
d9gyy (d9gyy) asked a question.
Hello,
I am stuck for many days on what I think is a very common case: I want to use Azure AD as a SAML IdP and Okta as the SP, to access an application.
I followed the documentation and checked all my settings many times. I keep getting the error "Unknown Profile Attribute" in the Okta System Log.
I created an Enterprise Application in my Azure AD subscription and configured SAML claims.
Then I created an external Identity Provider and provisioned those variables, with the corresponding external names, and adjusted the mapping.
I defined the following custom variables:
Variable details (I adjusted the external names the same way for all variables):
Here is the mapping:
I configured the endpoints, audiences and certificate correctly.
I use the "Test SSO" button on Azure AD:
I am redirected to Okta, then to Azure when I log in, then back to Okta with the following error:
When I check the System Log, I get this:
But when I debug the SAML claims in my browser developer tools, I can see that all mapped custom variables are there:
What am I missing?
Thanks !

Hello @d9gyy (d9gyy), thank you for reaching out to our Community!
The problem here might be the Username mapping and IdP username in the IdP setup. Could you try using idpuser.subjectNameId in the IdP setup and appuser.subjectNameId in the mappings setup, and see if there is any difference?
Also, you might want to expand the System Log entry to see which attribute is not accepted.
Also make sure you have set up a Routing Rule for the IdP; for this, please see:
https://help.okta.com/en-us/Content/Topics/Security/Identity_Provider_Discovery.htm
Hello,
I forgot to mention that I already created a rule, as follows:
I changed the IdP configuration and mapping as you suggested, as follows (I include screen captures so you can check whether it is valid):
There is something strange in the following expanded log though:
Also, the ID of the app user seems unknown, but I don't know if it is normal at that stage:
=> I am still stuck! Can you help me?
Thanks,
Joel
I still need to understand why not all the claims are received or processed by Okta.
Hello @d9gyy (d9gyy). In this case you need to make sure that the user's e-mail is on the onmicrosoft.com domain, because if not, that could be the issue.
Hello,
I did some tests and I still got the same errors:
I still get the same 400 and "Unknown Profile Attribute". But I DON'T HAVE IT when, in Okta, I map the subject NameID to all the appuser attributes (firstName, lastName, email, login).
Does that give you a hint?
Where in the System Log can I pinpoint the exact debug message that would lead me to understanding what is going on?
Regards,
Joel Bloch
Hello, I am still stuck with this problem, how can you help?
Regards,
Joel Bloch
We have a similar issue. Did someone solve it?
I too am running into the same problem. Any resolution on this?
Thanks, Anson
First find out whether adding the user in Okta still gives this error. If not, then the mapping (which is used for JIT) was the problem, as it was for me. The email field is the culprit! Change the mapping:
appuser.SubjectNameId -> login and appuser.SubjectNameId -> email
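Added example (Python, not from this thread, Okta or Microsoft): an offline checker that parses a constructed SAML Response of the kind an Azure AD enterprise application sends, then evaluates an Okta-style appuser.<variable> mapping against it. It covers both the first reply's suggestion (appuser.subjectNameId for the username) and the later point that the email mapping was the culprit: the "broken" mapping reads email through an IdP profile variable whose external name matches no claim in the assertion, so email stays unresolved, while the "fixed" mapping takes email from the NameID as well. The sample user, the profile variable names, the claim URIs and the mismatched external name "mail" are all constructed for the example; which of these conditions Okta reports as "Unknown Profile Attribute" is not something the thread settles, so the checker simply lists every attribute it cannot fill.

```python
"""Offline checker for an Okta inbound-SAML (JIT) attribute mapping.

Constructed example: parses a sample SAML 2.0 Response of the kind an Azure AD
enterprise application sends, evaluates a mapping written in the style of
Okta's appuser.<variable> expressions against it, and reports every Okta
attribute that cannot be filled. It does not verify signatures and is a
debugging aid only, not a SAML validator.
"""
import xml.etree.ElementTree as ET  # for real assertions prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample response (unsigned, trimmed to Subject and attributes).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">joel@example.onmicrosoft.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}givenname">
        <saml:AttributeValue>Joel</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname">
        <saml:AttributeValue>Bloch</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CLAIMS}emailaddress">
        <saml:AttributeValue>joel@example.onmicrosoft.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed IdP user profile: Okta variable name -> external name (the claim
# Name the IdP sends). 'email' deliberately points at a claim the sample
# response does not carry, to reproduce the unresolved-attribute case.
IDP_PROFILE = {
    "firstName": CLAIMS + "givenname",
    "lastName": CLAIMS + "surname",
    "email": CLAIMS + "mail",
}

# Mapping in the original poster's style: Okta attribute -> expression.
BROKEN_MAPPING = {
    "login": "appuser.subjectNameId",
    "email": "appuser.email",
    "firstName": "appuser.firstName",
    "lastName": "appuser.lastName",
}

# The mapping the thread converged on: NameID for both login and email.
FIXED_MAPPING = dict(BROKEN_MAPPING, email="appuser.subjectNameId")


def parse_assertion(xml_text):
    """Return (name_id, {claim_name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("./saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    path = "./saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs


def evaluate(mapping, idp_profile, name_id, attrs):
    """Resolve each 'appuser.<var>' expression; return (resolved, problems)."""
    resolved, problems = {}, []
    for okta_attr, expr in mapping.items():
        if not expr.startswith("appuser."):
            raise ValueError(f"only appuser.<var> expressions are modelled: {expr!r}")
        var = expr[len("appuser."):]
        if var == "subjectNameId":  # built-in: the assertion's NameID
            resolved[okta_attr] = name_id
        elif var not in idp_profile:
            problems.append(f"{okta_attr}: {expr} is not defined on the IdP profile")
        elif not attrs.get(idp_profile[var]):
            problems.append(f"{okta_attr}: claim {idp_profile[var]} is absent from the assertion")
        else:
            resolved[okta_attr] = attrs[idp_profile[var]][0]
    return resolved, problems


def check(mapping, xml_text=SAMPLE_RESPONSE, idp_profile=IDP_PROFILE):
    """Parse the response and evaluate the mapping in one step."""
    name_id, attrs = parse_assertion(xml_text)
    return evaluate(mapping, idp_profile, name_id, attrs)


if __name__ == "__main__":
    for label, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        resolved, problems = check(mapping)
        print(f"{label}: resolved={resolved}")
        for problem in problems:
            print(f"  unresolved -> {problem}")
```

To use it on a real failure, replace SAMPLE_RESPONSE with the base64-decoded SAMLResponse captured in the browser developer tools, and IDP_PROFILE with the variable names and external names configured on the Okta IdP profile; anything listed as unresolved is a mapping that cannot be satisfied by what the IdP actually sends, which is the first thing to check before touching endpoints or certificates.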
Hi @6ob93 (6ob93). I have the same configuration but I am still getting an error.