Okta username formats for LDAP

When you import users from LDAP, Okta uses these settings to generate the Okta username that your users will use to log in to Okta.

Note: Okta requires usernames to be in email format. Configuring these options correctly ensures that your usernames satisfy this requirement.

Email address 

Select this option if you want your users' LDAP email address to be their Okta username. Note: Email addresses must be unique in LDAP.

For example:

  1. If email addresses in LDAP are user.1234@example.com . . . ,
  2. and you select the Email address Okta username format . . . ,
  3. enter user.1234@example.com in the Username field.

User Id (UID) 

Select this option only if the UID value in the LDAP directory is already formatted as an email address.

For example:

  1. If the UID in LDAP is already formatted as an email address like user.1234@example.com . . . ,
  2. and you select the User Id (UID) Okta username format . . . ,
  3. enter user.1234@example.com in the Username field.

User Id (UID) + Configurable Suffix

Select this option only if the UID value in LDAP lacks an email suffix and you want end users to log in using a configurable email suffix.

For example:

  1. If the UID in LDAP is user.1234 . . . ,
  2. and you select the User Id (UID) + Configurable Suffix Okta username format . . . ,
  3. enter yourconfigurablesuffix.com in the Configurable Suffix field . . .
  4. enter user.1234@yourconfigurablesuffix.com in the Username field.

User Id (UID) @ Domain

Select this option only if the UID value in LDAP lacks an email suffix and you want Okta usernames to include your company's domain name as the email suffix.

For example:

  1. If the UID in LDAP is user.1234 . . . ,
  2. and your company's domain name is yourdomainname . . . ,
  3. and you select the User Id (UID) @ Domain Okta username format . . . ,
  4. enter user.1234@yourdomainname.com in the Username field.
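
A pre-import check for the four built-in formats above, as an added example (not Okta's code): it derives the username each option would produce from LDAP entries and flags results that are not email-shaped or that collide. The format keys, the `mail` attribute name, the simplified email pattern, the case-insensitive comparison and the sample entries are assumptions.

```python
import re
from collections import defaultdict

# Simplified email-shape check (an assumption; Okta's own validation rules
# are not given on the page).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def okta_username(entry, fmt, suffix=None, domain=None):
    """Derive the username for one LDAP entry under one of the four formats.
    The fmt keys are hypothetical labels for the options described above."""
    if fmt == "email":          # Email address
        return entry.get("mail", "")
    if fmt == "uid":            # User Id (UID)
        return entry.get("uid", "")
    if fmt == "uid_suffix":     # User Id (UID) + Configurable Suffix
        return f"{entry.get('uid', '')}@{suffix}"
    if fmt == "uid_domain":     # User Id (UID) @ Domain
        return f"{entry.get('uid', '')}@{domain}"
    raise ValueError(f"unknown format: {fmt}")

def preflight(entries, fmt, suffix=None, domain=None):
    """Return (usernames by DN, DNs with non-email usernames, colliding usernames)."""
    usernames, invalid, seen = {}, [], defaultdict(list)
    for e in entries:
        name = okta_username(e, fmt, suffix, domain)
        usernames[e["dn"]] = name
        if not EMAIL_RE.match(name):
            invalid.append(e["dn"])
        seen[name.lower()].append(e["dn"])  # case-insensitive compare (assumption)
    duplicates = {n: dns for n, dns in seen.items() if len(dns) > 1}
    return usernames, invalid, duplicates

# Constructed sample entries, not real directory data.
SAMPLE = [
    {"dn": "uid=user.1234,ou=people,dc=example,dc=com",
     "uid": "user.1234", "mail": "user.1234@example.com"},
    {"dn": "uid=user.5678,ou=people,dc=example,dc=com",
     "uid": "user.5678@example.com", "mail": "user.5678@example.com"},
    {"dn": "uid=svc.backup,ou=services,dc=example,dc=com",
     "uid": "svc.backup", "mail": "User.1234@example.com"},
]

if __name__ == "__main__":
    for fmt in ("email", "uid", "uid_suffix", "uid_domain"):
        _, bad, dups = preflight(SAMPLE, fmt, suffix="yourconfigurablesuffix.com",
                                 domain="yourdomainname.com")
        print(f"{fmt}: invalid={bad} duplicates={dups}")
```

With the sample data, the UID option rejects the two bare UIDs, the two suffix options reject the UID that already contains an @, and the Email address option surfaces a shared mailbox address.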

Custom

If you wish to use a custom username to sign in to Okta, use the Custom option and the Okta Expression language to map the Okta username format. You can preview your changes to validate your mapping expression. Expressions allow you to concatenate attributes, manipulate strings, convert data types, and more. Okta supports a subset of the Spring Expression Language (SpEL) functions. Find a comprehensive description of the supported functions under Okta Expression Language.
