Unable to find SSO/SAML user by email using Okta SDK on login

When a new user logs into our webapp, we use the Okta SDK to assign them a role in Okta based on some business logic.

First, the user is provisioned in our customer’s IDP. When they log in, we use JIT to create that user in our Okta instance so we can manage them.

We then create their user in our webapp db and assign them a role on the webapp. After doing so, we need to lookup the user by their email in Okta and assign them the same role there.

We use the Okta list users api to look up the user by their email:

// Note: the filter expression must use plain ASCII double quotes, escaped inside the Java string.
String userSearchFilter = String.format("profile.email eq \"%s\"", email.toLowerCase());
UserList users = oktaClient.listUsers(null, null, userSearchFilter, null, null);

This is where things go wrong. Only for SSO/SAML (the flow explained above) does the Okta SDK return 0 results, and we get the following error (raised by our code when there are no results):

Could not find User with identifier [dan@dan.com]

If the user goes through our normal self service sign up process, registers, activates their email and logs in, we do not have this issue. Only when using JIT. Any ideas/advice would be appreciated.

A race condition doesn’t seem to be the issue - we have retry logic with some backoff that still fails to find the user by email after ~10-20 seconds. Okta logs also show that the user is created in Okta well before we attempt to look the user up by email.

When we see the error, if I hit the API using a curl command and the same filter, the user is returned, so I'm not sure what the issue could be here.

The issue seems to be related to eventual consistency in Okta’s system after Just-In-Time (JIT) provisioning.

  • Implement a delay and retry mechanism after the JIT provisioning occurs. This gives Okta’s system time to fully process the new user.

A few points to consider:

  • Instead of using the List Users API, try using the Get User API with the user’s email as the login parameter. This might be more reliable for newly created users.

  • After JIT provisioning, check the user’s status before attempting to look them up. Wait until the user status is “ACTIVE” before proceeding with the role assignment.

  • Set up a webhook in Okta to notify your application when a user is fully created and activated. This way, you can trigger the role assignment process only when you receive the webhook notification.

  • If the issue persists, implement an exponential backoff strategy for retries. This increases the delay between retry attempts, giving more time for Okta’s system to fully process the new user.

Hope this helps!
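One way to combine the Get User, status-check and exponential-backoff suggestions above, as an added Java example that is not code from the thread. It assumes the Okta Java SDK 2.x `Client` API (the same `oktaClient` style the question uses), that the user's Okta login is their email, and the placeholder environment variable names OKTA_ORG_URL and OKTA_API_TOKEN:

```java
import com.okta.sdk.authc.credentials.TokenClientCredentials;
import com.okta.sdk.client.Client;
import com.okta.sdk.client.Clients;
import com.okta.sdk.resource.ResourceException;
import com.okta.sdk.resource.user.User;
import com.okta.sdk.resource.user.UserStatus;

public final class JitUserLookup {

    private static final int MAX_ATTEMPTS = 6;       // 0.5s + 1s + 2s + 4s + 8s + 8s ~= 23s of waiting
    private static final long INITIAL_DELAY_MS = 500;
    private static final long MAX_DELAY_MS = 8_000;

    /**
     * Resolves a JIT-provisioned user via the Get User API (which accepts a login, here
     * the email, as the identifier) instead of List Users, and returns only once the
     * user is ACTIVE. Returns null if the user is still not found or not active after
     * MAX_ATTEMPTS; the caller decides whether to defer the role assignment.
     */
    static User awaitActiveUser(Client client, String email) throws InterruptedException {
        long delay = INITIAL_DELAY_MS;
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            try {
                User user = client.getUser(email.toLowerCase());
                if (user.getStatus() == UserStatus.ACTIVE) {
                    return user;
                }
                // Found but not yet ACTIVE (e.g. STAGED / PROVISIONED): fall through and wait.
            } catch (ResourceException e) {
                if (e.getStatus() != 404) {
                    throw e;  // auth, rate-limit or server errors are surfaced, not retried
                }
                // 404: the user is not visible yet, retry after the backoff.
            }
            Thread.sleep(delay);
            delay = Math.min(delay * 2, MAX_DELAY_MS);
        }
        return null;
    }

    public static void main(String[] args) throws InterruptedException {
        // OKTA_ORG_URL / OKTA_API_TOKEN are assumed variable names for this example only.
        Client client = Clients.builder()
                .setOrgUrl(System.getenv("OKTA_ORG_URL"))
                .setClientCredentials(new TokenClientCredentials(System.getenv("OKTA_API_TOKEN")))
                .build();
        User user = awaitActiveUser(client, args[0]);
        System.out.println(user == null ? "user not active yet" : "found " + user.getId() + " " + user.getStatus());
    }
}
```

Retrying only on HTTP 404 keeps the loop from masking permission or rate-limit problems, and the status check guards against assigning a role to a user Okta has created but not yet activated.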