This knowledge base article provides solutions for handling SAML login issues where a small group of users have different email domains in Okta and Salesforce. By using Okta Expression Language (OEL) and Okta Groups, it's possible to set up a tailored application username format for these users without impacting others.
- Okta Administrators managing app integrations where users experiencing SAML login issues due to email domain discrepancies
A subset of users in the environment have their Okta email domain set to "domain1" but on the Service Provider (SP) application, their email domain is "domain2". This discrepancy results in failed SAML logins for these users. Other users with the same email domain in both Okta and Salesforce are unaffected.
To resolve this, Okta administrators can follow the steps below:
-
Create an Okta group specifically for the users facing this issue. For instance, this group could be named Salesforce domain1.com Users. Add the affected users as members of this group.
-
For the Salesforce application in Okta, change the Application username format to CUSTOM.
-
Input a conditional OEL expression in the format of [Condition] ? [Value if TRUE] : [Value if FALSE]. This will check for membership in the specific Okta group and adjust the email domain accordingly.
For example:
isMemberOfGroupName("Salesforce domain1.com Users") ? (String.substringBefore(user.email, "@") + "@domain1.com") : user.email
This expression checks if the user is a member of the "Salesforce domain1.com Users" group. If true, it changes the user's email domain to "@domain1.com". For all other users, it leaves their email unchanged.
By implementing this solution, only members of the specified group will have their application username set to the different domain, thus resolving their SAML login issues.
