How do I update our SSO provider to a different Okta domain with Self-Hosted?

Last updated: September 8, 2025

Context

When attempting to update an existing SSO provider from one Okta domain to another, users may encounter the error "could not evaluate user: could not ensure managed user: user already exists" if the same email addresses exist in both Okta instances. This occurs because Spacelift has a protection mechanism that requires Identity Provider fields to remain immutable.

Answer

Before making any changes to your SSO configuration, ensure you have set up backup credentials to prevent potential lockouts. See our guide on setting up backup credentials.

To successfully update your SSO provider to a different Okta domain:

  1. First, unlink your current SSO provider through the console

  2. Update your configuration file with the new Okta domain details

  3. Run the ./scripts/update-sso-settings.sh script to configure the new provider

The script does not automatically remove the previous SSO provider configuration, which is why you need to manually unlink it first. This is particularly important when users have the same email addresses in both Okta instances.

For more information about SSO configuration, refer to our SSO documentation.