
KrisztianS.58271 (Customer) asked a question.
I'd like to ask your assistance in understanding what happens with IdP JIT provisioned users after the IdP gets removed.
As per the docs, I see that the account link gets removed yet the provider remains 'SOCIAL' for such users.
Does this mean that for such users the only chance of logging in after IdP removal is via another IdP that through the account linking rules matches the user in question? Is there any way to reset the provider from 'SOCIAL' to 'OKTA', thereby reconfiguring the user record to allow normal Okta-managed login?

Hello @KrisztianS.58271 (Customer), thank you for reaching out to our Community!
If you have removed the IDP, you should also remove the routing rule to be sure the user is not sent to an IDP that no longer exists. Also, you should consider doing a password reset for the users because they do not have an Okta password and they will not be able to authenticate.
If the provider still remains SOCIAL, that should not be a problem because they will be Okta mastered moving forward.
Hope this helps.
Hi,
Thanks for your reply! As per this article (https://support.okta.com/help/s/article/Problem-Password-reset-does-not-work-with-users-created-via-social-logins-Google-Facebook-etc?language=en_US) I got the impression that users created via an external IdP JIT (i.e. those having provider SOCIAL) cannot have their password reset.
Does this picture change then when the IdP gets removed? Example flow:
Thanks for helping me clarify this functionality!
That scenario does not include the fact that the IDP is no longer the source identity for the user. In this case users will be Okta mastered and will be able to reset their passwords.