This article addresses an expected behavior in which Okta writes a value to the Active Directory (AD) cn attribute even when its attribute mapping is configured as Do not map. This occurs because the cn attribute is required by Active Directory, and Okta's provisioning process must populate it with a value to ensure successful user creation or updates.
- Active Directory (AD)
- User Provisioning
- Attribute Mappings
- Profile Push
The cn (common name) attribute is required for objects in Active Directory. Okta must write a value to this attribute to ensure successful user provisioning and updates.
If a custom mapping is defined for the cn attribute, Okta will apply that mapping. However, if the mapping is either not defined or explicitly set to Do not map, Okta will use its default mapping expression: user.firstName + " " + user.lastName. This behavior is by design and is necessary to satisfy Active Directory's requirement for a value in the cn field.
This behavior is expected and does not indicate an issue. Okta's provisioning process is designed to handle this Active Directory requirement. The cn attribute will always be populated with a value.
To control the value written to the cn attribute, an explicit mapping can be created within the Okta Profile Editor. However, if no custom mapping is in place, Okta will continue to use the default First Name + " " + Last Name expression.
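The following audit sketch is an added example, not Okta code or part of the original article. It predicts the cn value from the mapping state described above and lists AD accounts whose cn differs. The `login` key, the `"DO_NOT_MAP"` marker, the use of a Python callable in place of a Profile Editor expression, and all sample records are assumptions constructed for illustration.

```python
# Added illustration of the cn fallback described in this article; not Okta code.

def expected_cn(profile, mapping=None):
    """Return (value, source) for the cn Okta is expected to write.

    mapping is None (no mapping defined), the string "DO_NOT_MAP"
    (hypothetical marker for the "Do not map" setting), or a callable
    standing in for a custom Profile Editor expression (assumption).
    """
    if callable(mapping):
        return mapping(profile), "custom"
    # Not defined or "Do not map": the default expression is still applied,
    # because AD requires cn to hold a value.
    return profile["firstName"] + " " + profile["lastName"], "default"


def audit(profiles, ad_cn_by_login, mapping=None):
    """List (login, actual, expected, source) where AD differs from prediction."""
    findings = []
    for p in profiles:
        want, source = expected_cn(p, mapping)
        have = ad_cn_by_login.get(p["login"])
        if have != want:
            findings.append((p["login"], have, want, source))
    return findings


# Constructed sample data: Okta profiles and a cn export from AD.
PROFILES = [
    {"login": "alovelace", "firstName": "Ada", "lastName": "Lovelace"},
    {"login": "ghopper", "firstName": "Grace", "lastName": "Hopper"},
]
AD_CN = {"alovelace": "Ada Lovelace", "ghopper": "Hopper, Grace"}


def last_first(profile):
    """Hypothetical custom mapping: "Last, First"."""
    return profile["lastName"] + ", " + profile["firstName"]


if __name__ == "__main__":
    # With "Do not map", cn is still predicted from the default expression.
    for row in audit(PROFILES, AD_CN, "DO_NOT_MAP"):
        print("mismatch:", row)
```

A mismatch under the default expression points to a cn that was set by a custom mapping or by something other than Okta's default.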
