I have a typical migrate-to-Okta scenario here: Okta should server the SSO solution for an already existing user base. To achieve this there is a Okta tenant with an App for authentication and the Okta Signin Widget in my application. My application also serves an endpoint compatible to Passqord Import Inline hook which is configured in the Okta tenant.
Migration plan also very basic: take all known users from my data store and push them into Okta with the Password Import Inline Hook set up as described in the docs.
Now I face a strange problem: when I try to create the Okta users via API and setup the Password Import Inline Hook I get an API error that this operation is only allowed for STAGED users. Mine are created in PROVISIONING. On user creation there is nothing special: a name, a group, etc.
In the docs I found a hint the the initial status of created users is dependent on the Okta App and it looks like my App is configured for provisioning.
Am I right with my observations?
How do I need to setup/confiure the Okta App to allow me create users in STAGED status? I could not find anything in administrative UI so far.
When you create the user, are you setting them with activate=false? This will create them in the STAGED status.
Also, what is the sequence of API calls you make that you are seeing an error related to only being able to make a call on a STAGED user? To trigger the hook, I expect that you are making an API call to create the user and trigger the hook per our docs.
I guess my problem is to try to utilize the Java client. Its buildAndCreate method creates a user without giving me the opportunity of setting up the Password Import Inline Hook. Adding this afterwards is not supported, understandable.
I “re-implemented” my scenario as CURL calls and everything works as expected. So the solution would be to use the client to mimic what I did as CURL calls or leave the Java client behind and use raw HTTP requests.