Integrations

  1. Issue Summary

    We are setting up single sign-on (SSO) for an AWS application using the Okta AWS Account Federation app via SAML 2.0, but the SAML assertions are failing. There are two primary issues:

    1. Role Mapping Failure: The Role attribute is sending the raw variable string appuser.idpRolePairs instead of resolving into the actual AWS Role/Provider ARN pair.
    2. Malformed Recipient URL: The Recipient URL is generating as https://signin..com/saml (missing aws), despite the ACS URL being explicitly set to the standard AWS sign-in endpoint.

     

    We need guidance on fixing the attribute mapping behavior and getting Okta to successfully resolve the AWS roles.

     

    Full Details

     

    Hi everyone,

     

    We need assistance with configuring Okta AWS Account Federation for AWS / Amazon Quick Desktop SSO.

    We are trying to configure Okta as the identity provider for AWS federation so users can access the application through SSO.

    Current setup details:

    • Okta tenant: https://[YOUR_OKTA_TENANT].okta.com
    • AWS Account ID: [AWS_ACCOUNT_ID]
    • AWS IAM SAML Provider ARN: arn:aws:iam::[AWS_ACCOUNT_ID]:saml-provider/Okta
    • AWS IAM Federation Role ARN: arn:aws:iam::[AWS_ACCOUNT_ID]:role/OktaQuickFederationRole
    • Okta application: AWS Account Federation / Amazon Quick
    • Test user: [USER_EMAIL]

    We have already completed the following:

    1. Created an Okta AWS Account Federation application using SAML 2.0.
    2. Created an AWS IAM SAML identity provider named “Okta” using Okta metadata.
    3. Created an AWS IAM role named “OktaQuickFederationRole”.
    4. Updated the IAM role trust relationship to allow AssumeRoleWithSAML from the Okta SAML provider.
    5. Added the Identity Provider ARN in Okta Advanced Sign-on Settings: arn:aws:iam::[AWS_ACCOUNT_ID]:saml-provider/Okta
    6. Set AWS Environment to Regular AWS.
    7. Set ACS URL to: https://signin.aws.amazon.com/saml
    8. Enabled “Join all roles”.
    9. Assigned the test user/group to the Okta AWS Account Federation app.

    The IAM role trust policy currently looks like this:

    JSON

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::[AWS_ACCOUNT_ID]:saml-provider/Okta"
          },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": {
            "StringEquals": {
              "SAML:aud": "https://signin.aws.amazon.com/saml"
            }
          }
        }
      ]
    }

    However, the SAML assertion generated by Okta is still not correct.

    Current incorrect SAML output from Okta preview:

    Expected SAML output should be:

     

    Because the Role attribute is not resolving to the real AWS role/provider ARN pair, AWS rejects the login with an invalid SAML response error.

     

    The main issue seems to be that Okta is not resolving appuser.idpRolePairs into the actual AWS role pair. Also, the Recipient URL is malformed as https://signin..com/saml, even though we selected Regular AWS and set the ACS URL to https://signin.aws.amazon.com/saml.

     

    Can you please help us confirm the correct configuration for the Okta AWS Account Federation app so that:

    Please also confirm whether we should use role import/provisioning, group mapping, or direct assignment for this AWS Account Federation app to ensure the attributes map dynamically.

    Regards,

     

    • Paul S. (Okta, Inc.)

      Hello @MuneebA.78958 (Customer), thank you for posting on our Community page!

       

      From all the information you provided, the only thing that I currently see that might be a potential mistake seems to be the ACS URL, which should be left blank.

      In Okta you only need to add the Identity Provider ARN and for the ACS URL you should leave that blank.

       

      The root cause of the Role attribute showing the raw string appuser.idpRolePairs and the RoleSessionName showing userName is typically a misconfiguration in either the SAML Attribute Statements or, more commonly, the user/group assignment profile within the Okta application.

      Role Mapping (appuser.idpRolePairs not resolving)

       

      The field appuser.idpRolePairs is an internal attribute that is expected to be resolved when a user or group is assigned a role in the application profile. When it appears raw in the SAML assertion, it means the assigned value is missing.

       

      Action to Confirm:

      • Navigate to the Assignments tab for the "AWS Account Federation / Amazon Quick" app.
      • Find the test user or group assigned. Click the pencil icon to edit the assignment.
      • In the assignment profile, confirm that the SAML Role field is explicitly set to the concatenation of the AWS Role ARN and the SAML Provider ARN, separated by a comma, which is the required AWS format.

       

       

      Thank you for reaching out to our Community and have a great day!

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

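An added check, not code from the thread or from Okta, that parses an assertion in the shape Okta's SAML preview shows and reports what AWS would reject it for: the unresolved Role value and the wrong Recipient from the question, plus the Audience (the trust policy's SAML:aud) and the RoleSessionName. The assertion is constructed and unsigned, and the ARNs use a placeholder account number.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SIGNIN = "https://signin.aws.amazon.com/saml"  # ACS URL and SAML:aud value from the thread
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS expects "<role ARN>,<saml-provider ARN>"; both ARNs must belong to the same account.
ROLE_PAIR = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+,arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def build_assertion(recipient: str, role_value: str, session_name: str) -> str:
    """Constructed, unsigned assertion in the shape Okta's SAML preview shows (example data only)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AWS_SIGNIN}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{role_value}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> list[str]:
    """Return the problems AWS would reject this assertion for; an empty list means it looks right."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != AWS_SIGNIN:  # the malformed "https://signin..com/saml" lands here
        problems.append(f"Recipient is {recipient!r}, expected {AWS_SIGNIN!r}")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != AWS_SIGNIN:
        problems.append(f"Audience {audience!r} will fail the trust policy's SAML:aud condition")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    roles = attrs.get(ROLE_ATTR) or []
    if not roles:
        problems.append("Role attribute is missing")
    for value in roles:
        m = ROLE_PAIR.match(value)
        if not m:  # e.g. the unresolved template string "appuser.idpRolePairs"
            problems.append(f"Role value {value!r} is not '<role ARN>,<provider ARN>'")
        elif m.group(1) != m.group(2):
            problems.append(f"Role value {value!r} pairs ARNs from two different accounts")
    session = (attrs.get(SESSION_ATTR) or [""])[0]
    if not session or session == "userName":  # literal template name, not a resolved user
        problems.append(f"RoleSessionName {session!r} is not a resolved user identifier")
    return problems
```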

  2. My company is using the GitHub Enterprise Managed User app to make developers' managed GitHub accounts (here's the app link: https://www.okta.com/integrations/github-enterprise-managed-user/).

    But lately we can't make any more accounts through provisioning.

    We've already made 3 accounts through provisioning. However, it doesn't work anymore.

    Here's what I've checked already.

    1. App setting -> Provisioning -> Create Users: enabled (screenshot)
    2. Accounts that were created through provisioning before (screenshot)
    3. System logs: adding a new account produces a log entry, provisioning doesn't (probably never happens).

     

    Could someone help us identify why new users are no longer being provisioned to GitHub Enterprise Managed Users?

     

    Specifically, we would like to know whether there is any issue with our SCIM/API token, app configuration, user assignment, or GitHub Enterprise Managed User provisioning status.

     

    Please let us know if you need any additional logs, screenshots, or configuration details from our Okta admin console.


    • Paul S. (Okta, Inc.)

      Hello @JinhaH.69195 (Customer), thank you for posting on our Community page!

       

      Based on the behavior you are describing—where the Okta System Logs show the user being assigned to the application but no provisioning logs are generated and the user never appears in GitHub—the issue usually lies in Okta silently queuing a failed task or a broken API connection that Okta has stopped attempting to push through.

      Since you've already verified that "Create Users" is enabled and past users worked, here are the most likely culprits preventing new GitHub Enterprise Managed Users (EMU) from provisioning, along with exactly what you should check:

      1. Check Okta Dashboard "Tasks" for Silent Errors

      When Okta attempts to provision a user and the downstream application (GitHub) rejects it, Okta doesn't always flag this loudly in the standard System Log. Instead, it stops attempting the sync and generates a task.

      • What to check: In the Okta Admin Console, navigate to Dashboard -> Tasks.
      • What to look for: Look for any failed provisioning tasks for your GitHub EMU application. You will likely see the exact error message here. Common errors include "License Limit Exceeded" or "Error authenticating: Forbidden".

       

      2. Expired or Invalid SCIM API Token (PAT)

      GitHub EMU requires a Personal Access Token (PAT) generated by an Enterprise Owner to power the SCIM connection. If the user who originally set up this integration had their permissions changed, left the company, or if the token was set to expire (e.g., 30 or 90 days), the SCIM connection breaks. Okta will log the assignment but won't be able to initiate the provisioning push.

      • What to check: Go to Applications -> [Your GitHub EMU App] -> Provisioning -> Integration and click Test API Credentials.
      • How to fix: If it fails, log into GitHub Enterprise as the Setup User (Enterprise Owner), go to Developer settings -> Personal access tokens, and generate a new token with the admin:enterprise scope and No expiration. Enter this new token into Okta.

       

      3. GitHub Enterprise License/Seat Limits Reached

      You mentioned you successfully provisioned exactly 3 accounts. If your current GitHub EMU billing plan or trial only has 3 available seats, GitHub will reject any new SCIM user creation requests with an HTTP 400/403 error ("The organization has no available seats").

      • What to check: Check your GitHub Enterprise billing/licensing page to ensure you have available seats for the new developers. If seats are maxed out, Okta will drop the provisioning requests into the Tasks queue.

       

      4. App Assignment Status "Red Exclamation Mark"

      If a user is assigned to an app via a group, but the provisioning fails, Okta will flag the individual assignment.

      • What to check: Go to the Assignments tab of the GitHub EMU application in Okta. Search for one of the new users. Do they have a red exclamation mark (!) next to their name? If so, click it—this will reveal the specific application error. You can also click the Provision User button manually from here to force Okta to try again and generate a fresh log.

       

       

      Thank you for reaching out to our Community and have a great day!

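An added example, not from the thread or Okta: a Python check over Okta System Log entries that separates users who were assigned to the app but never pushed (the silent case in the question) from pushes that failed with a reason (the Tasks-queue case in the answer). The log entries are constructed and trimmed to the fields the check reads; the eventType names are the ones Okta uses for app assignment and provisioning push.

```python
import json

ASSIGN = "application.user_membership.add"  # user (or group member) assigned to the app
PUSH = "application.provision.user.push"     # Okta attempted to push the user to the app

# Constructed System Log entries (not real logs), trimmed to eventType, outcome and target.
SAMPLE_LOG = """
{"eventType": "application.user_membership.add", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "dev1@example.com"}, {"type": "AppInstance", "displayName": "GitHub EMU"}]}
{"eventType": "application.provision.user.push", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "dev1@example.com"}, {"type": "AppInstance", "displayName": "GitHub EMU"}]}
{"eventType": "application.user_membership.add", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "dev4@example.com"}, {"type": "AppInstance", "displayName": "GitHub EMU"}]}
{"eventType": "application.user_membership.add", "outcome": {"result": "SUCCESS"}, "target": [{"type": "User", "alternateId": "dev5@example.com"}, {"type": "AppInstance", "displayName": "GitHub EMU"}]}
{"eventType": "application.provision.user.push", "outcome": {"result": "FAILURE", "reason": "Error authenticating: Forbidden"}, "target": [{"type": "User", "alternateId": "dev5@example.com"}, {"type": "AppInstance", "displayName": "GitHub EMU"}]}
"""


def _targets(event: dict, kind: str) -> list:
    """Target objects of one type (User, AppInstance, ...) on a log event."""
    return [t for t in event.get("target", []) if t.get("type") == kind]


def provisioning_gaps(log_lines: str, app_name: str) -> dict:
    """Per app: users assigned but never pushed, and pushes that failed with their reason."""
    assigned, pushed, failed = set(), set(), {}
    for line in log_lines.strip().splitlines():
        ev = json.loads(line)
        apps = [t.get("displayName") for t in _targets(ev, "AppInstance")]
        users = [t.get("alternateId") for t in _targets(ev, "User")]
        if app_name not in apps or not users:
            continue
        user = users[0]
        if ev["eventType"] == ASSIGN:
            assigned.add(user)
        elif ev["eventType"] == PUSH:
            pushed.add(user)
            if ev["outcome"].get("result") != "SUCCESS":
                failed[user] = ev["outcome"].get("reason", "unknown")
    # Assigned-but-never-pushed users are the ones to look for under Dashboard -> Tasks
    # or on the Assignments tab; failed pushes already carry the downstream error.
    return {"never_pushed": sorted(assigned - pushed), "push_failed": failed}
```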

  4. Hi, some customers of our integration are not able to enable SCIM user updates. The option doesn't show up for them. First is a screenshot of what they should be seeing:

    (screenshot)

    But here's what they're actually seeing (no "Update User Attributes" settings):

    (screenshot)

    This is only for a few customers. What could we do to help them?

     


    • Paul S. (Okta, Inc.)

      Hello @IvanV.46641 (Customer), thank you for posting on our Community page!

       

      This would not be the correct channel to troubleshoot this matter. If you have an application in our catalogue, we recommend reaching out to our OIN team at oin@okta.com.

       

      Thank you for reaching out to our Community and have a great day!


  6. Zendesk <-> Okta integration issue/question

    (unable to post this to the questions area for some reason)

     

    We have an issue with the Zendesk -> Okta integration where, when Okta refreshes an Agent profile (for any reason), users who are assigned multiple Orgs in Zendesk are reset back to the default set in the Okta app provisioning profile. This subsequently removes previously selected orgs from tickets, leading to significant re-work and data quality issues for reporting. To that end, I have the following questions:

     

    • Are there any plans for Okta to support multiple orgs in the Zendesk integration?
    • Is it possible to tell the integration to only push data which is updated on an Agent profile when pushing to Zendesk instead of pushing all data to the Agent profile (which does the reset)?
    • Does anyone have experience with a custom Okta app communicating with Zendesk instead of the built-in one?

     

    Thank you all!


    • Paul S. (Okta, Inc.)

      Hello @MosherS.00203 (Customer), thank you for posting on our Community page!

       

      • Are there any plans for Okta to support multiple orgs in the Zendesk integration?

      I have checked this but I was unable to find any specific data about it. Nothing to indicate this on a road map.

      • Is it possible to tell the integration to only push data which is updated on an Agent profile when pushing to Zendesk instead of pushing all data to the Agent profile (which does the reset)?

      You can remove attributes from the Provisioning table, but this will apply to all users. At this time provisioning will be all or nothing.

      • Does anyone have experience with a custom Okta app communicating with Zendesk instead of the built-in one?

      To create a custom application with Provisioning for Zendesk you might need to work with both Okta Support and Zendesk Support to see if this is possible and to see if this can be done.

      I would recommend opening a case with Okta Support and discussing with an Okta engineer to see if there are other options here.

       

      Thank you for reaching out to our Community and have a great day!


  7. Christina.J (Customer Support Online Community and Social Care)

    New Okta Learning Badge: Manage BYOD via Identity-Aware Integration

    Transform your organization's mobile security landscape by implementing platform-specific BYOD strategies that leverage Okta's identity-first approach to protect both corporate data and user privacy. Plus, earn an Okta Skill Badge after completing the path! That's what I call a win-win!

    Learn more.


    • User17157611498146715886 (Customer Support Online Community and Social Care)

      Hello @AmareshS.36564 (Customer), thank you for contacting Okta Community.

       

      There are currently a few versions of the New Relic application available in the Okta Integrated Network. To add one to your org, from the Admin Dashboard, go to Applications, under Applications, and click to Browse App Catalog. Use the search bar to look up New Relic.

      (Screenshot 2025-04-21 at 19.00.08)

      Once you choose one of the apps, review its detailed description, then Add Integration. Once you add the application to your org, you will land on its page.

      If you want to see the SAML instructions, on the SSO tab, on the right side, you can find the instructions document.

      (Screenshot 2025-04-21 at 19.05.49)

      This should provide you with all the information you need (from Okta's side) to complete the integration. You may need to consult a guide or article from the New Relic company on how to integrate their app.

       

      Regards. 

