on the custom attribute(s) through the API. This has to be done with whichever tool manages the schema, for example Terraform or a direct API call, because the Admin Console does not allow the external name to be edited after the attribute is saved. To correct the attribute from the Admin Console instead, delete it and add it again, making sure the External name field is filled in. If an external name is already set, verify that it exactly matches the attribute name in the SAML assertion: a misspelling or a difference in letter case also produces this error.
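The following is an added example, not code from Okta or from this article. It demonstrates the two points above in one place: building a schema update in the shape the Okta Schemas API accepts, where the external name is set only when `externalName` is present in the payload, and checking a SAML assertion's attribute names against the schema so that a missing external name or a case mismatch (for example `costcenter` versus `costCenter`) is caught before the System Log reports Unknown Profile Attribute. The sample assertion is constructed for the example. The endpoint used by `push_schema_update` (the app user schema of the IdP's app instance, `/api/v1/meta/schemas/apps/{appId}/default`) and the use of an SSWS API token are assumptions; verify both against the Okta API reference for your org before running it.

```python
"""Check an IdP profile schema for missing external names and find assertion
attributes that fail to match them (added example; not Okta's own code)."""
import json
import urllib.request
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_schema_update(attributes):
    """Build a Schemas API payload for custom string attributes.

    `attributes` maps variable name -> external name (or None). The externalName
    key is only emitted when a value is supplied, mirroring the failure mode in
    the article: omit it from the payload and the attribute has no external name.
    """
    properties = {}
    for name, external_name in attributes.items():
        prop = {"title": name, "type": "string", "scope": "NONE"}
        if external_name is not None:
            prop["externalName"] = external_name
        properties[name] = prop
    return {"definitions": {"custom": {"id": "#custom", "type": "object",
                                         "properties": properties, "required": []}}}


def missing_external_names(schema):
    """Return the custom property names that carry no externalName."""
    props = schema["definitions"]["custom"]["properties"]
    return sorted(name for name, prop in props.items() if not prop.get("externalName"))


def unmatched_assertion_attributes(assertion_xml, schema):
    """Return {assertion attribute Name: hint} for every attribute in the
    AttributeStatement that matches no externalName exactly. The hint is the
    property whose externalName matches case-insensitively (a case mismatch),
    or None when nothing matches at all (external name missing or misspelled)."""
    props = schema["definitions"]["custom"]["properties"]
    exact = {p["externalName"] for p in props.values() if p.get("externalName")}
    folded = {p["externalName"].lower(): n for n, p in props.items() if p.get("externalName")}
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        name = attr.get("Name")
        if name not in exact:
            result[name] = folded.get(name.lower())
    return result


def push_schema_update(org_url, api_token, app_id, schema):
    """POST the payload to the (assumed) app user schema endpoint of the IdP's
    app instance, authenticating with an (assumed) SSWS API token."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/meta/schemas/apps/{app_id}/default",
        data=json.dumps(schema).encode(), method="POST",
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample assertion fragment with three custom attributes.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="department"><saml2:AttributeValue>Security</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="costCenter"><saml2:AttributeValue>4711</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="employeeType"><saml2:AttributeValue>FTE</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Broken schema: wrong case on one external name, none at all on another.
BROKEN = build_schema_update({"department": "department", "costCenter": "costcenter", "employeeType": None})
# Corrected schema: every external name matches the assertion exactly.
FIXED = build_schema_update({"department": "department", "costCenter": "costCenter", "employeeType": "employeeType"})

if __name__ == "__main__":
    print(missing_external_names(BROKEN))
    print(unmatched_assertion_attributes(SAMPLE_ASSERTION, BROKEN))
    print(unmatched_assertion_attributes(SAMPLE_ASSERTION, FIXED))
```

Run the two checks against the schema you are about to push (or against a schema fetched with a GET to the same endpoint) and the decoded assertion from a failing sign-in; an empty result from `unmatched_assertion_attributes` means every assertion attribute has an exactly matching external name.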
