An application has been configured as a profile source, and imports are being run from this application into Okta. Attributes on the AppUser profile are correct, but these attributes are not reflected on the Okta user profiles.
- Profile Sourcing
- Provisioning
- Okta Integration Network (OIN)
- Universal Directory
- Lifecycle Management
- User profiles and attributes
- Imports
Okta performs validation for attributes on the Okta user profile. If the attribute values coming in from the profile source do not successfully validate, the entire profile update will fail for the user in question. Common reasons for failed profile updates can include:
- The Okta Username (user.login) is already in use by another Okta User profile.
- The mapped value for the username attribute is not in an email format or otherwise contains errors (such as a space in the email).
- The mapped value for the locale attribute is not in the correct locale format (for example, the correct format is en_US).
- The mapped value for the timezone attribute is not in the correct format (for example, the correct format is America/Denver).
- A length restriction has been configured on an Okta user profile attribute, and the mapped attribute is either too long or too short.
- A null value is being passed to a required Okta attribute (username, email, first name, or last name). As these attributes are required, a null value does not meet validation, and an error occurs.
In the Okta System Logs, use the following log query to identify profile update attempts that failed due to validation errors. This System Log query is below. This query will list all users with profile updates that failed from a configured profile source:
eventType eq "app.user_management.update_from_master_failed"
Expand a specific event and review the DebugData section. This section contains the ErrorCode, which identifies the reason for the failed profile update, and the ErrorField, which identifies the attribute that caused the error. Some examples are listed below.
notUniqueWithinOrg- The profile update failed because the attempted username update conflicted with another Okta User profile that already has this username. The Okta username (user.login) must be unique across all Okta User profiles in the org.
platform.cvd.profile.property.constraint.violation.required- The profile update failed because a required attribute on the Okta user's profile is not present. It is possible that a null value is being passed into this attribute when it is required.
invalidLoginEmail- The profile update failed because the attribute being passed to the Okta user's login attribute was not in the correct email format.
platform.cvd.profile.property.constraint.violation.maxLength- The profile update failed because the attribute being passed to the Okta user profile did not meet the length restriction and was too long.
platform.cvd.profile.property.constraint.violation.timezone- The profile update failed because the attribute being mapped from the profile source to the Okta user's timezone attribute is not in the correct format. Okta timezones must be in the TZ timezone format.
platform.cvd.profile.property.constraint.violation.localeFormat- The profile update failed because the attribute being mapped from the profile source to the Okta user's locale attribute is not in the correct format. Valid values for the "locale" attribute are a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 2 letter country code. For example,
en_USis a valid locale format.
- The profile update failed because the attribute being mapped from the profile source to the Okta user's locale attribute is not in the correct format. Valid values for the "locale" attribute are a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 2 letter country code. For example,
To resolve this issue, review the attribute values that are coming in from the profile source and the mappings on the Okta Profile Editor and correct any potential misconfigurations in the Okta Org, the Profile Editor, the OIN application settings, or on the application side itself.
After fixing any issues, run another import and monitor for any additional errors, and check to see if the profile update completed successfully.
If attribute errors are observed in the Profile Editor and there are no observed logged error events after completing an import, request a Force Sync in the To Okta section of the Provisioning tab for the profile source integration to reconcile the profile mappings from the AppUser profile to the Okta User profile.
