Okta Classic Engine | Lifecycle Management | Answered | 2025-11-17T15:51:30.000Z | 2025-10-06T21:35:04.000Z

HeorhiF.32654 (Customer) asked a question.

Paylocity and Okta Integration: Username and SCIM Mapping Issues

Hi everyone,

I’m working on integrating Paylocity with Okta via SCIM provisioning, and I’ve run into an issue when trying to switch Paylocity as the source of truth.

When Paylocity is set as the source, the provisioning fails because of username mismatches:

• Paylocity sends first.lastname as the userName.

• Okta uses the email address as the username for SSO.

• If I try to log into Paylocity using first.lastname, I get:

“Invalid single sign-on attempt. Please log in or contact your company administrator to link your account.”

• If I change the username format in Paylocity to email, the app disappears from Okta, and provisioning fails with “user not found” errors.

Is there a supported way to make Paylocity send user.email instead of first.lastname as the SCIM userName?

If not, what’s the best practice to transform the username in Okta (Expression Language, profile mapping, etc.) to keep Okta email-based logins working?

Has anyone successfully normalized usernames between Okta and Paylocity without breaking SSO?

Any insight, best practices, or confirmed working setups would be really appreciated!

Thanks in advance, George


  • Hi @HeorhiF.32654 (Customer), thank you for reaching out to the Okta Community!

     

    I would start by checking the username format configuration on the Okta side. 

    First go to your Okta Admin Dashboard > Applications > Paylocity > Sign On tab > Username format - should be set to email.

    Then on the Provisioning tab, go to Settings > "To Okta" > User Creation and Matching > "Imported user is an exact match to Okta user if" > "Email matches"

    This should ensure that "email" is the attribute used for reference when importing users.  

     

    If you continue experiencing issues with the implementation, I recommend opening a case to work with a dedicated Okta Support resource to review the configuration and troubleshoot.

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

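The "Email matches" import rule described in the answer above can be dry-run on exported user data before provisioning is switched on. This is an added example, not part of the original thread and not Okta or Paylocity code; the records are constructed, the `primary_email` and `dry_run` helpers are hypothetical, and case-insensitive comparison is an assumption.

```python
from collections import defaultdict

# Constructed SCIM-style records as the HR source would send them (userName = first.lastname).
SCIM_USERS = [
    {"userName": "jane.doe", "emails": [{"value": "Jane.Doe@example.com", "primary": True}]},
    {"userName": "sam.lee", "emails": [{"value": "sam.lee@example.com", "primary": True}]},
    {"userName": "alex.kim", "emails": []},
    {"userName": "pat.ray", "emails": [{"value": "shared@example.com", "primary": True}]},
]
# Constructed Okta-side users: the login is the email address.
OKTA_USERS = [
    {"id": "u1", "login": "jane.doe@example.com", "email": "jane.doe@example.com"},
    {"id": "u2", "login": "shared@example.com", "email": "shared@example.com"},
    {"id": "u3", "login": "shared2@example.com", "email": "shared@example.com"},
]

def primary_email(scim_user):
    """Return the primary (else first) email, normalized, or None if absent."""
    emails = scim_user.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    return chosen["value"].strip().lower() if chosen and chosen.get("value") else None

def dry_run(scim_users, okta_users):
    """Compare matching on userName against matching on email for each import."""
    by_login = {u["login"].lower(): u["id"] for u in okta_users}
    by_email = defaultdict(list)
    for u in okta_users:
        by_email[u["email"].lower()].append(u["id"])
    report = {}
    for s in scim_users:
        email = primary_email(s)
        hits = by_email.get(email, []) if email else []
        if email is None:
            status = "no_email"      # cannot be matched on email at all
        elif len(hits) == 1:
            status = "match"         # exactly one existing user: safe to link
        elif len(hits) > 1:
            status = "ambiguous"     # shared address: needs manual review
        else:
            status = "new_user"      # no existing user: import would create one
        report[s["userName"]] = {
            "username_match": s["userName"].lower() in by_login,
            "email_status": status,
            "okta_ids": hits,
        }
    return report

if __name__ == "__main__":
    for name, row in dry_run(SCIM_USERS, OKTA_USERS).items():
        print(name, row)
```

Rows reported as `ambiguous` or `no_email` are the ones to resolve by hand before enabling import, since an automatic link there would either fail or attach HR data to the wrong account.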
  • HeorhiF.32654 (Customer)

    Hello @Mihai Negoita - Okta (Okta, Inc.),

    Thank you for the quick reply.

    Yes, it's email.

    Also, I've tried many other options.

    What is interesting is that if provisioning is off, the email works to get access to Paylocity via SSO.

    Since provisioning is on, I can't get access with the errors that I've provided.

    In Paylocity, you can't change the user name to the email format.

     

     

  • BrandonB.06003 (Customer)

    This should all be configurable via the profile mapping in Okta of Paylocity > Okta and the Okta username format. If that still doesn't work, then it may be the way Paylocity is saving data on its side, possibly not saving the right data in the right fields.

  • HeorhiF.32654 (Customer)

    I've tried that way as well.

    In the meantime, I have also contacted Paylocity's tech support.

    And..... I don't know why Okta doesn't have that updated instruction:

     

    Setting up User Provisioning in Okta

    1. In Okta, we recommend having 2 installations of the Paylocity application: one used for SSO and one for Provisioning. This will avoid making changes to your SSO-enabled app integration and any possible conflicts between the 2 features. The SSO-enabled app integration and the provisioning-enabled app integration are “linked” through the use of shared user folders.

    a. The provisioning-enabled app integration will run in the background and will not be accessible to users. Users will only access the SSO-enabled app integration. The provisioning-enabled app integration only handles user lifecycle management actions.

     

    I hope that information could save a lot of time for admins who are going to do the same integration.

    Let me know if you need my assistance.

    Thanks, everyone.

    Selected as Best
