3

We have an Okta instance that is tied to Active Directory. All users are created in AD and fed into Okta. The profiles are mastered by AD. We had added several custom attributes to the Okta profile and would like to update them via the Okta API. These are custom fields that are not mapped from AD. In all attempts, when we try to update via the API, we get:

{"errorCode":"E0000023","errorSummary":"Operation failed because user profile is mastered under another system"}

Does anyone know if this is possible? Contacted Okta support and read all the docs and it seems like it's possible but can't find anything that indicates how to configure the custom attributes to be writable from another source.

Todd

2 Answers

1

I ran into this same issue when I was configuring my Okta tenant (also integrated with Azure Active Directory).

Here's what worked for me:

 // Requires: using Okta.Sdk; using Okta.Sdk.Configuration;
 var oktaDomain = _configuration["Okta:Domain"]?.ToString();
 // Despite the variable name, this is the Okta API token.
 // ?. avoids a null dereference before the check below runs.
 var oktaPrivateKey = _configuration["Okta:ApiKey"]?.ToString();

 if (string.IsNullOrEmpty(oktaDomain) || string.IsNullOrEmpty(oktaPrivateKey))
     throw new NullReferenceException("oktaDomain or oktaKey must be present");

 var client = new OktaClient(new OktaClientConfiguration
 {
     OktaDomain = oktaDomain,
     Token = oktaPrivateKey
 });

 // Fetch the user, set the custom attribute, and push the profile back.
 var currentUser = await client.Users.GetUserAsync(userId);
 if (currentUser != null)
 {
     currentUser.Profile["custom_attribute"] = myCustomAttribute;
     await currentUser.UpdateAsync();
 }

I should also note that this will not be the end of your difficulties with updating custom profile attributes. If the claim mappings aren't configured correctly, you'll find that your profile attribute will initially be updated.

However, when a user signs back in, the value will revert back to what was mapped from Azure AD (usually blank).

To ensure the value actually persists, you'll need to head to your Okta Profile Editor and, for your Azure Active Directory profile, choose to edit the mappings. Then, make sure that your custom attributes are mapped as follows:

  • Azure Active Directory To Okta User: appuser.custom_attribute > custom_attribute
  • Okta User To Azure Active Directory: user.custom_attribute > custom_attribute

For example: [image: AAD to Okta Mappings] [image: Okta to AAD Mappings]

I hope this helps, it was challenging to sort this out when I ran into it.

Max Morrow
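
As an added example (not part of either answer and not Okta's own code), here is the same update made directly against the Okta Users REST endpoint in Python. It sends only the custom attribute as a partial update, reads the value back from the response, and turns the E0000023 error from the question into a hint based on the answers on this page. The function names and the domain, user id and token values passed in are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Error code quoted in the question above.
PROFILE_MASTERED_ELSEWHERE = "E0000023"


def build_partial_update(okta_domain, user_id, attributes, api_token):
    """Build a POST to /api/v1/users/{id}; POST changes only the attributes sent."""
    # Percent-encode the id so a caller-supplied value cannot alter the URL path.
    safe_id = urllib.parse.quote(user_id, safe="")
    return urllib.request.Request(
        f"{okta_domain.rstrip('/')}/api/v1/users/{safe_id}",
        data=json.dumps({"profile": attributes}).encode(),
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",  # Okta API token scheme
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def describe_failure(response_body):
    """Turn an Okta error body into a message the operator can act on."""
    error = json.loads(response_body)
    if error.get("errorCode") == PROFILE_MASTERED_ELSEWHERE:
        # Hint taken from the answers on this page, not from Okta documentation.
        return ("profile source rejected the write: check the attribute's "
                "mappings and source priority in Profile Editor")
    return f"{error.get('errorCode')}: {error.get('errorSummary')}"


def update_and_verify(okta_domain, user_id, name, value, api_token):
    """Write one custom attribute and confirm the response carries the new value."""
    request = build_partial_update(okta_domain, user_id, {name: value}, api_token)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            profile = json.load(response)["profile"]
    except urllib.error.HTTPError as exc:
        raise RuntimeError(describe_failure(exc.read())) from exc
    return profile.get(name) == value
```

A `True` result only confirms the write itself; the revert described above happens at the next sign-in, so check the attribute again after the user has logged in.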
1

I am encountering the same issue. After some testing, the change of the following profile configuration seems to work at least on a small set of users. Edit the source priority for the attribute. Open Profile Editor -> Search your attribute

ouflak
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://stackoverflow.com/help/whats-reputation), you can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/31264525) – Ethan Mar 15 '22 at 02:45