Enforce uniqueness on custom attributes

You can enforce attribute uniqueness across your organization for custom attributes in the Okta user profile, such as employee identification number. You can declare a maximum of 5 unique attributes for each user type. The limit of 5 unique attributes is applied on a per-type basis. You do not need to select the same set of attributes for each user type. For example, the 5 unique attributes you declare unique for user profile A do not need to match what you declared for user profiles B, C, or D.

Unique attributes share a single namespace across all user types per org. If user types A and B both contain the attribute ice cream and you identify it as unique in both profiles, then if a user of type A has the value chocolate, no other user of type A or B (or of any other user type with ice cream declared unique) can have that value. To allow duplicates between unique attributes in different types, give the attributes slightly different names. For example, ice creamA and ice creamB are tracked separately.

Attributes that are not unique are not tracked for uniqueness. If the attribute candy is unique in type E and not unique in type F, and a user of type E has the value caramel for the attribute, then no other user of type E can have the value caramel, but any number of users of type F can still have the value caramel. Although candy is unique in E, it is not unique in F, so the value of the attribute in users of type F does not matter.

You can only enforce uniqueness on custom attributes in the Okta user profile. If you are importing users from Active Directory or LDAP and attempt to import one or more users who would violate the uniqueness requirement, the import fails for those users.

If an end user edits their profile and attempts to enter a duplicate value for a custom attribute that has the uniqueness restriction applied to it, they will see a message that the value already exists. They will be unable to save their change until they enter a unique value.

When you mark an existing custom attribute as requiring a unique value, Universal Directory runs a validation check to ensure that no duplicate entries already exist.

  • This check may take some time, depending on how many user records you have.
  • A status message on the Profile Editor page indicates:
    • how many records have been checked,
    • how many duplicates have been found, and
    • the estimated time remaining.
  • If duplicate records are found, the attribute cannot currently have uniqueness applied to it, and the Restriction check box is cleared automatically. You must resolve the duplicate values before applying uniqueness to the attribute.
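The namespace rules described above (a value is shared across every user type that declares the attribute unique, ignored in types where it is not unique, and tracked separately under a different attribute name) and the duplicate check that must pass before the restriction can be applied, as an added Python example that is not part of this Okta page. It runs over a constructed user export; the user records, type names, attribute names and the 5-per-type limit check are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample user export (hypothetical data, not from an Okta org).
# Each record carries the user's type and the custom attributes of its Okta profile.
USERS = [
    {"id": "u1", "type": "A", "profile": {"iceCream": "chocolate"}},
    {"id": "u2", "type": "B", "profile": {"iceCream": "chocolate"}},  # same namespace as type A
    {"id": "u3", "type": "E", "profile": {"candy": "caramel"}},
    {"id": "u4", "type": "F", "profile": {"candy": "caramel"}},       # candy is not unique in F
    {"id": "u5", "type": "E", "profile": {"candy": "caramel"}},       # duplicates u3 within E
    {"id": "u6", "type": "A", "profile": {"iceCreamA": "vanilla"}},
    {"id": "u7", "type": "B", "profile": {"iceCreamB": "vanilla"}},   # different names, tracked separately
]

# Attributes declared unique, per user type (assumed; at most 5 per type).
UNIQUE_ATTRS = {
    "A": {"iceCream", "iceCreamA"},
    "B": {"iceCream", "iceCreamB"},
    "E": {"candy"},
    "F": set(),
}

MAX_UNIQUE_PER_TYPE = 5


def find_conflicts(users, unique_attrs, max_per_type=MAX_UNIQUE_PER_TYPE):
    """Return {(attribute, value): [user ids]} for every value that would violate uniqueness.

    Values are keyed by attribute name only, so one value is shared across all user
    types that declare the attribute unique. Users of a type where the attribute is
    not declared unique are ignored, as are users with no value for it.
    """
    for utype, attrs in unique_attrs.items():
        if len(attrs) > max_per_type:
            raise ValueError(f"user type {utype} declares {len(attrs)} unique attributes, limit is {max_per_type}")
    seen = defaultdict(list)
    for user in users:
        for attr in unique_attrs.get(user["type"], ()):
            value = user["profile"].get(attr)
            if value is not None:
                seen[(attr, value)].append(user["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def safe_to_apply(users, unique_attrs, attribute):
    """True when no duplicate values exist for `attribute`, so the restriction can be enabled."""
    return not any(attr == attribute for attr, _ in find_conflicts(users, unique_attrs))


if __name__ == "__main__":
    for (attr, value), ids in find_conflicts(USERS, UNIQUE_ATTRS).items():
        print(f"{attr}={value!r} is duplicated by users {ids}")
```

An empty result from find_conflicts means the validation check described above would pass for every declared unique attribute.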

To enforce uniqueness for a custom attribute:

  1. In the Profile Editor, click Okta Profile to edit the Okta user profile attributes.
  2. Scroll to the custom attribute you want to mark as unique.
  3. Click Edit.
  4. For Restriction, select the option that the value must be unique for each user.

    While Okta verifies that the existing data is unique across all users, the check box is unavailable. To remove the uniqueness requirement, deselect the option.

  5. Click Save Attribute.

The status message on the Profile Editor page displays the validation progress and status. This message is displayed to all admins viewing the Profile Editor page so that they are aware a validation check is running.