We’ve encountered an issue in our Okta Production org related to JIT provisioning via federated SAML IdPs. Specifically, we’ve noticed that custom user attributes passed in the SAML assertion are not being updated during JIT provisioning, even though this behavior works correctly in our non-production (preview) orgs.
All configurations across environments—including profile mappings, attribute settings, and SAML integration—are fully managed via Terraform and confirmed to be identical. However, in production, custom attributes simply don’t update unless we apply a workaround.
Workaround Observed:
When we change the user profile so that the email attribute has a different value from username (login), the JIT provisioning successfully updates the custom attributes. However, this is not a desirable or semantically correct approach for our use case, as it breaks our expected identity model.
Any idea why there is such behavior? Are there any settings under the hood on the Production instance?
Thanks!
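A check worth running before comparing the two orgs any further, as an added example that is not part of the original post: capture the SAMLResponse the IdP actually sends to the production org and dump its NameID and attribute statement, so you can confirm the custom attribute really arrives and see what values the email and login attributes carry. The script below is my own Python, not Okta tooling; the attribute names (`email`, `login`, `costCenter`, `groups`), the expected-attribute list and the sample response are constructed assumptions.

```python
"""Dump NameID and the attribute statement of a SAML 2.0 response.

Added example, not code from the original post. Feed it the raw XML or the
base64 value of the SAMLResponse form field (e.g. from a SAML tracer).
xml.etree is not hardened against XXE/entity expansion; for assertions you
did not capture yourself, parse with defusedxml instead.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample; attribute names and values are assumptions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="login">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="costCenter">
        <saml:AttributeValue>CC-4711</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>eng</saml:AttributeValue>
        <saml:AttributeValue>sec</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same sample in the form a browser posts it (base64 of the XML).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(raw: str) -> str:
    """Accept either raw XML or the base64 SAMLResponse form-field value."""
    text = raw.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def parse_assertion(xml_text: str) -> dict:
    """Return {'name_id': str, 'attributes': {name: [values]}} for the assertion."""
    root = ET.fromstring(xml_text)
    # A Response wraps the Assertion; a bare Assertion may also be pasted in.
    assertion = root.find("saml:Assertion", NS) if root.tag.endswith("}Response") else root
    if assertion is None:
        raise ValueError("no saml:Assertion found in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values  # multi-valued attributes keep all values
    return {"name_id": name_id.strip(), "attributes": attributes}


def missing_attributes(parsed: dict, expected: list) -> list:
    """Names from `expected` that the IdP did not send at all (sorted)."""
    return sorted(name for name in expected if name not in parsed["attributes"])


def email_equals_login(parsed: dict, email_attr: str = "email", login_attr: str = "login") -> bool:
    """True when the assertion carries identical single values for email and login."""
    email = parsed["attributes"].get(email_attr, [])
    login = parsed["attributes"].get(login_attr, [])
    return len(email) == 1 and email == login


if __name__ == "__main__":
    import json
    import sys

    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    parsed = parse_assertion(decode_saml_response(raw))
    print(json.dumps(parsed, indent=2))
    print("missing:", missing_attributes(parsed, ["email", "login", "costCenter", "department"]))
    print("email == login:", email_equals_login(parsed))
```

Run it with `python3 dump_saml.py < response.b64` (a constructed file name) against a capture from each org. If the custom attribute is present in both captures with the same value, the difference lies on the Okta side rather than in the assertion; if it is missing from the production capture, the IdP, not the profile mapping, is what differs.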