
Segment SSO Login Fails Due to Okta Email Mismatch

Issue

Users are unable to log in to Segment via Okta SSO, even after being successfully provisioned via SCIM. The login is safely rejected because the system does not recognize the user's account at sign-in.

 

Product

Twilio Segment

 

Environment

Segment Console

 

Cause

This issue occurs when Okta presents a split identity for the user between provisioning and login:

  • During SCIM provisioning, Okta provides one userName string (email address), and Segment reserves a workspace seat for that exact string. 
  • However, during SSO login, Okta passes a different alternative email string.
     

Because Segment's authentication system relies on a strict string match of the userName provided by Okta, rather than treating the email as a backend database ID, it does not see a match for the SSO email and rejects the login.

 

Resolution

To fix this, the email string passed by the SSO app must perfectly match the userName string used by the SCIM app.
  1. Open your Okta SCIM application settings.
  2. Locate the affected user and update their userName attribute so that it exactly matches the email string they use for their SSO login.
  3. Save the changes. SCIM will automatically push this update to Segment, updating the user's workspace profile to match their SSO login identity.
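
To find affected users before they report failed logins, the SCIM userName values can be compared against the email strings the SSO app sends. The following is an added example, not Segment or Okta code: the two inputs are constructed samples, and keying both on an Okta user id (`externalId`) is an assumption about how you export the data.

```python
import json

# Constructed sample: users as provisioned by the SCIM app (RFC 7644 ListResponse shape).
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"externalId": "okta-001", "userName": "ana@example.com"},
        {"externalId": "okta-002", "userName": "b.lee@example.com"},
        {"externalId": "okta-003", "userName": "Chris@example.com"},
    ],
})

# Constructed sample: email string the SSO app sends at login, keyed by the
# same Okta user id (hypothetical export format).
SSO_LOGIN_EMAIL = {
    "okta-001": "ana@example.com",
    "okta-002": "brian.lee@corp.example.com",
    "okta-003": "chris@example.com",
}

def classify(scim_user_name, sso_email):
    """Compare the two strings exactly, then hint at why they differ."""
    if sso_email is None:
        return "no-sso-value"
    if scim_user_name == sso_email:
        return "match"
    # Not an exact match: distinguish near misses from a different address.
    if scim_user_name.strip().casefold() == sso_email.strip().casefold():
        return "case-or-whitespace"
    return "different-address"

def audit(scim_json, sso_emails):
    """Return (externalId, userName, sso_email, verdict) for every non-exact match."""
    findings = []
    for user in json.loads(scim_json).get("Resources", []):
        key = user.get("externalId")
        sso = sso_emails.get(key)
        verdict = classify(user.get("userName", ""), sso)
        if verdict != "match":
            findings.append((key, user.get("userName"), sso, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(SCIM_LIST_RESPONSE, SSO_LOGIN_EMAIL):
        print("%s: SCIM userName=%r, SSO email=%r -> %s" % row)
```

Every row it reports is a user whose userName needs the update described in step 2.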

 
