Currently I have an OIDC connection set up in my Okta dev account.
I am having issues with JIT mapping of the firstName and lastName fields corresponding to Okta.
The flow goes as: if a user exists in both Okta and my IdP, the user is able to log in without any trouble. The problem arises when a new user is trying to log in. JIT user provisioning has been enabled and the mappings for email, firstName, lastName, displayName, etc. are all set.
It shows a 400 Bad Request error on the screen. Unable to create the user. The following required properties are missing: “firstName, lastName”.
Error Code: “jit_failure_missing_fields”.
Played a lot with the mapping options but firstName and lastName just don’t seem to map the first and last name coming from my IdP.
I understand the challenge you’re facing with JIT (Just-In-Time) provisioning and the missing firstName and lastName properties. Let’s troubleshoot this issue:
Mapping Configuration:
Ensure that your OIDC (OpenID Connect) mapping configuration correctly maps the firstName and lastName attributes from your IdP (Identity Provider) to Okta.
Verify that the attribute names match exactly between your IdP and Okta.
IdP Attributes:
Confirm that your IdP is actually sending the firstName and lastName attributes during authentication.
Check your IdP logs or configurations to ensure these attributes are included in the OIDC response.
Okta Required Attributes:
Okta requires certain attributes (like firstName and lastName) to create a user profile during JIT provisioning.
Make sure your IdP is providing these attributes in the OIDC response.
Malformed Fields:
Okta has added additional validation to guard against invalid misuse of the firstName and lastName fields.
Ensure that the values returned by your IdP conform to valid formats (e.g., no URLs or HTML tags).
Test with Existing User:
To isolate the issue, try creating a new user manually in Okta (without JIT provisioning).
Confirm that the firstName and lastName attributes are correctly set for this user.
Remember, JIT provisioning relies on accurate attribute mappings and data from your IdP. Double-check these settings to ensure successful user creation!
I’ve tried all of this. Somehow it still doesn’t work. Can you elaborate on the “invalid misuse” of the fields part of the logic that you’re doing on your end? Also wanted to know if there is any way I can see the JWT response coming from the OIDC provider? That will make me understand better if the issue is on Okta’s side processing the response or from my OIDC provider.
That error would imply that Okta did not receive a first name or last name for the authenticating user, which is required for User creation on our side.
Is this an OIDC IdP then? If so, what scopes are configured in Identity Provider (created on the Okta side) for Okta to request? Does it include the profile scope (this would ensure that the given_name and family_name claims are returned by an OpenID Connect provider)?
If this scope is already being requested, can you confirm whether or not you have provided Okta a “Userinfo endpoint” as part of the IdP configuration?
If you have one listed, can you try removing it to see if the behavior changes?
If you do not currently provide a Userinfo endpoint but your provider supports it, can you try adding it instead?