<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Authenticating Active Directory Users to Okta Using a Username Prefix

Okta Classic Engine
Directories
Okta Identity Engine

Overview

Okta allows users to authenticate using a username prefix when Active Directory (AD) Delegated Authentication is active. This behavior occurs under specific configuration conditions and requires adjusting the sign-in match criteria to enforce full username logins.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Delegated Authentication
  • Short Name Login

Cause

Okta allows a user to log in with only a username prefix when the configuration meets specific conditions. The following conditions enable short name logins:

  • The user attempting to log into Okta is sourced from Active Directory, and Delegated Authentication is active.
  • The username prefix remains unique within the single domain authenticating the user.
    • Multiple users in the Okta tenant can have similar usernames that match short names (for example, <userA@abc.com> and <userA@xyz.com>).
  • Global Security settings allow short name login.

Solution

How is the username prefix login prevented?

Require users to use the full Okta username during authentication by configuring the sign-in match criteria to match the entire username.

  1. Navigate to Security > General in the Okta Admin Console.
  2. Under Organization Security, set Username match criteria on sign in to Match entire username.

 

Related References

Loading
Okta Support - Authenticating Active Directory Users to Okta Using a Username Prefix