This article explains the expected behavior when a user logs in with a short name (the username prefix only) while using Active Directory Delegated Authentication with Just-In-Time Provisioning (JIT). The topic is described in further detail in Can Users Log in With Only the Username Part of the Email Without Including the Domain.
- Directories
- Active Directory (AD)
- Delegated Authentication
- Just-in-Time (JIT) Authentication
- Short name
Under the following conditions, Okta will allow a user to log in with only their username prefix.
- The user attempting to log into Okta is sourced from Active Directory, and Delegated Authentication is enabled.
- JIT is enabled.
- See Configuring Real Time Sync - Okta Active Directory Integration for more details.
- Multiple users in the Okta tenant may share the same username prefix across different domains, for example userA@abc.com and userA@xyz.com.
- The username prefix must be unique within the single domain authenticating the user.
- Global Security settings allow short name login.
To prevent users from logging in with their username prefix:
- Set Username match criteria on sign-in to Match entire username.
- This requires users to enter their full Okta username to log into Okta.
- For more information, please see Can Users Log in With Only the Username Part of the Email Without Including the Domain.
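The following is a constructed model of the rules above (the conditions for short-name login and the Match entire username mitigation), added here as an illustration; it is not Okta code. The AD domain contents, passwords and the `via_domain` parameter (which AD domain's agent handles the request) are assumptions.

```python
# Constructed model of the short-name login rules described on this page.
# Added illustration, not Okta code; directory contents and the order of
# checks are assumptions that simplify the documented behavior.
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

MATCH_PREFIX = "Match username prefix"   # short name login allowed
MATCH_ENTIRE = "Match entire username"   # short name login disabled


@dataclass
class ADDomain:
    """One delegated-authentication AD domain (constructed sample data)."""
    name: str
    delegated_auth: bool = True
    jit: bool = True
    # sAMAccountName -> password (constructed sample values). Keying by
    # sAMAccountName makes the prefix unique within the domain.
    accounts: Dict[str, str] = field(default_factory=dict)


@dataclass
class OktaTenant:
    match_criteria: str
    domains: Dict[str, ADDomain] = field(default_factory=dict)

    def login(self, username: str, password: str, via_domain: str) -> Optional[str]:
        """Resolve the login name, then let the AD domain check the password.

        via_domain is the AD domain whose agent handles the request; how Okta
        chooses it when several are connected is outside this model.
        Returns the full Okta username on success, None on failure.
        """
        ad = self.domains.get(via_domain)
        if ad is None or not ad.delegated_auth:
            return None            # password check must be delegated to AD
        if "@" in username:
            prefix, _, domain = username.partition("@")
            if domain != ad.name:
                return None        # full name belongs to another domain
        elif self.match_criteria == MATCH_PREFIX and ad.jit:
            prefix = username      # short name accepted under the conditions
        else:
            return None            # Match entire username (or no JIT)
        stored = ad.accounts.get(prefix)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        return f"{prefix}@{ad.name}"


def sample_tenant(criteria: str) -> OktaTenant:
    """Two domains that both hold a userA, as in the page's example."""
    return OktaTenant(criteria, {
        "abc.com": ADDomain("abc.com", accounts={"userA": "pw-abc"}),
        "xyz.com": ADDomain("xyz.com", accounts={"userA": "pw-xyz"}),
    })
```

With the prefix criteria, the short name userA resolves to a different Okta user depending on which domain authenticates it; with Match entire username the short name is refused and only the full username works.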
