Authenticating Active Directory Users to Okta Using a Username Prefix
Last Updated:
Overview
Okta allows users to authenticate using a username prefix when Active Directory (AD) Delegated Authentication is active. This behavior occurs under specific configuration conditions and requires adjusting the sign-in match criteria to enforce full username logins.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Delegated Authentication
- Short Name Login
Cause
Okta allows a user to log in with only a username prefix when the configuration meets specific conditions. The following conditions enable short name logins:
- The user attempting to log into Okta is sourced from Active Directory, and Delegated Authentication is active.
- The username prefix remains unique within the single domain authenticating the user.
- Multiple users in the Okta tenant can have similar usernames that match short names (for example,
<userA@abc.com>and<userA@xyz.com>).
- Multiple users in the Okta tenant can have similar usernames that match short names (for example,
- Global Security settings allow short name login.
Solution
How is the username prefix login prevented?
Require users to use the full Okta username during authentication by configuring the sign-in match criteria to match the entire username.
- Navigate to Security > General in the Okta Admin Console.
- Under Organization Security, set Username match criteria on sign in to Match entire username.
