Okta as a SAML for AWS Cognito, how to allow existing Okta accounts without OIN approval

I am an app developer who has set up Okta as a SAML for Amazon Cognito. Okta serves as an external IdP/SAML.
Current Setup:
I manually add a user using Directory>People>Add Person
An email is sent to invite the email to join okta
The person creates their Okta account in our development sphere and can log in using Okta

Desired Setup:
An existing Okta User can be manually added OR they request access that I can then confirm and add attributes
I assign the existing user to my application
The user can now sign on, no issues, no new account

It is my understanding that to do this, I need to get my application approved by the OIN and then the OAN and placed in the Okta catalog. However, to do so, Okta requires a permanent test account that allows them access to my application. I am not interested in Okta having permanent access to my application, nor temporary access given that my application work with PHI and I do not want to open a new loophole for risk (see Okta’s recent security breach).

Is there any way I can reach my target scenario without going through the OIN and OAN / permanent account requirements?