
AdamB.04369 (Customer) asked a question.
We have user profiles that are updated by SAML attributes from a JIT SSO SAML2 integration. We have one attribute in particular which is updated as expected whenever a new value is provided. So far so good, but recently a new situation has come to light where this attribute is not being cleared in a scenario where it is not provided. It's not clear yet whether the attribute is provided with an empty value or is simply absent (we suspect the latter).
Is it possible to tell from the logs which of these situations we have?
How does the update_profile event behave in either case? We assume that if an attribute is simply absent the value remains as whatever it was last set to (as opposed to being cleared) and that if the attribute is provided but with a blank value, that the profile would be updated with the empty value. Is that the case? Is this outlined in the documentation somewhere?

Hello @AdamB.04369 (Customer), thank you for posting on our Community page!
If the attribute has a value in Okta, and in the SAML assertion the attribute is absent or has a blank value, there will be no change to the attribute. What you are experiencing is indeed expected behaviour. The only way to remove the value is to manually remove the value from Okta; otherwise Okta will always retain the last value.
Thank you for reaching out to our Community and have a great day!
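To tell "absent" from "present but empty" for a given attribute, one option is to inspect a captured SAML response directly. The following is an added example, not code from the original thread or from Okta: it classifies a named attribute in a plaintext assertion. The attribute names and the sample response are constructed, and the parse is diagnostic only (no signature validation).

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"

# Constructed sample response (hypothetical attribute names, not from the thread).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="costCenter"><saml:AttributeValue/></saml:Attribute>
      <saml:Attribute Name="manager"/>
      <saml:Attribute Name="nickname"><saml:AttributeValue xsi:nil="true"/></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def decode_post_binding(b64_field: str) -> str:
    """Decode a SAMLResponse form field (HTTP-POST binding is plain base64)."""
    return base64.b64decode(b64_field).decode("utf-8")

def attribute_state(saml_xml: str, name: str) -> str:
    """Return 'absent', 'empty' or 'value' for the named SAML attribute."""
    # Assumes an assertion captured from your own IdP; do not feed untrusted XML.
    root = ET.fromstring(saml_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion" and root.find(".//saml:Assertion", NS) is None:
        raise ValueError("no plaintext Assertion found (encrypted, or not a SAML response)")
    matches = [a for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
               if a.get("Name") == name]
    if not matches:
        return "absent"  # the IdP did not send the attribute at all
    for attr in matches:
        for val in attr.findall("saml:AttributeValue", NS):
            is_nil = val.get(XSI_NIL) in ("true", "1")
            if not is_nil and (val.text or "").strip():
                return "value"
    # Attribute element exists but has no AttributeValue, a blank one, or xsi:nil.
    return "empty"

if __name__ == "__main__":
    for attr_name in ("department", "costCenter", "manager", "nickname", "title"):
        print(f"{attr_name}: {attribute_state(SAMPLE, attr_name)}")
```

If the IdP encrypts assertions, the attributes sit inside `EncryptedAssertion` and the function raises instead of reporting every attribute as absent.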