Username Set to an AD Attribute Not Showing Correct Value in Okta
Overview

When samAccountName is configured as the username format for an application, the correct username may not be populated for users assigned to multiple Active Directory (AD) instances. This occurs because the findDirectoryUser() function cannot be used when multiple directory instances are assigned to a user. Update the mapping to a specific attribute or specify a single AD instance in the username mapping to ensure the correct value is retrieved.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Provisioning enabled application
  • Multiple Active Directory instances
  • Active Directory attributes configured as a username
Cause

The issue is caused by the use of the hasDirectoryUser().findDirectoryUser().samAccountName function within the username mapping. This function fails to return a value when a user is associated with more than one AD instance, as Okta cannot determine which instance should serve as the authoritative source for the attribute.

Solution

How is the username mapping resolved for users with multiple Active Directory instances?

Implement one of the following methods to ensure Okta retrieves the correct samAccountName for the application username:

  1. Navigate to the application assignment and convert the group application assignment to individual, then manually enter the desired username.

  2. Modify the user's directory assignments so the user is active in only one AD instance.

  3. Establish an explicit mapping by creating a custom attribute:

    1. Navigate to Directory > Profile Editor.

    2. Add a new attribute to the Okta User profile.

    3. Map the samAccountName from the preferred AD instance to this new attribute.

    4. Configure the application username to use this specific Okta attribute instead of the generic AD mapping.

  4. Implement a custom expression to target a specific AD instance directly. For example, to pull the value from a specific domain, use the instance ID in the expression: active_directory_<instance_id>.samAccountName

Example: To populate the application username with the samAccountName value from the corp2.conclusion.com domain, use the expression active_directory_80ea4e5.samAccountName, where 80ea4e5 is the instance ID of that AD integration.
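To see why the generic mapping returns nothing for multi-directory users, and to check which users an instance-specific mapping would leave empty before rolling it out, here is a small Python model of the two expression forms discussed above. This is an added example, not Okta's own code or expression evaluator; the user data and instance IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Model of an Okta user: login plus AD assignments keyed by instance ID.
# Constructed sample data; instance IDs are placeholders, not real Okta IDs.
@dataclass
class OktaUser:
    login: str
    ad_instances: dict = field(default_factory=dict)

def find_directory_user(user):
    """Model of findDirectoryUser(): only unambiguous with exactly one AD instance."""
    if len(user.ad_instances) != 1:
        return None
    return next(iter(user.ad_instances.values()))

_INSTANCE_EXPR = re.compile(r"^active_directory_(\w+)\.(\w+)$")

def resolve_username(expression, user):
    """Evaluate the generic hasDirectoryUser()/findDirectoryUser() form or
    an instance-specific active_directory_<instance_id>.<attribute> form."""
    if "findDirectoryUser()" in expression:
        if not user.ad_instances:          # hasDirectoryUser() is false: fall back to login
            return user.login
        dir_user = find_directory_user(user)
        return dir_user.get("samAccountName") if dir_user else None
    m = _INSTANCE_EXPR.match(expression)
    if m:
        instance_id, attr = m.groups()
        return user.ad_instances.get(instance_id, {}).get(attr)
    raise ValueError(f"unsupported expression: {expression}")

def affected_users(users, expression):
    """Pre-rollout check: logins whose app username would resolve to nothing."""
    return [u.login for u in users if not resolve_username(expression, u)]

GENERIC_EXPR = "hasDirectoryUser() ? findDirectoryUser().samAccountName : user.login"
SAMPLE_USERS = [
    OktaUser("alice@example.com", {"aaaa111": {"samAccountName": "alice"}}),
    OktaUser("bob@example.com", {"aaaa111": {"samAccountName": "bob1"},
                                 "bbbb222": {"samAccountName": "bob2"}}),
    OktaUser("carol@example.com"),  # no AD assignment at all
]

if __name__ == "__main__":
    print(affected_users(SAMPLE_USERS, GENERIC_EXPR))
    print(affected_users(SAMPLE_USERS, "active_directory_bbbb222.samAccountName"))
```

Note that the instance-specific mapping fixes the multi-directory user but leaves every user without that instance empty, so run the check against the full assignment list, not only the users who reported the problem.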
