
StoinisM.81504 (Customer) asked a question.
I'm trying to integrate Okta as the SP and Entra ID (Azure AD) as the IdP using SAML. The authentication reaches Entra and successfully returns, but the user isn't getting created in Okta — JIT provisioning fails.
In the Okta system log, I see two recurring errors:
- Unknown Profile Attribute
- Unable To JIT
I've already added the required SAML claims in Entra:
- NameID is set to user.userprincipalname with the format emailAddress
- Additional claims: email, firstName, lastName, and login (all mapped from Entra attributes)
JIT provisioning is enabled
Still, I get the same error every time a user tries to log in via Entra. I even used SAML Tracer to confirm that all the attributes are present in the assertion, including login.
Any idea what attribute Okta is complaining about? Or is there something I missed in the profile mapping?

Hi @StoinisM.81504 (Customer), thank you for reaching out to the Okta Community!
I would start with this article.
I've also seen a reported issue where the UPN attribute was created in Okta; however, it was linked with the nameidentifier claim, so they updated the Okta IDP profile mapping to map the subjectNameid instead of the UPN.
Another report mentioned that the issue was caused by "created new user" not being enabled. So under your IDP configuration, check for "If no match is found > Create new user (JIT)".
If you continue having issues with the implementation, please open a case to work with my colleagues from the Support Team to investigate this further. They'll be able to access additional tools and resources to help you get to the bottom of it.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
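An added diagnostic sketch, not part of either post and not Okta's or Microsoft's code: it lists the attribute names an assertion actually carries (as copied from SAML Tracer) and compares them with the attribute names defined on the Okta IdP profile. The sample assertion, the profile attribute set and the `audit_assertion` helper are constructed for illustration; the namespaced `login` claim and the `FirstName` casing are assumed mismatches, not findings from this thread.

```python
import xml.etree.ElementTree as ET  # for XML you do not trust, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/login"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
# Assumed attribute names defined on the Okta IdP user profile (hypothetical).
IDP_PROFILE_ATTRS = {"email", "firstName", "lastName", "login"}


def audit_assertion(xml_text, profile_attrs):
    """Compare attribute names in a SAML assertion with profile attribute names."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", NS)
    sent = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    lowered = {p.lower(): p for p in profile_attrs}
    report = {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "not_in_profile": [],  # sent by the IdP, no exact match in the profile
        "near_misses": {},     # differs only by case or by a URI namespace prefix
        "missing_from_assertion": sorted(set(profile_attrs) - set(sent)),
    }
    for name in sent:
        if name in profile_attrs:
            continue
        report["not_in_profile"].append(name)
        short = name.rsplit("/", 1)[-1].lower()
        if short in lowered:
            report["near_misses"][name] = lowered[short]
    return report


if __name__ == "__main__":
    for key, value in audit_assertion(SAMPLE_ASSERTION, IDP_PROFILE_ATTRS).items():
        print(f"{key}: {value}")
```

Paste the decoded assertion from SAML Tracer in place of `SAMPLE_ASSERTION` and set `IDP_PROFILE_ATTRS` to the attribute names shown in the IdP's profile in Okta; the comparison is exact and case-sensitive on purpose.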