Salesforce application user provisioning fails with the following error message whenever the application username is set to a non-email address format:
Push new user to external application
FAILURE: Username must be in the form of an email address (for example, john@acme.com): Username
Below is an example of a problematic application username format, where an Okta Expression Language (OEL) expression is used to generate a non-email format app username under the Sign On tab:
- Salesforce
- Provisioning
- Okta Integration Network
- Application username format
This behavior is by product design: Salesforce strictly requires that Salesforce usernames be in email address format only.
This is documented in this Salesforce article.
If additional clarification about the Salesforce username format requirement is needed, please contact the Salesforce Support team directly for further assistance.
To avoid this provisioning error:
- Navigate to Okta Admin Console > Applications > Applications > select the Salesforce.com application > Sign On tab > click the Edit button > Credentials Details > App Username Format > select Custom, and then update the OEL expression as needed to ensure it always generates the Salesforce app username in email address format.
- For example:
- Verify whether setting Update application username on to Create and Update is needed to allow all pre-existing app usernames to be updated to the correct email format.
- Click on the Save button once the app username custom OEL expression preview testing has been completed.
- Reload the page to ensure that the Update Now button is displayed.
- Click on the Update Now button to trigger a backend job to check and update all pre-existing app assignments for the Salesforce.com application. This will update the application username based on the newly configured one and will allow a new user provisioning push attempt, which should retry all failed app assignment tasks found in the Okta Admin Console > Tasks page for the Salesforce app instance.
NOTE:
- The Create and Update option is only available if Update User Attributes is enabled under Provisioning > To App settings.
- For specific business use-cases where it is not possible to have Update User Attributes enabled, please remove the problematic app assignment with the incorrect app username and recreate a new app assignment that contains the new app username in email address format value. See Okta Does Not Support Partial Profile Push During Subsequent Profile Update Push from Okta to External Application for additional information.
- If this is a brand new Salesforce.com app setup, Okta strongly recommends that all customers set up a lower environment sandbox app testing to confirm app configuration settings prior to deploying the new app in the Okta Production org.
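
The following is an added example, not Okta or Salesforce code: a Python pre-flight check that runs a candidate username mapping over a user export and lists every user whose generated app username would not be in email address format, including users for whom a source attribute is empty. The regular expression is an assumed approximation of the Salesforce rule, and the sample users and the three mapping functions are constructed for illustration.

```python
import re

# Assumption: conservative approximation of "email address format"
# (one "@", non-empty local part, dotted domain, no whitespace).
# The exact Salesforce validation rule is not given on this page.
EMAIL_FORMAT = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def is_email_format(username):
    """True only when the value is a non-empty string in email format."""
    return bool(username) and EMAIL_FORMAT.fullmatch(username) is not None


def preflight(users, build_username):
    """Return (login, generated_username) pairs that would fail the push."""
    failures = []
    for user in users:
        try:
            candidate = build_username(user)
        except (KeyError, AttributeError, TypeError):
            candidate = None  # a missing source attribute yields no username
        if not is_email_format(candidate):
            failures.append((user.get("login"), candidate))
    return failures


# Constructed sample users standing in for an export of Okta profiles.
SAMPLE_USERS = [
    {"login": "john@acme.com", "employeeNumber": "1001"},
    {"login": "jane@acme.com", "employeeNumber": None},
    {"login": "svc-backup", "employeeNumber": "9001"},
]


# Hypothetical mappings, written in Python to mirror what a custom
# App Username Format expression might compute.
def prefix_only(user):
    return user["login"].split("@")[0]  # non-email result: always fails


def prefix_with_domain(user):
    return user["login"].split("@")[0] + "@acme.com"


def employee_number_with_domain(user):
    return user["employeeNumber"] + "@acme.com"  # breaks when attribute is empty
```

Running `preflight(SAMPLE_USERS, employee_number_with_domain)` shows why an expression that looks correct in a single-user preview can still fail for users with an empty source attribute.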
