Okta Classic Engine > Lifecycle Management > Answered. Posted 2020-06-26 (last activity 2020-06-29).

JasonW.77028 (Customer) asked a question.

How to use 'cn' attribute as username format in Okta AD LDS integration

Hi there,


We are currently trying to do JIT provisioning with Okta and our AD LDS solution. Right now, our usernames are in the AD LDS 'cn' attribute. They could be in any format (email, alphanumeric, etc). I am trying to set it up so that Okta will find the user based on the 'cn' field when it's entered into the login widget and import them in.


The agent is up and running and successfully validated. It's just a matter of getting the configuration right.


  • BhaskarM.18336 (Customer)

    you may need to apply the mappings "from AD to Okta" by going to:

    directory - profile editor - choose directories, find the specific AD - go to mappings

     

    appuser.cn ==> login

  • JasonW.77028 (Customer)

    Ok, so I'm not sure if I follow. I am looking at "Directory Integrations">Provisioning (tab)>"To Okta" (settings navigation on left). If I go to the Okta Attribute Mappings section below, the username/login Okta attribute has "value" set as "configured above". If I scroll back up there is a spot under "General" for "Okta username format"... I'm assuming I want to use "custom" from the drop down but that doesn't appear to work.

    When I attempt a login, I can see the query in the logs, but it's still looking under the UID and not the cn... Do I need to modify the integration settings instead?

    Log from the failure:

    FAILURE: User not found while executing query: (&(objectclass=user)(uid=testuserId))

  • BhaskarM.18336 (Customer)

    directory - profile editor - choose directories, find your specific AD - go to mappings

    apply the mapping below: appuser.cn <<AD>> ==> login <<Okta>>

    and there will be a preview option to verify the user profile - you can verify and apply mappings.
  • JasonW.77028 (Customer)

    I think you are referencing users that have already been imported. I am trying to do this with JIT. The user doesn't exist in Okta yet, I want to pull them in "just in time" on login. Again, I think the issue is that the login value is searching against 'uid' where I'd like it to be 'cn'.

    This is the error I get: FAILURE: User not found while executing query: (&(objectclass=user)(uid=testUserId))

    I assume that it should look like this, to work: (&(objectclass=user)(cn=testUserId))
    • sandeepk.84743 (Wipro Technologies)

      Hi Jason,

      You need to edit the mappings in directory Configurations. Add the unique identifier attribute as CN instead of UID. That should correct the search query automatically.

      • JasonW.77028 (Customer)

        Any thought about where this should happen?

        If I go to "Directory Integrations">My LDAP Integration>Provisioning tab>Integration settings. Are you talking about the first entry point? Configuration.Objects.UniqueIdentifierAttribute? It defaults to 'distinguishedname', are you suggesting to change that to 'cn'?

  • k5fuw (k5fuw)

    In the mappings for your directory integration, you'll see that it says the Okta username is determined by the domain setting, although there's an option to override that with a mapping. And you could do that, but it would be more straightforward to change it in the domain settings and leave the mappings alone (my opinion, anyway).


    To change the domain setting... In your AD directory integration, on the Provisioning tab, select To Okta in the left column. Okta username format is where you configure which AD attribute becomes your Okta username. We use the UserPrincipalName attribute because while users can enter their full userprincipalname, they can also sign in with just the username portion of their userprincipalname as long as their username is unique within your Okta org.

    • JasonW.77028 (Customer)

      I'm specifically talking about "LDAP", not "Active Directory", sorry if that wasn't clear. I tried messing around with this and changing it to 'Custom' and appuser.cn for the value, but this only works against users that were already pulled in.


      I'm trying to affect JIT queries to use 'cn' instead of 'uid'.

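An added example, not code from this thread or from Okta, showing the shape of the JIT lookup the thread is about: the same filter as in the failure log with the identifier attribute switched from uid to cn, the login value escaped before it is placed in the filter, and a refusal to provision when the chosen attribute is not unique (the uniqueness point raised above). The directory, its DNs and the example.com names are constructed stand-ins.

```python
# Added example, not from the thread or from Okta: the JIT lookup shape
# seen in the failure log, parameterised by the identifier attribute.
# The directory below is a constructed in-memory stand-in (example.com
# names, made-up DNs), not a real AD LDS instance.

LOGIN_ATTRIBUTE = "cn"  # what the thread wants; the failing query used "uid"

DIRECTORY = [  # constructed sample entries
    {"dn": "CN=testUserId,OU=People,DC=example,DC=com",
     "objectclass": "user", "cn": "testUserId"},
    {"dn": "CN=jane.doe,OU=People,DC=example,DC=com",
     "objectclass": "user", "cn": "jane.doe", "uid": "jdoe"},
    {"dn": "CN=jane.doe,OU=Contractors,DC=example,DC=com",
     "objectclass": "user", "cn": "jane.doe"},  # duplicate cn
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login typed into the widget must not be able
    to change the structure of the search filter it is placed into."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_jit_filter(login: str, attribute: str = LOGIN_ATTRIBUTE) -> str:
    """Same filter as in the log, with the identifier attribute swapped."""
    return "(&(objectclass=user)(%s=%s))" % (attribute, escape_filter_value(login))


def jit_lookup(login, attribute=LOGIN_ATTRIBUTE, directory=DIRECTORY):
    """Return (dn, status). dn is None when JIT must not create a user:
    no match (the thread's error) or more than one match (cn not unique,
    so the login cannot be tied to a single account)."""
    # The toy applies the equality the filter expresses; a real server
    # evaluates the filter itself, usually case-insensitively for cn.
    matches = [e["dn"] for e in directory
               if e.get("objectclass") == "user" and e.get(attribute) == login]
    if not matches:
        return None, "User not found while executing query: " + \
            build_jit_filter(login, attribute)
    if len(matches) > 1:
        return None, "Ambiguous: %d entries match %s=%s" % (
            len(matches), attribute, login)
    return matches[0], "ok"


if __name__ == "__main__":
    for login, attr in [("testUserId", "uid"), ("testUserId", "cn"), ("jane.doe", "cn")]:
        print(attr, login, "->", jit_lookup(login, attr))
```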
This question is closed.