Saving inbound federated IDP details as a user attribute during JiT provisioning of user

Is there a way, when accepting auth from a user using a federated IDP (inbound fed) which triggers a JiT provisioning process, to save some details regarding the IDP used into a user attribute, which can then be used for a lookup later?

I know we could assign the user into an IDP marked group upon the JiT process and then in profile mappings, use the Okta expression language to map an attribute based upon group membership. However, as the attributes will be pulled directly from the user's Okta profile via the API sometimes, it’s not possible to map to an Okta attribute. We could use the above to map to the attribute being passed inside an OIDC JWT, but this would then only be passed during the sign-on process and not during a nightly sync task, for instance.

Is there a way this could be made easier?



I might be totally off here, but I believe this is attribute-level mastering in Okta.

Does this feature help you out?

Unfortunately, not what we are looking for.

We want Okta to automatically set an attribute value based upon the IDP the sign on came from.

Currently we are setting the user into a group based on the source IDP used for the authentication, and then using this to map an attribute further downstream.

However, if we want to pull this via the API, we have to pull both the profile and group memberships for the user, doubling the number of API calls.

Being able to set an attribute based upon the IDP would be the preferred approach if possible.
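
The group-based workaround described in the thread, as an added example (not code from any poster or from Okta): a nightly sync job merges the two per-user API responses and derives the source IDP from the marker group. The payloads are constructed samples shaped like the user and user-groups responses, and the `IDP-` group prefix, the `sourceIdp` field name and the function names are assumptions.

```python
# Added example: derive a "source IdP" value from IdP-marker group membership.
# Payloads are constructed samples shaped like Okta's user and user-groups API
# responses; the "IDP-" group prefix is an assumed naming convention.

IDP_GROUP_PREFIX = "IDP-"  # assumption: marker groups are named IDP-<name>

# Constructed sample: response of GET /api/v1/users/{id}
SAMPLE_USER = {"id": "00uEXAMPLE1", "profile": {"login": "alice@example.com"}}

# Constructed sample: response of GET /api/v1/users/{id}/groups
SAMPLE_GROUPS = [
    {"id": "00gEXAMPLE1", "profile": {"name": "Everyone"}},
    {"id": "00gEXAMPLE2", "profile": {"name": "IDP-PartnerSAML"}},
]


class AmbiguousIdpError(ValueError):
    """User is in more than one IdP marker group."""


def source_idp(groups):
    """Return the IdP name from marker groups, or None if there is none."""
    idps = sorted(
        g["profile"]["name"][len(IDP_GROUP_PREFIX):]
        for g in groups
        if g.get("profile", {}).get("name", "").startswith(IDP_GROUP_PREFIX)
    )
    if len(idps) > 1:
        # Do not guess: a user carrying two IdP markers needs manual review.
        raise AmbiguousIdpError(f"multiple IdP marker groups: {idps}")
    return idps[0] if idps else None


def sync_record(user, groups):
    """Merge the two API responses into the single record a sync job stores."""
    return {
        "id": user["id"],
        "login": user["profile"]["login"],
        "sourceIdp": source_idp(groups),
    }


if __name__ == "__main__":
    print(sync_record(SAMPLE_USER, SAMPLE_GROUPS))
```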