Okta SSO/SCIM email mismatch
Claude uses email as the primary identifier to match SSO logins to provisioned seats. In Okta, SCIM provisioning and SSO are configured separately and can pull email from different user profile fields. This guide explains how to identify and resolve the mismatch.
Symptoms
People may experience one or more of the following when attempting to access your organization via SSO:
How this happens
Okta user profiles contain multiple fields that represent identity. SCIM provisioning (under Provisioning → To App) and SAML/OIDC SSO (under Sign On) are configured independently.
A common mismatch: SCIM uses user.login while SAML sends user.email. Claude requires an exact string match.
Common confusion: Okta's SCIM attribute mappings and SAML attribute statements live in two different tabs — Provisioning → To App for SCIM, and Sign On for SSO.
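The check below is an added example, not part of the original article or of any Okta or Claude tooling. It compares the value each mapping would send for every user and labels why an exact string match fails. The sample profiles are constructed, and the `classify` and `audit` helpers and their reason labels are hypothetical names chosen for this illustration.

```python
# Added example. USERS is constructed sample data, not a real Okta export.
USERS = [
    {"login": "alice@example.com", "email": "alice@example.com"},
    {"login": "bob@example.com", "email": "Bob@example.com"},
    {"login": "carol", "email": "carol@example.com"},
    {"login": "dave@corp.example.com", "email": "dave@example.com"},
    {"login": "erin@example.com ", "email": "erin@example.com"},
]


def classify(scim_value, sso_value):
    """Explain why two identifiers fail an exact string match ('match' if equal)."""
    if scim_value == sso_value:
        return "match"
    a, b = scim_value.strip(), sso_value.strip()
    if a == b:
        return "whitespace"        # stray leading or trailing whitespace
    if a.casefold() == b.casefold():
        return "case"              # same address, different letter case
    if "@" not in a or "@" not in b:
        return "not-an-email"      # e.g. a short username stored in user.login
    (local_a, dom_a), (local_b, dom_b) = a.rsplit("@", 1), b.rsplit("@", 1)
    if local_a.casefold() == local_b.casefold():
        return "domain"            # same local part, different domain
    return "different"


def audit(users, scim_field="login", sso_field="email"):
    """List (scim_value, sso_value, reason) for every user whose values differ."""
    findings = []
    for profile in users:
        reason = classify(profile[scim_field], profile[sso_field])
        if reason != "match":
            findings.append((profile[scim_field], profile[sso_field], reason))
    return findings


if __name__ == "__main__":
    for scim_value, sso_value, reason in audit(USERS):
        print(f"{reason:13} SCIM={scim_value!r} SSO={sso_value!r}")
```

Running `audit` with both fields set to `email` models the aligned mapping and returns no findings for the same sample.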
Diagnostic steps
Step 1 — Confirm the mismatch
Step 2 — Identify the scope of the problem
Step 3 — Verify Okta user profiles directly
Resolution
Align both mappings to the same Okta field
The safest fix is to use user.email for both SCIM and SSO, as this field contains the canonical email address in Okta.
Force a full re-sync
Critical — Full sync required: An incremental sync will not update existing records after you change an attribute mapping.
Post-fix cleanup
After correcting the attribute mapping and completing the full sync:
Verification
After completing the fix and any cleanup:
Common issues
When to contact Support
Contact our Support team with your organization's domain, the affected person's email, and attribute mapping screenshots when:
Related Articles
Google Workspace SSO/SCIM email mismatch
Microsoft Entra ID SSO/SCIM email mismatch
OneLogin SSO/SCIM email mismatch
Ping Identity SSO/SCIM email mismatch
Okta SSO setup