Hi Will, and thanks. My requirements are for SAML so I chose Inbound SAML using Passport.js path...would that not work? The problem I seem to be having is when I sign on with OKTA and select the link to my site I am presented with a sign on page from Gluu (/oxauth/auth/passport/passport-post-login) and I see my selected attribute (email) as the only credential...it is prepopulated with the correct id but clicking it gives me an incorrect username and password...the oxauth.log says: 2018-08-28 12:42:15,635 INFO [qtp1744347043-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for 'null' In reading the documentation I gather that any new id coming in would be added to ldap but that does not seem to be happening. Any ideas?