Unexpected "JIT User Provisioning Is Disabled" Error for SCIM-Provisioned Users
This article explains why the error "JIT user provisioning is disabled for this connection" can appear during a login attempt even though the user has already been provisioned in Auth0 through the System for Cross-domain Identity Management (SCIM).
- Enterprise Connections
- Security Assertion Markup Language (SAML)
- SCIM
- User Provisioning
- Just-in-Time (JIT) Provisioning
The primary cause of the unexpected error is a mismatch between the user identifier the Identity Provider (IdP) sends in the SAML assertion and the identifier stored in the user's Auth0 profile by the SCIM provisioning process.
During a SAML login, Auth0 looks for an existing user by matching the NameID in the SAML assertion against the user_id of the profiles on that connection. When a user is created via SCIM, Auth0 derives that user_id from the externalId value the IdP sends in the SCIM payload, so the user_id is only as good as whatever source attribute the IdP mapped to externalId.
If the attribute the IdP sends as the SAML NameID is not the same attribute it mapped to externalId during SCIM provisioning, the two identifiers differ and Auth0 does not find the existing user at login. Treating the login as a first-time user, it tries to create a profile through Just-in-Time (JIT) provisioning. JIT provisioning is intentionally disabled on a connection that uses SCIM, so the login fails and Auth0 logs the error.
To resolve the identifier mismatch, the SAML connection must be configured to use the same user attribute for the NameID that was used to provision the user via SCIM.
- Identify the SCIM User Identifier:
  - In the IdP's SCIM application settings, determine which source attribute (e.g., objectId or mail) is mapped to the externalId attribute sent to Auth0. This attribute is the unique identifier of the user's identity in Auth0.
- Verify the SAML NameID:
  - Use a SAML tracing tool (for example a browser extension that decodes SAML messages) to capture the assertion during a login attempt. Examine the value and the Format attribute of the <saml:NameID> element.
  - Alternatively, review the user's raw profile JSON in the Auth0 Dashboard under User Management > Users. The user_id shows the federated identity, including the unique identifier provided by the IdP (e.g., samlp|<connection-name>|<user-identifier>). The part after the last | is what the NameID must equal.
- Align the Identifiers:
  - In the IdP's SAML application settings, modify the NameID attribute mapping so that the NameID sent in the SAML assertion uses exactly the same source attribute that is mapped to externalId in the SCIM configuration. For example, if SCIM sends the objectId from Azure AD as externalId, the SAML NameID claim must also be configured to send the objectId.
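The following script is an added example (not Auth0 code) that automates the verification step above and makes the lookup failure described earlier concrete: it decodes a SAMLResponse, pulls out the NameID and its Format, builds the user_id Auth0 would look for using the samlp|<connection>|<identifier> layout from this article, and checks it against the SCIM-provisioned users. The connection name, the SAML assertion and the user records are all constructed for the example, as is the `name_id_matches` hint that reports which stored attribute (here the email) the NameID actually equals.

```python
"""Diagnose a SAML NameID vs. SCIM externalId mismatch (added example, not Auth0 code).

Assumptions (constructed for this example): the user_id layout samlp|<connection>|<identifier>
described in the article, a made-up connection name, a made-up objectId-style externalId,
and an unsigned, minimal SAMLResponse built by build_saml_response().
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

CONNECTION = "contoso-saml"  # constructed connection name

# Constructed stand-in for a SCIM-provisioned user as stored in Auth0:
# the IdP mapped its objectId to externalId, so that value ended up in user_id.
SCIM_USERS = [
    {
        "user_id": "samlp|contoso-saml|1a2b3c4d-0000-4000-8000-000000000001",
        "external_id": "1a2b3c4d-0000-4000-8000-000000000001",
        "email": "jane.doe@contoso.example",
    },
]


def build_saml_response(name_id, name_id_format):
    """Build a minimal, unsigned SAMLResponse (base64) carrying only a Subject/NameID.
    Real assertions are signed and carry far more; this is just enough for the check."""
    xml = (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject><saml:NameID Format="{f}">{n}</saml:NameID></saml:Subject>'
        "</saml:Assertion></samlp:Response>"
    ).format(p=NS["samlp"], a=NS["saml"], f=name_id_format, n=name_id)
    return base64.b64encode(xml.encode()).decode()


def extract_name_id(saml_response_b64):
    """Return (NameID value, NameID Format) from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("assertion carries no NameID")
    return (node.text or "").strip(), node.get("Format", "")


def diagnose(saml_response_b64, connection=CONNECTION, users=SCIM_USERS):
    """Reproduce the lookup Auth0 performs at login and explain a miss.

    Returns a dict with status "match" when the NameID resolves to an existing
    SCIM-provisioned user_id, or "mismatch" when it does not (the case in which
    Auth0 falls through to JIT provisioning, which SCIM connections disable).
    """
    name_id, fmt = extract_name_id(saml_response_b64)
    expected = "samlp|{}|{}".format(connection, name_id)
    result = {"name_id": name_id, "format": fmt, "expected_user_id": expected}
    if any(u["user_id"] == expected for u in users):
        result["status"] = "match"
        return result
    result["status"] = "mismatch"
    # Heuristic hint: if the NameID equals a stored email, the IdP is sending the
    # mail attribute as NameID while SCIM sent a different attribute as externalId.
    for u in users:
        if u.get("email", "").lower() == name_id.lower():
            result["name_id_matches"] = "email"
            result["scim_external_id"] = u["external_id"]
    return result


if __name__ == "__main__":
    # Misconfigured IdP: NameID carries the email, externalId carried the objectId.
    print(diagnose(build_saml_response("jane.doe@contoso.example", FMT_EMAIL)))
    # Corrected IdP: NameID carries the same objectId that SCIM sent as externalId.
    print(diagnose(build_saml_response(SCIM_USERS[0]["external_id"], FMT_PERSISTENT)))
```

To use it against a real login, paste the base64 SAMLResponse captured by your SAML tracing tool into `diagnose()` and replace `SCIM_USERS` with the `user_id`, `external_id` and `email` values read from the raw profile JSON in the Dashboard; a "mismatch" result with `name_id_matches` set tells you which claim the IdP is sending and which value it should be sending instead.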