When a new user logs into our webapp, we use the Okta SDK to assign them a role in Okta based on some business logic.
First, the user is provisioned in our customer’s IDP. When they log in, we use JIT to create that user in our Okta instance so we can manage them.
We then create their user in our webapp db and assign them a role on the webapp. After doing so, we need to look up the user by their email in Okta and assign them the same role there.
We use the Okta list users api to look up the user by their email:
String userSearchFilter = String.format("profile.email eq \"%s\"", email.toLowerCase());
oktaClient.listUsers(null, null, userSearchFilter, null, null);
This is where things go wrong. Only for SSO/SAML (the flow I explained above), the Okta SDK returns 0 results and we get the following error (raised by us when there are no results):
Could not find User with identifier [dan@dan.com]
If the user goes through our normal self service sign up process, registers, activates their email and logs in, we do not have this issue. Only when using JIT. Any ideas/advice would be appreciated.
A race condition doesn’t seem to be the issue - we have retry logic with some backoff that still fails to find the user by email after ~10-20 seconds. Okta logs also show that the user is created in Okta well before we attempt to look the user up by email.
When we see the error, if I hit the API using a curl command and the same filter, the user is returned, so I'm not sure what the issue could be here.
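Added here as an illustration, not code from the original post: a lookup helper that refuses to interpolate an email containing characters that would change the quoted filter expression, runs the same profile.email filter as the post, and falls back to Client.getUser, which accepts a login as well as an id. It assumes the Okta Java SDK Client with listUsers in the same 5-argument form as the post and getUser throwing ResourceException on 404; the names OktaUserLookup, findByEmail and emailFilter are chosen here.

```java
import com.okta.sdk.client.Client;
import com.okta.sdk.resource.ResourceException;
import com.okta.sdk.resource.user.User;
import com.okta.sdk.resource.user.UserList;

import java.util.Optional;

// Hypothetical helper, not part of the original post.
public class OktaUserLookup {
    private final Client oktaClient;

    public OktaUserLookup(Client oktaClient) {
        this.oktaClient = oktaClient;
    }

    // Build the same profile.email filter as the post, but reject values that
    // would terminate the quoted string and alter the filter expression.
    static String emailFilter(String email) {
        String normalized = email.trim().toLowerCase();
        if (normalized.contains("\"") || normalized.contains("\\")) {
            throw new IllegalArgumentException("email contains characters not allowed in a filter value");
        }
        return String.format("profile.email eq \"%s\"", normalized);
    }

    public Optional<User> findByEmail(String email) {
        String filter = emailFilter(email);
        // Assumption: the filter goes in the same parameter position as the original call.
        UserList users = oktaClient.listUsers(null, null, filter, null, null);
        for (User u : users) {
            return Optional.of(u);
        }
        // Fallback: getUser resolves a login as well as an id. A 404 means the user
        // is genuinely absent; any other status is surfaced to the caller.
        try {
            return Optional.of(oktaClient.getUser(email.trim().toLowerCase()));
        } catch (ResourceException e) {
            if (e.getStatus() == 404) {
                return Optional.empty();
            }
            throw e;
        }
    }
}
```

If the fallback finds the user while the filter does not, the difference between the two code paths narrows the problem to how the filtered list call is resolved rather than to whether the JIT-created user exists.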