You use expressions to concatenate attributes, manipulate strings, convert data types, and more. Expressions within attribute mappings let you modify attributes before they are stored in Okta or sent to apps. Expressions also help maintain data integrity and formats across apps. For example, you might want to use an email prefix as a username, bulk replace an email suffix, or populate attributes based on a combination of existing attributes (
displayName = lastName, firstName).
Okta supports a subset of the Spring Expression Language (SpEL) functions. See Okta Expression Language.
While some functions (namely
string) work in other areas of the product (for example, SAML 2.0 Template attributes and custom username formats), not all do.
You can use the Okta Expression Language to create custom Okta application user names. These are some examples of how this can be done:
- Construct an Okta username by concatenating multiple imported attributes.
- Create differently formatted user names using conditionals. For example
attribute1= A, then username should end in acme.com. Otherwise, username should end in acme-temp.com.
- Example: email@example.com, firstname.lastname@example.org
- This is useful for distinguishing between different types of users (such as employees vs. contractors).
- Construct app user names from attributes in various sources.
- Enforce a max length by truncating.
The username override feature overrides previously selected Okta or app user name formats. When you implement a user name override, the previously selected user name formats no longer apply.
You can also use user name override functionality with Selective Attribute Push to continuously update app user names as user profile information changes. For example, when the user name changes in an app that uses an email address for the user name format, Okta can automatically update the app user name to the new email address.
App user name overrides
To change the app user name format, you select an option in the Application username format list on the app Sign On page. The user name mapping displayed on the app Sign On page is the source of truth for the Okta to App flow. Changing when the app user name is updated is also completed on the app Sign On page.
For Active Directory (AD), LDAP and SAML Identify Provider apps, you use the Profile Editor to override user name mappings.