Updating a Federated JIT user with API


I configured a SAML 2.0 Identity Provider on my Okta tenant.
The IDP sends SAML Requests with few attributes, among them the user id, and the user is created JIT the normal way.

When logging in, the user lands on an application (OIDC application configured in Okta).
This application finds the user from the user id received from Okta.
Then the user accesses another application through Okta: I configured a SAML Application on Okta.
Problem is, this application needs to access the user birthdate:

  • this is not provided by the IDP.
  • the date exists in the first OIDC application the user lands on.

So when the user lands on the OIDC application, I try to update the user created JIT in Okta with an Okta API. I created an API Token with super admin rights to do so, but I get a 403 error.

Is it forbidden to update by API a Federated User created JIT, or am I doing something wrong?


Hello @joelbloch,

You can update attributes depending on the profile source for the user for the target attributes (or whole profile).
If the IDP is a profile source, attributes sourced by it have to be changed from the IDP.
In your case, you could create the birthdate as an Okta sourced attribute.

Thank you

1 Like

Hello @Regis, thanks for your answer. Is there a way to add an “Okta source attribute” in an idp profile, and source it after the JIT provisioning?

The birthdate can be set only after the JIT provisioning in my case, because only the upstream app knows it and is reached after the JIT.

Hi Joelbloch,

I’m taking a guess here, but if the OIDC app is a SPA it can’t use an API token. In the app integration at Okta go to the “Okta API Scopes” tab and grant “okta.users.manage.self”. When you authenticate with OIDC you’ll get an Okta API access token for the user. Then you can make an Okta API call with the access token in the header and update the birthdate. Of course you have to add a property in the Okta profile for birthday, let’s call it “birthDate” :) You can make it any data type you want (ISO date as a string, int number of seconds from the Unix Epoch…)

As far as the second SAML app goes: in the application integration on the General tab you can add any attributes you want to the SAML assertion. You can use the Okta expression language to pull the birthday directly from the user profile with “user.birthDate”. And if you need to transform it for the app, this is another place you can do it with the expression language.

1 Like
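
The self-service update described in the last answer, as an added example that is not code from any poster in this thread. It assumes the Okta Users API partial update (POST /api/v1/users/me), a custom profile attribute named "birthDate" stored as an ISO date string, and a constructed org URL and token; the function names are hypothetical.

```javascript
// Validate a YYYY-MM-DD birthdate before it is written to the Okta profile.
function parseIsoDate(value) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(value));
  if (!m) throw new Error("birthDate must be YYYY-MM-DD");
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Reject dates that roll over (e.g. 2023-02-30) and dates in the future.
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    throw new Error("birthDate is not a real calendar date");
  }
  if (dt.getTime() > Date.now()) throw new Error("birthDate is in the future");
  return m[0];
}

// Build the request: the user's own OAuth access token (scope
// okta.users.manage.self) goes in a Bearer header, not an SSWS API token.
function buildBirthDateUpdate(orgUrl, accessToken, birthDate) {
  const base = new URL(orgUrl);
  if (base.protocol !== "https:") throw new Error("Okta org URL must be https");
  if (!accessToken) throw new Error("missing access token");
  return {
    url: new URL("/api/v1/users/me", base).toString(),
    options: {
      method: "POST", // POST with a partial profile updates only the listed attributes
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json",
        Accept: "application/json",
      },
      body: JSON.stringify({ profile: { birthDate: parseIsoDate(birthDate) } }),
    },
  };
}

// Send the update. fetchImpl is injectable so the call can be stubbed offline.
async function updateOwnBirthDate(orgUrl, accessToken, birthDate, fetchImpl = globalThis.fetch) {
  const { url, options } = buildBirthDateUpdate(orgUrl, accessToken, birthDate);
  const res = await fetchImpl(url, options);
  if (res.status === 403) {
    // Per the thread: check the granted scope and the attribute's profile source.
    throw new Error("403: is okta.users.manage.self granted, and is birthDate Okta-sourced?");
  }
  if (!res.ok) throw new Error(`Okta API returned ${res.status}`);
  return res.json();
}
```
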