
SiemelN.42794 (Customer) asked a question.
Hi. My setup is like this:
(1) I am using OKTA as an identity provider
(2) There is an OpenId connect app.
(3) There is an identity Provider.
Now in the IdP there is a user U1. This user does not exist in OKTA. Then go to the URL of the OpenID Connect app, which is like
https://dev-<number>.oktapreview.com/oauth2/v1/authorize?idp=<IDP id>&client_id=<OpenId client_id>&response_type=code&response_mode=fragment&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A<port>%2Fcallback&state=12345
Log in. The user U1 gets created in OKTA, but the browser shows them an error that the user is not assigned to the client application. I.e. the URL is like http://localhost:<port>/callback?state=12345&error=access_denied&error_description=User+is+not+assigned+to+the+client+application.
If I go to the OpenID Connect app in OKTA and manually assign U1 to the OpenID Connect app, then they can log in.
But the thing is, is there a way to assign the new user U1 to the OpenID Connect app automatically when the user logs in for the first time?
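The authorize request and the callback from the question, as an added example that is not part of the original post: it builds the same `/oauth2/v1/authorize` URL (with the `idp` parameter that routes the login to the external IdP), then classifies what comes back on the redirect URI, checking `state` before trusting anything else and distinguishing an `error` response (such as the `access_denied` / "User is not assigned to the client application" case above) from a successful `code`. The org URL, client_id, IdP id and port are placeholders, and the sample callback URL is constructed from the one in the question. Because `response_mode=fragment` was requested but the URL shown carries the parameters in the query string, the parser accepts either location.

```python
"""Added example (not from the original post): build the Okta authorize URL
with an idp hint and classify the redirect the browser is sent back to.
All identifiers below are placeholders, not real tenant values."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ORG_URL = "https://dev-000000.oktapreview.com"   # placeholder org
CLIENT_ID = "0oa_client_placeholder"             # placeholder OIDC client_id
IDP_ID = "0oa_idp_placeholder"                   # placeholder external IdP id
REDIRECT_URI = "http://localhost:8080/callback"  # placeholder port


def new_state():
    """Unguessable per-request state; store it server-side or in a cookie."""
    return secrets.token_urlsafe(24)


def build_authorize_url(state, idp_id=IDP_ID):
    """Same shape as the URL in the question; urlencode percent-encodes
    redirect_uri exactly as the question shows (http%3A%2F%2Flocalhost...)."""
    params = {
        "idp": idp_id,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "response_mode": "fragment",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{ORG_URL}/oauth2/v1/authorize?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Classify the redirect: state mismatch, error, code, or malformed.
    Parameters are read from both the query and the fragment."""
    parts = urlsplit(url)
    params = {}
    for raw in (parts.query, parts.fragment):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            params.setdefault(key, values[0])

    state = params.get("state")
    # Constant-time compare; a missing or wrong state means the response
    # was not produced for a request we made, so stop before reading more.
    if state is None or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        return {"status": "state_mismatch", "state": state}

    if "error" in params:
        return {
            "status": "error",
            "error": params["error"],
            "description": params.get("error_description", ""),
        }
    if "code" in params:
        return {"status": "code", "code": params["code"]}
    return {"status": "malformed"}


def is_unassigned_user(result):
    """True for the specific failure in the question: Okta created the user
    via the IdP but the user is not assigned to the OIDC application."""
    return (
        result["status"] == "error"
        and result["error"] == "access_denied"
        and "not assigned to the client application" in result["description"]
    )


if __name__ == "__main__":
    state = "12345"  # fixed here only to mirror the question; use new_state()
    print(build_authorize_url(state))
    # Constructed callback URL, copied from the question with a placeholder port.
    cb = ("http://localhost:8080/callback?state=12345&error=access_denied"
          "&error_description=User+is+not+assigned+to+the+client+application.")
    result = parse_callback(cb, state)
    print(result, "unassigned user:", is_unassigned_user(result))
```

The check order matters: `state` is validated before `error` or `code` is read, so an attacker cannot feed the client an error page (or an authorization code) from a flow the client never started.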

Hello Siemel,
It might be doable through group rules, if the account has a certain attribute for it to be assigned automatically to a group, the group having previously been assigned to the app.
However, it will be best to open a ticket with Okta to be able to have a meeting and see this behavior, and possibly also to reproduce the issue to have a better understanding.
Veniamin-Dorin Melnic
Technical Support Engineer
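The group-rule approach suggested in the reply, as an added example that is not Okta's code or part of the original answer: it builds the request body for the Okta Groups API (`POST /api/v1/groups/rules`, then `POST /api/v1/groups/rules/{id}/lifecycle/activate`) so that any user whose profile satisfies an expression is placed in a group, and that group is the one already assigned to the OpenID Connect app. The org URL, API token, target group id and the `user.department` attribute value are assumptions for illustration; the attribute you key on must be one the IdP actually populates on the users it creates.

```python
"""Added example (not Okta's code, not from the original reply): create and
activate an Okta group rule that auto-assigns users to a group already
assigned to the OIDC app. Org URL, token, group id and attribute are
placeholders / assumptions."""
import json
import urllib.request

ORG_URL = "https://dev-000000.oktapreview.com"  # placeholder org
API_TOKEN = "00_placeholder_ssws_token"          # placeholder SSWS API token
APP_GROUP_ID = "00g_placeholder_group"           # assumed: group already assigned to the app
# Assumed: the IdP sets department on the users it creates in Okta.
RULE_EXPRESSION = 'user.department == "Partner"'


def group_rule_payload(name, expression, group_ids):
    """Body for POST /api/v1/groups/rules. Users whose profile satisfies
    `expression` (Okta expression language, urn:okta:expression:1.0) are
    added to every group in `group_ids`."""
    if not group_ids:
        raise ValueError("a group rule needs at least one target group")
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {"value": expression, "type": "urn:okta:expression:1.0"}
        },
        "actions": {"assignUserToGroups": {"groupIds": list(group_ids)}},
    }


def okta_request(org_url, api_token, method, path, body=None):
    """Minimal authenticated call to the Okta management API.
    Returns the parsed JSON body, or {} for empty (204) responses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(org_url + path, data=data, method=method)
    req.add_header("Authorization", f"SSWS {api_token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_and_activate_rule(org_url, api_token, payload, request=okta_request):
    """Rules are created INACTIVE; the activate call is what makes Okta start
    evaluating it, including against users created later by the IdP flow.
    `request` is injectable so the sequencing can be exercised without network."""
    rule = request(org_url, api_token, "POST", "/api/v1/groups/rules", payload)
    request(org_url, api_token, "POST",
            f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate")
    return rule["id"]


if __name__ == "__main__":
    payload = group_rule_payload("Auto-assign IdP users to app group",
                                 RULE_EXPRESSION, [APP_GROUP_ID])
    print(json.dumps(payload, indent=2))
    # Network call; only meaningful with a real org URL and token.
    # rule_id = create_and_activate_rule(ORG_URL, API_TOKEN, payload)
```

Two caveats a practitioner should keep in mind: the rule assigns users to the group, so application access still depends on that group being assigned to the OIDC app; and rule evaluation is attribute-driven, so a user the IdP creates without the keyed attribute (here `department`) will still hit the "not assigned to the client application" error.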