Our SaaS app integration keys off of the Okta username/nameid and creates their account in our app based off of that. e.g. Okta passes the nameid = firstname.lastname@example.org and we create an account based off of that with a field in our db.
We also assert firstname, lastname, and email.
The user can be created with SAML w/ JIT or SCIM, depending on their config.
However, I keep running into an issue where a customer says they want to change their email address, but when they update the Okta profile and then try and sign in — it creates a duplicate account — as our app has never seen this newly added name, and therefore sees that as a new user.
One of my customers told me that he doesn’t have to worry about this with other apps.
We get variations of this request:
- if they only change the actual email address in the Okta profile, that is fine and gets pushed down to our app and we update the email address.
- Sometimes they change both the Okta username and the email address, and then it creates a new account.
So, I guess the question is: is there ever a reason why an existing user record in Okta should have its username / userId changed, and if so, how are we supposed to handle that on the SP side if we are using that as the unique identifier?
Also, how do most Okta admins perform a change? Do you go into the user's profile record and update both the username and email?
Just looking for some best practices on this.
Any tips for best practices?
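One SP-side pattern for the duplicate-account problem described above, as an added example that is not part of the original post: reconcile JIT/SCIM provisioning on an immutable identifier asserted by the IdP (assumed here to arrive as an attribute named `idp_id`, e.g. the IdP's internal user id) and treat the NameID/username and email as mutable profile fields. Legacy accounts that predate the immutable id are matched once by NameID and backfilled, and a username change that would collide with another account is refused rather than silently merged.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str                 # mutable login name (SAML NameID / SCIM userName)
    email: str
    first_name: str
    last_name: str
    idp_id: Optional[str] = None  # immutable IdP identifier (assumed attribute)


class AccountStore:
    """Reconciles provisioning on an immutable id, never on the username alone."""

    def __init__(self):
        self.accounts = []

    def _find(self, pred):
        return next((a for a in self.accounts if pred(a)), None)

    def provision(self, a):
        """a: attribute dict from one SAML assertion or SCIM payload.

        Returns (account, action) where action is 'created', 'updated' or 'linked'.
        """
        acct = self._find(lambda x: x.idp_id == a["idp_id"])
        action = "updated"
        if acct is None:
            # Legacy fallback: an account created before the immutable id was sent
            # is matched once by NameID and backfilled, so no second account appears.
            acct = self._find(lambda x: x.idp_id is None and x.username == a["nameid"])
            if acct is not None:
                acct.idp_id = a["idp_id"]
                action = "linked"
        # A new or renamed username must not collide with a different account.
        clash = self._find(lambda x: x is not acct and x.username == a["nameid"])
        if clash is not None:
            raise ValueError(f"username {a['nameid']} already belongs to another account")
        if acct is None:
            acct = Account(a["nameid"], a["email"], a["firstname"], a["lastname"], a["idp_id"])
            self.accounts.append(acct)
            return acct, "created"
        # Same immutable id: apply the rename and profile changes in place.
        acct.username, acct.email = a["nameid"], a["email"]
        acct.first_name, acct.last_name = a["firstname"], a["lastname"]
        return acct, action
```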