Okta is a powerful solution for identity management and SSO across all of your applications. We started using it recently and it works really well as long as you stick to the standard Application Username formats backed by AD attributes: Employee ID, SAM account name, SAM account name + domain, User principal name, Email and Email prefix. Once you switch to Custom and write your own expression, though, you may run into issues like I did.
We have applications that use the Employee Number attribute (not Employee ID) from AD, so I tried the custom format ${user.employeeNumber} and always got a custom expression error telling me "The expression is invalid: Property 'user.employeeNumber' not found". That is not good, since several of our apps use this value as their username. So I called Okta support, and it looks like I found a bug in the product, but don't worry: we also found a workaround for this type of scenario.
So what is the work around?
Basically, instead of using the Custom username format, we override the username in the application's profile mapping. Let me show you.
First, choose any Application username format for your application other than Custom. Make sure you save it.
Now go to the admin menu, then to Directory -> Profile Editor.
Find your application, then choose Mappings.
Click “Okta to {Your Application}”
Then click “Override with mapping”
Now set the application username mapping to user.employeeNumber.
Then click Preview to double-check the result against a real user.
Save your work! It is as simple as that. Now you can go crazy with this one, especially if you use the built-in Okta Expression Language. Take this example,
where the username is a combination of employeeNumber, organization and some constant strings:
See the result! You can do a lot with this thing.
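To make the override step and the combined-attribute example above concrete, here are two expressions written for the "Override with mapping" field. These are added examples, not the expressions from the original post's screenshots. user.employeeNumber, user.organization and user.login are Okta base profile attributes; the "ACME" prefix and the "-" separator are made-up constants, and the second expression assumes that comparing an unset employeeNumber against "" evaluates to false in your tenant (verify this with Preview against a user who has no employee number before you push the mapping).

```text
String.join("-", "ACME", user.employeeNumber, user.organization)

user.employeeNumber != "" ? String.join("-", "ACME", user.employeeNumber, user.organization) : user.login
```

The first expression is the straightforward case: it yields a username such as ACME-12345-Finance. The second falls back to the Okta login when employeeNumber is empty, which matters because a mapping that evaluates to the same value for several users (for example "ACME--Finance" for everyone without an employee number) produces duplicate or empty application usernames, and duplicate usernames in a downstream app are how one person ends up signed in as another. Before relying on either expression, confirm in AD that employeeNumber is populated for every in-scope user, unique, and only writable by HR or your provisioning process, not by the users themselves.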