Authenticate to Okta Using a Matching Email or samAccountName
Overview

Okta users can authenticate with Delegated Authentication using an Active Directory (AD) samAccountName, email address, or User Principal Name (UPN) when the email prefix and samAccountName match in AD. To enable this, administrators must configure a custom Okta username format in the AD integration settings.


NOTE: Login using samAccountName works only if the value is unique in Okta. If multiple users share the same samAccountName, the value cannot be used to authenticate to Okta.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Okta Username
Solution

How can users authenticate to Okta using a matching email or samAccountName?


Follow these steps to allow users to authenticate to Okta using an email or samAccountName when the values match in Active Directory (AD):

  1. Go to Directory > Directory Integrations in the Okta Admin Console and select the Active Directory integration.
  2. Select Provisioning > To Okta and select Edit.

(Screenshot: Edit button)

  3. Change the Okta username format to Custom and enter the following expression:
    appuser.samAccountName+"@<domain.com>"

NOTE: Replace <domain.com> with the actual email domain.

(Screenshot: Okta username format)

  4. If the UPN prefix does not match the email prefix or samAccountName in Active Directory (AD), enable Just-In-Time (JIT) provisioning to allow users to log in using the UPN or UPN prefix.
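The following is an added pre-rollout check, not part of the Okta article: it evaluates the custom username expression over a few constructed AD records and flags the two situations the article calls out, a samAccountName that is not unique (login with it will not work) and an email or UPN prefix that differs from samAccountName (JIT provisioning needed). The domain, the sample records and the case-insensitive comparison are assumptions.

```python
"""Model the custom Okta username format appuser.samAccountName+"@<domain.com>"
and audit AD records before switching the integration to it."""
from collections import Counter

EMAIL_DOMAIN = "example.com"  # assumed: replace with the real email domain

# Constructed sample AD records; not real accounts.
AD_USERS = [
    {"samAccountName": "jdoe", "mail": "jdoe@example.com",
     "userPrincipalName": "jdoe@corp.example.com"},
    {"samAccountName": "asmith", "mail": "anna.smith@example.com",
     "userPrincipalName": "asmith@corp.example.com"},
    {"samAccountName": "bwong", "mail": "bwong@example.com",
     "userPrincipalName": "bwong@corp.example.com"},
    {"samAccountName": "BWONG", "mail": "bwong2@example.com",
     "userPrincipalName": "bwong2@corp.example.com"},
]


def okta_username(user, domain=EMAIL_DOMAIN):
    """Evaluate the article's expression: samAccountName + "@" + domain."""
    return f'{user["samAccountName"]}@{domain}'


def prefix(address):
    """Return the part of an email address or UPN before the '@'."""
    return address.split("@", 1)[0]


def audit(users):
    """Return (duplicates, needs_jit).

    duplicates: samAccountNames shared by more than one record. Comparison is
    case-insensitive (assumption: Okta logins and AD samAccountNames are not
    case-sensitive), so these users cannot sign in with samAccountName.
    needs_jit: users whose email prefix or UPN prefix differs from their
    samAccountName; the article says to enable JIT so they can use the UPN.
    """
    counts = Counter(u["samAccountName"].lower() for u in users)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    needs_jit = []
    for u in users:
        sam = u["samAccountName"].lower()
        if (prefix(u["mail"]).lower() != sam
                or prefix(u["userPrincipalName"]).lower() != sam):
            needs_jit.append(u["samAccountName"])
    return duplicates, needs_jit
```

Run `audit(AD_USERS)` before changing the username format; any entry in the first list needs its AD accounts de-duplicated, and a non-empty second list means step 4 (JIT) applies.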