After adding new rules for login attributes (such as character limits), any API call that updates user information can fail if the user's existing login attribute does not meet the new requirements. This occurs even if the API request does not explicitly include the login attribute, because Okta's API checks the current login attribute value against the new rules.
- Lifecycle Management (LCM)
- Create a custom character restriction for the Okta username
The root cause of this behavior lies in Okta's fundamental design philosophy regarding user profile data integrity and policy adherence. When a custom character restriction is applied to the profile.login attribute, Okta's User API performs a comprehensive validation check on the entire user profile during any API POST call to update a user. This means that even if the API request payload only contains changes for attributes like firstName or email, Okta will still validate the existing profile.login value against all currently active profile and security policies, including the new character restrictions.
- Adjust the Login Restriction:
  - Re-evaluate and potentially modify the newly imposed profile.login character restrictions to be less stringent, thereby accommodating existing non-compliant login formats. This allows API updates to proceed without requiring changes to users' current login names.
- Change the User's Login:
  - Update the non-compliant profile.login values for existing users so they conform to the new character restrictions. This must be done before attempting to update any other profile attributes for those users via the API. This may involve a planned data migration effort or communication with affected users.
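To find affected users before sending updates, the following added example (not Okta code) checks each pending partial update against the login the profile would carry afterwards. The restriction shown (lowercase letters, digits, `.`, `_`, `@`, `-`, 5 to 40 characters), the sample records, and the function names are assumptions for illustration.

```python
import re

# Assumed restriction for illustration; mirror the rule configured in your org.
ALLOWED = re.compile(r"[a-z0-9._@-]")
MIN_LEN, MAX_LEN = 5, 40

# Constructed sample records, shaped like user objects (id, profile.login).
USERS = [
    {"id": "u1", "profile": {"login": "alice@example.com"}},
    {"id": "u2", "profile": {"login": "bob+test@example.com"}},
    {"id": "u3", "profile": {"login": "Carol O'Neil@example.com"}},
    {"id": "u4", "profile": {"login": "d@x"}},
]
# Constructed pending partial updates: user id -> profile attributes to change.
PENDING = {
    "u1": {"firstName": "Alice"},
    "u2": {"email": "bob@example.com"},
    "u3": {"login": "carol.oneil@example.com", "lastName": "O'Neil"},
    "u4": {"firstName": "Dee"},
}

def check_login(login):
    """Return the reasons a login breaks the assumed rule (empty list if compliant)."""
    reasons = []
    if not MIN_LEN <= len(login) <= MAX_LEN:
        reasons.append(f"length {len(login)} outside {MIN_LEN}-{MAX_LEN}")
    bad = sorted({c for c in login if not ALLOWED.fullmatch(c)})
    if bad:
        reasons.append("disallowed: " + " ".join(repr(c) for c in bad))
    return reasons

def plan_updates(users, pending):
    """Split pending updates into (ready, blocked) before any request is sent."""
    current = {u["id"]: u["profile"]["login"] for u in users}
    ready, blocked = {}, {}
    for uid, changes in pending.items():
        # Validate the login the profile would carry after the update: the new
        # value if the request sets one, otherwise the untouched existing value.
        reasons = check_login(changes.get("login", current[uid]))
        if reasons:
            blocked[uid] = reasons
        else:
            ready[uid] = changes
    return ready, blocked

if __name__ == "__main__":
    ready, blocked = plan_updates(USERS, PENDING)
    print("safe to send:", sorted(ready), "| fix login first:", blocked)
```

Users in the blocked set need their login corrected, or the restriction relaxed, before their other attribute changes are submitted.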
