Troubleshoot provisioning

Learn how to troubleshoot provisioning issues for new and existing SSO-enabled app integrations. To view errors that occurred during the provisioning process, select DashboardTasks on the Okta Admin Console.

Insufficient account permissions on the account used to setup the API configuration

Description

Provisioning has failed. From the DashboardTasks page in Okta, you see the following error: "Automatic provisioning of user John Doe to app Salesforce.com failed: The credentials used to connect to the API were invalid; please check your configuration".

This could be due to the third-party admin account reaching a password expiration, or the password was changed and not updated in Okta. It could even be that the third-party admin accounts username was changed or the account has been disabled.

Solution

Check that the third-party admin account used to set up the provisioning function within Okta is still valid and can be used to sign in to the third-party application directly. If the account works, make sure to re-enter the account info into the Integration section of the Provisioning tab for your app integration in Okta. If you can't sign in using that account, use another admin account (if applicable) to sign in to the third-party application and check on the original admin account. Fix any issues found with that account (password reset, username changed, account expired) and then re-enter the updated information in the Provisioning configuration section.

API configuration was successful, but the option to create, update, and deactivate users was not activated

Description

Provisioning has failed. From the "Tasks" page (DashboardTasks) in Okta,you see the following error: "Automatic provisioning of user John Doe to app Salesforce.com failed: Matching user not found."

This can happen if you enable the provisioning feature by setting up the app integration and click Save, but then forget to turn on the create, update, and deactivate users options. This error message tells you that the Create user option is not on, as the error message states that it was unable to find a user in the Salesforce application that matches this user, and therefore it could not assign the app integration. If the Create user option is turned on, Okta would create a new user in Salesforce after it found no matching user existed, and assignment would succeed.

Solution

Ensure that in the Provisioning tab of your app integration, for the To App setting, you click Edit and enable Create Users, Update User Attributes, and Deactivate Users options.

Insufficient licensing

Description

Provisioning has failed. From the "Tasks" page (DashboardTasks) in Okta, you see the following error: "Automatic provisioning of user John Doe to app Salesforce.com failed: License Limit Exceeded."

This issue occurs when you assign a user to an app integration and attempt to grant the user a role or licensing level that you do not possess.

Solution

Ensure that sufficient licensing exists prior to user assignment. If you do run into this issue, obtain the required licensing and simply click Retry Selected on the "Tasks" page after the licensing issue has been fixed.