
gayeongs.08190 (Customer) asked a question.
Hi everyone,
We are using a SAML IdP in Okta, with JIT and automatic group assignment enabled.
The IdP Routing Rule is configured based on domain.
For example, if the routing rule only includes the domain 'oktaus.com', users with the domain 'oktakr.com' should not be routed to this IdP, and therefore authentication and JIT user creation should not occur.
However, in our environment, users with the 'oktakr.com' domain are still being authenticated through this SAML IdP, are JIT-provisioned in Okta, and are assigned to the configured group (I saw this in the System Log).
What additional areas should I check to understand this behavior?
Are there scenarios where users can be routed to a SAML IdP even if their email domain is not explicitly defined in the IdP routing rule?
Thank you.

Hi @gayeongs.08190 (Customer). Try to set up explicit rules for each domain.
Also, if you are using the "AND User matches" - "Domain list on login" option, check for any spelling mistakes or empty spaces that might cause the routing rule to misfire or exclude users. (It specifies a list of the domains to match, without the @ sign; for example, mytest.com.)
Maybe try the other option based on user attributes as well, to see if that works the way you need it. There, you will need to configure the syntax with the @ sign. For example:
If none of that works, I strongly recommend opening a case to work with a dedicated resource from the Okta Support team who can set up a meeting with you to go over your implementation and help you get to the bottom of things.
Regards.
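To make the advice in the answer above concrete, here is an added example (written for this thread; it is not Okta's code and not code from either poster) that models a domain-based IdP routing rule and an audit of its "Domain list on login" entries. The matching semantics, top-down rule evaluation, IdP labels and user logins are assumptions for illustration only; they are not a statement of how Okta evaluates routing rules.

```python
"""Simplified model of domain-based IdP routing (assumed semantics, not Okta's).

It shows two things the answer points at:
  1. a user whose domain is not in the list falls through to the default IdP;
  2. a stray space or '@' in a list entry silently prevents a match, and a
     small audit can surface those entries before they cause a misfire.
"""

from dataclasses import dataclass, field


@dataclass
class RoutingRule:
    name: str
    idp: str                                   # hypothetical IdP label, e.g. "SAML-US"
    domains: list = field(default_factory=list)  # "Domain list on login": entered without '@'


def login_domain(login: str) -> str:
    """Return the domain part of a login such as 'alice@oktaus.com', lower-cased."""
    if "@" not in login:
        return ""
    return login.rsplit("@", 1)[1].strip().lower()


def audit_domain_list(domains):
    """Flag entries a reviewer may not notice but that defeat exact matching:
    surrounding whitespace, a leading '@', upper-case letters, or empty strings.
    Returns a list of (entry, problem) tuples; an empty list means the list is clean."""
    issues = []
    for raw in domains:
        if raw != raw.strip():
            issues.append((raw, "surrounding whitespace"))
        if raw.strip().startswith("@"):
            issues.append((raw, "leading '@' (the domain list expects no '@')"))
        if raw.strip() == "":
            issues.append((raw, "empty entry"))
        if raw != raw.lower():
            issues.append((raw, "upper-case characters"))
    return issues


def route_login(login: str, rules, default="Okta"):
    """Evaluate rules top-down; the first rule whose domain list contains the
    login's domain wins. Entries are compared exactly as configured (no trimming),
    so 'oktaus.com ' with a trailing space never matches 'oktaus.com'."""
    domain = login_domain(login)
    for rule in rules:
        if domain in rule.domains:
            return rule.idp
    return default


if __name__ == "__main__":
    # Constructed sample configuration and logins for the walk-through.
    good_rules = [RoutingRule("US SAML", "SAML-US", ["oktaus.com"])]
    bad_rules = [RoutingRule("US SAML", "SAML-US", ["oktaus.com "])]  # trailing space

    print(route_login("alice@oktaus.com", good_rules))  # SAML-US
    print(route_login("bob@oktakr.com", good_rules))    # Okta (not listed, falls through)
    print(route_login("alice@oktaus.com", bad_rules))   # Okta (misfire caused by the space)
    for entry, problem in audit_domain_list(["oktaus.com ", "@oktakr.com", "OktaUS.com"]):
        print(f"check entry {entry!r}: {problem}")
```

Running the audit against the configured domain list is a cheap first check before opening a support case: if it reports nothing and users from an unlisted domain still reach the SAML IdP, the cause lies outside the domain list itself (rule order or other match conditions), which is where the System Log entries for the affected sign-ins should be compared against each rule in turn.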