
JordanJ.26599 (Customer) asked a question.
Hello,
This isn't a question but a lesson learned. I needed to populate managerUPN for Okta users and my only profile source is Active Directory. I searched all over discussion boards and Knowledge Base and found nothing other than using Workday as a profile source and leveraging attribute mastering. We use Workday but I didn't think I needed to go that path. I found some expression that can help with this.
This expression was the key: getManagerUser("active_directory").<external name of AD attribute>
I found this didn't work for ALL AD attributes (did work for email and display name also) but it got me what I needed.
getManagerUser("active_directory").sAMAccountName + "@mydomain.com"
This was a huge win as we have one (rather important) SSO build that needed to send the managerUPN in the assertion.

I was trying the same using UPN, like below, but it didn't click for me
getManagerUser("active_directory").userPrincipalName
I found that not all attributes were compatible with the getManagerUser function, including userPrincipalName. I solved for my issue by appending the domain suffix at the end of the expression. If you have one domain, like we have where I work, then it is easy to insert a static value for that. If you have a multi-domain forest then you may need to get creative. Create an attribute in Okta, say "myDomain" and build that so it takes the qualified domain name for a user and makes it a new attribute. For example, if I am <jnsmith@example.com>, the "myDomain" attribute would just display <example.com>. Then use that new attribute to build your expression.
getManagerUser("active_directory").sAMAccountName + "@" + user.myDomain
Use your creative license to build whatever you'd like, the getManagerUser function only works for some attributes but the key is that it exists and you can query a user's manager and bring in enough of that identity information to customize what you need.
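An added example, not part of the original posts and not Okta code: a Python model of the multi-domain expression above, run over constructed directory records, that flags users whose derived manager UPN differs from the manager's real userPrincipalName before the value is sent in an assertion. It assumes the manager is referenced by sAMAccountName (AD itself stores a distinguished name) and that "myDomain" is the part of the user's own UPN after the "@".

```python
# Constructed sample records standing in for an AD export; every name and domain is made up.
# Assumption: "manager" holds the manager's sAMAccountName (real AD stores a DN).
USERS = [
    {"sAMAccountName": "jnsmith", "userPrincipalName": "jnsmith@example.com", "manager": "akhan"},
    {"sAMAccountName": "akhan", "userPrincipalName": "akhan@example.com", "manager": "mlopez"},
    {"sAMAccountName": "mlopez", "userPrincipalName": "maria.lopez@corp.example.net", "manager": None},
    {"sAMAccountName": "tbrown", "userPrincipalName": "tbrown@corp.example.net", "manager": "mlopez"},
    {"sAMAccountName": "rlee", "userPrincipalName": "rlee@example.com", "manager": "tbrown"},
]


def my_domain(upn):
    """Model of the thread's "myDomain" attribute: the text after the last '@' of a UPN."""
    local, sep, domain = upn.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return domain.lower()


def audit(users):
    """Return (user, derived manager UPN, actual manager UPN) for every mismatch.

    The derived value mirrors the expression in the thread:
    manager's sAMAccountName + "@" + the *user's* myDomain.
    """
    by_sam = {u["sAMAccountName"].lower(): u for u in users}
    findings = []
    for u in users:
        if not u["manager"]:
            continue  # no manager set, nothing to map
        mgr = by_sam.get(u["manager"].lower())
        if mgr is None:
            findings.append((u["sAMAccountName"], None, None))  # dangling manager reference
            continue
        derived = mgr["sAMAccountName"] + "@" + my_domain(u["userPrincipalName"])
        actual = mgr["userPrincipalName"]
        if derived.lower() != actual.lower():
            findings.append((u["sAMAccountName"], derived, actual))
    return findings


if __name__ == "__main__":
    for user, derived, actual in audit(USERS):
        print(f"{user}: derived={derived} actual={actual}")
```

The mismatches in the sample come from two cases: a manager whose UPN prefix is not their sAMAccountName, and a manager who sits in a different domain than the user whose myDomain is appended.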
Can you guys tell me where exactly to put this expression? This will be a huge win for me, as I will be able to populate manager's details on the user within Okta for many downstream applications and workflows.
Hi Faraz,
First create the new attribute name that will populate the mapping in users' Okta profiles.
Go to Directory\Profile Editor
Find the Okta User (default) profile and click Profile to edit the Profile
Click Add Attribute. For me, I just used display name "managerUPN" and attribute name "managerUPN" and kept the rest default, then save. If you are going to use email or display name for manager then update the name however you feel works best.
Now that you have the new Okta attribute, you need to map a value to it from AD.
Go to Directory\Profile Editor
Click on your profile master (assuming this is Active Directory) and click Mappings
Make sure you are viewing the mappings for your directory TO Okta User
On the right-side, find the new Okta attribute you just created (for me that was "managerUPN")
On the corresponding left-side, the field for the mapping should be blank. This is where you enter your expression. For me it was-
getManagerUser("active_directory").sAMAccountName + "@mydomain.com"
You can enter a user's name at the bottom to preview the mapping and make sure it's working to your desire, then click Save Mappings.
It will take a little while (depending on number of users you have) to map that attribute to everyone's profile.
If you've waited a while (few hours) and still nothing, you can try this to force sync-
Go to Directory\Directory Integrations
Click your profile master (in my case this was Active Directory)
Click the Provisioning tab
Scroll down to the <your domain> Attribute Mappings section
Click Force Sync.
This was recommended to me by Okta Support but I'm not sure it was totally necessary for me. I think for me it was just a matter of waiting a few hours for the mappings to complete.
Hopefully this helps!
Thank you Jordan Jahn - I will try and report back to you.