Add identifiers to a user profile policy
Early Access release. See Enable self-service features.
Adding identifiers to an app's user profile policy lets users sign in with something other than their username. You can select two custom attributes from the Okta user profile to serve as identifiers, or you can add new ones specifically for this purpose.
An identifier must be a read-write or read-only attribute, have a string data type, and contain no sensitive information. It must also be unique. Don't use phone numbers or secondary email addresses for identifiers.
Identifier priority
Setting the priority of identifiers is an important configuration step. When a user enters an identifier, Okta validates it against each identifier in the priority order that you set. When it finds a match, the evaluation process stops. This prevents two users from authenticating with the same value.
For example, one identifier is middle_name, and for User A, that's Barney. Another identifier is father_name, and for User B, that's Barney. If you set father_name as the highest priority identifier, User B is the only one who can authenticate with Barney.
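The evaluation order described above can be modelled in a few lines. This is an added example, not Okta's code: the user records, the `resolve` and `shadowed_values` helpers, and the exact-match comparison are assumptions made for illustration. Beyond the page's example, it also reports which users can't sign in with one of their own identifier values because a higher-priority identifier matches someone else first.

```python
# Added illustration: a model of the priority evaluation described above,
# not Okta's implementation. Profiles below are constructed sample data.

USERS = [
    {"login": "user.a@example.com", "middle_name": "Barney", "father_name": "Fred"},
    {"login": "user.b@example.com", "middle_name": "Lee", "father_name": "Barney"},
    {"login": "user.c@example.com", "middle_name": "Ann", "father_name": None},
]


def resolve(entered, priority, users):
    """Return the login matched by the first identifier, in priority order,
    that holds the entered value. Returns None when nothing matches.
    Assumes exact, case-sensitive comparison (an assumption of this model)."""
    for attr in priority:                 # highest priority first
        for user in users:
            if user.get(attr) == entered:
                return user["login"]      # evaluation stops at the first match
    return None


def shadowed_values(priority, users):
    """Return (login, attribute, value, winner) tuples for every identifier
    value that resolves to a different user than the one who owns it."""
    findings = []
    for user in users:
        for attr in priority:
            value = user.get(attr)
            if not value:                 # unset attributes can't be entered
                continue
            winner = resolve(value, priority, users)
            if winner != user["login"]:
                findings.append((user["login"], attr, value, winner))
    return findings


if __name__ == "__main__":
    order = ["father_name", "middle_name"]   # father_name has highest priority
    print("Barney signs in as:", resolve("Barney", order, USERS))
    for login, attr, value, winner in shadowed_values(order, USERS):
        print(f"{login}: {attr}={value!r} resolves to {winner}")
```

Running a check like this against an export of the candidate attributes before you change the priority order shows which users need to be told to use a different identifier.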
Before you begin
- You must be a super admin to add identifiers to a policy.
- If the custom attributes you want to use aren't in the user profile, add them. Remember that custom attributes shouldn't be hidden or contain sensitive information.
- For each custom attribute, set the Data type to string and the Restriction to Value must be unique for each user. If this restriction isn't in your dropdown list, see Unable to make a custom attribute unique.
Start this task
1. In the Admin Console, go to .
2. Find the policy that you want to add identifiers to, and then click its Edit icon.
3. On the Identification tab, click Add identifier.
4. Search for and select an attribute in the dropdown menu.
5. Click Save.
6. Drag and drop the attributes to change their priority.
7. Optional. Repeat steps 3 through 6 to add another identifier.
8. Optional. Click the trash icon to remove an identifier from the policy.
After adding identifiers, change the labels and hints on your sign-in page so that users know which attribute to enter. See Customize your sign-in page. You should also add the identifiers to your profile enrollment form if you don't already have the attributes stored in the Universal Directory. This step is required if you want to allow identifiers in self-service registration flows.