Can Sub claim be configured to be GUID?

We are migrating to Okta from another SSO provider that formatted the subject claim as a GUID.

We use that GUID value in quite a few places. I would just update the field to be a string, but due to some intercompany politics I need to keep the ability to go back (temporarily) to the old provider on short notice until all of the other services have also made the migration to Okta.

So before I go to the effort to maintain 2 UserIDs and duplicate the plumbing to support the Okta sub string, I thought I would ask if there is a way to configure Okta to send GUIDs instead of the string I am getting by default now?

Thank you,
Gary

Are we talking about ID tokens or Access tokens? Your ID tokens should contain a sub claim matching the user’s ID in Okta, and an access token should contain a sub claim matching the user’s email address.

We don’t really offer a way to configure the sub claim, outside of the one returned in an Access Token issued by a custom Authorization Server, so is it possible for your system to check a different claim instead?

Thank you for the quick response.

I guess the ID token, as the sub contains values like 00u21etfus9ASp53V5d7 and not the user’s email.

Ah so I could add a custom claim that stored a GUID but… that will require the folks provisioning user accounts to generate and paste a GUID. I will think on that some. I’m not sure if I trust them to always get it right. Better the code carry the burden.

Thank you!
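
One way for the code to carry the burden discussed in this thread, as an added example that is not from any of the posters or from Okta: it maps already-validated ID token claims to an internal GUID, keyed on issuer plus `sub` so the two providers cannot collide. The issuer URLs, the `legacy_guid` claim name, the namespace UUID and the `known_links` table are assumptions made for this sketch.

```python
import uuid

# Assumptions for this example (none come from the thread): both issuer URLs,
# the custom claim name and the namespace UUID are constructed placeholders.
LEGACY_ISSUER = "https://legacy-sso.example.com"
OKTA_ISSUER = "https://example.okta.com"
GUID_CLAIM = "legacy_guid"
NAMESPACE = uuid.UUID("6f1c2a9e-5b0d-4c3e-9a77-2d1e8f4b0c11")  # fixed once per deployment


def resolve_user_guid(claims, known_links):
    """Return the internal GUID for a token whose signature, issuer,
    audience and expiry have already been verified by the caller.

    known_links maps (iss, sub) -> uuid.UUID for users who already had a
    GUID under the old provider and were linked during migration.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        raise ValueError("token is missing iss or sub")

    if iss == LEGACY_ISSUER:
        # Old provider: sub is the GUID itself. uuid.UUID rejects anything else.
        return uuid.UUID(sub)
    if iss != OKTA_ISSUER:
        raise ValueError("untrusted issuer: %r" % iss)

    # 1. Existing user linked by code during migration.
    linked = known_links.get((iss, sub))
    if linked is not None:
        return linked

    # 2. Optional custom claim holding a GUID. It may have been typed by
    #    hand, so a malformed value is rejected instead of being stored.
    raw = claims.get(GUID_CLAIM)
    if raw:
        return uuid.UUID(raw)

    # 3. New user: derive a stable version 5 UUID from issuer and sub, so
    #    nobody has to generate or paste a GUID when provisioning accounts.
    return uuid.uuid5(NAMESPACE, iss + "|" + sub)
```

Derived GUIDs exist only on the Okta side, so a fallback to the old provider still depends on `known_links` for users who had a GUID there.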
