Add identifiers to a user profile policy
Early Access release. See Enable self-service features.
Adding identifiers to an app's user profile policy lets users sign in with something other than their username. You can select two custom attributes from the Okta user profile to serve as identifiers, or you can add new ones specifically for this purpose.
An identifier must be a read-write or read-only attribute, have a string data type, and contain no sensitive information. It must also be unique. You shouldn't use phone numbers or secondary email addresses for identifiers.
Identifier priority
Setting the priority of identifiers is an important configuration step. When a user enters an identifier, Okta validates it according to the priority that you set. When it finds a match, the evaluation process stops. This prevents users from authenticating with the same value.
For example, one identifier is middle_name, and for User A, that's Barney. Another identifier is father_name, and for User B, that's Barney. If you set father_name as the highest priority identifier, User B is the only one who can authenticate with Barney.
Before you begin
-
You must be a super admin to add identifiers to a policy.
-
Be sure that the attributes you want to use for identifiers are in the default Okta user profile. See Understand attribute rules for the profile enrollment form.
Start this task
- In the Admin Console, go to .
- Find the policy that you want to add identifiers to, and then click its Edit icon.
- On the Identification tab, click Add identifier.
- Search for and select an attribute in the dropdown menu.
- Click Save.
- Drag and drop the attributes to change their priority.
- Optional. Repeat steps 3 through 6 to add another identifier.
- Optional. Click the trash icon to remove an identifier from the policy.
After adding identifiers, change the labels and hints on your sign-page so that users know which attribute to enter. See Customize your sign-in page. You should also add the identifiers to your profile enrollment form, if you don't already have the attributes stored in the Universal Directory. This step is required if you want to allow identifiers in self-service registration flows.