Using Employee Number or any Other AD Fields as a Username in OKTA

By | February 9, 2017

OKTA is such a powerful solution to provide identity management and SSO to any of your applications and we started to use it recently and it works really great if you use the usual Employee ID, SAM account name, SAM account name + domain, User principal name, Email and Email Prefix AD attributes as your Application Username but once you use Custom Attributes using Custom Expressions then you might encounter some issues like I did.

We have applications that use the Employee Number (Not ID) attribute in AD so I tried to use custom format ${user.employeeNumber} and always get a Custom Expression error telling me that The expression is invalid: Property ‘user.employeeNumber’ not found. Well that is not good as several of our apps use this as their username. So I called their support and looks like I found a bug in this solution but dont worry we also found a work around on how to deal with this types of scenario.

So what is the work around?
Basically we will just need to override it on the mapping section of the application, let me show you.

First just choose any Application username format on your application apart from Custom. Make sure you save it.

Now go to the menu on to then to Directory -> Profile Editor

Find your application then choose mappings

Click “Okta to {Your Application}”

Then click “Override with mapping”

now choose user.employeeNumber

then Preview it to double-check

Save your work! And its simple as that. Now you can go crazy on this one specially if you use a lot of the built-in OKTA Expression Language. Lets say this example

Where your username is a combination of employeeNumber, organization and other constant strings

See the result! You can do a lot with this thing.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.