
vikneshj.66275 (Customer) asked a question.
Hello,
We have set up SAML 2.0 as an Identity Provider to allow users to use their existing credentials to log in to our application through Okta. We currently use the user's username (email address) to match against the incoming SAML assertion. The problem is that the user's email address on the IdP side can change. This leads to the creation of a new user in Okta, which we do not prefer, since we create new users via our web app and keep a reference to the Okta user external ID.
We tried:
- Matching against a custom field, but then how do we enforce uniqueness?
- Turning off JIT, but then it would disable profile attribute sync.
- The other option to avoid "create new user" in JIT is to redirect the user to the Okta sign-in page when a match is not found. This is not preferred, as we want the user to land on our custom login page. Is there a way to do that?
Any advice on how to tackle this scenario?

What exactly is changing in the user's email ID? If only the domain is changing, then in Okta IdP settings -> IdP Username, use an Okta expression that can match even when the email ID changes.
Or you can refer to any other constant SAML attribute which can be used as the Okta username, e.g. [ idpuser.firstName + idpuser.lastName + "@abc.com" ]
In order to maintain uniqueness, I would suggest the "uniqueID@idpID.idp" username format in the hub:
- find the uniqueID that never changes on the IdP/spoke end
- create a custom username format under IdP config settings: uniqueID@idpID.idp
==> idpuser.subjectNameId + "@" + "oghvfgtyghytyiv.idp"
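The answer above comes down to one account-linking rule: match the incoming assertion on an identifier the IdP never changes (the persistent NameID), not on the email address. The following is an added illustration, not code from the thread or from Okta: a toy JIT directory that parses a constructed SAML assertion and compares the two username rules side by side. The IdP suffix `example-idp.idp`, the attribute names, the subject ID and the two login assertions are all constructed for the example; the `username_from_subject` rule mirrors the `idpuser.subjectNameId + "@" + "<idpID>.idp"` expression from the answer.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_ASSERTION}

# Hypothetical constant suffix standing in for the "idpID.idp" part of the answer.
IDP_ID = "example-idp.idp"


def make_assertion(subject_id, email, first, last):
    """Build a minimal constructed SAML assertion (only the parts the matcher reads)."""
    return f"""<saml:Assertion xmlns:saml="{SAML2_ASSERTION}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{subject_id}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>{first}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>{last}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the NameID and attribute values into a dict shaped like Okta's idpuser."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = val.text if val is not None else None
    return {"subjectNameId": name_id.text.strip(), **attrs}


def username_from_email(idpuser):
    """The rule the question started with: match on the (mutable) email address."""
    return idpuser["email"].lower()


def username_from_subject(idpuser):
    """Mirrors the answer's expression: idpuser.subjectNameId + "@" + "<idpID>.idp"."""
    return f"{idpuser['subjectNameId']}@{IDP_ID}"


class Directory:
    """Toy JIT directory: users keyed by the computed Okta username."""

    def __init__(self, username_rule):
        self.rule = username_rule
        self.users = {}
        self.next_ext_id = 1

    def jit_login(self, assertion_xml):
        idpuser = parse_assertion(assertion_xml)
        username = self.rule(idpuser)
        user = self.users.get(username)
        created = user is None
        if created:
            # No match: JIT creates a fresh user with a new external ID.
            user = {"externalId": f"00u{self.next_ext_id:05d}", "login": username}
            self.next_ext_id += 1
            self.users[username] = user
        # Profile attribute sync runs on every login, matched or newly created.
        user["email"] = idpuser["email"]
        user["firstName"] = idpuser["firstName"]
        user["lastName"] = idpuser["lastName"]
        return user, created


def simulate(username_rule):
    """Log the same IdP subject in twice, with the email changed in between."""
    d = Directory(username_rule)
    first_login = make_assertion("a1b2c3-persistent-id", "jane.doe@old-domain.example", "Jane", "Doe")
    second_login = make_assertion("a1b2c3-persistent-id", "jane.smith@new-domain.example", "Jane", "Smith")
    u1, _ = d.jit_login(first_login)
    u2, created_again = d.jit_login(second_login)
    return {
        "user_count": len(d.users),
        "same_external_id": u1["externalId"] == u2["externalId"],
        "created_on_second_login": created_again,
        "current_email": u2["email"],
    }


if __name__ == "__main__":
    print("email rule:  ", simulate(username_from_email))
    print("subject rule:", simulate(username_from_subject))
```

With the email rule the second login produces a second user and a second external ID, which is exactly the reference breakage the question describes; with the subject rule the existing user is matched, its external ID is preserved and attribute sync updates the email in place. The subject-based form also gives uniqueness for free, because the persistent NameID is unique per IdP and the suffix scopes it to that IdP.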
Thanks for your reply. I tried setting the username from the incoming SAML response and it worked fine. But when the user's email is changed, the primary email is updated, along with the username, back to the email. How do I stop that and always set the username from the SAML response?
Reach out to Okta Support by opening a case.
There was a feature flag turned on that caused the username to match the email;
let them turn off this flag.