Does the primary email address of a user need to be unique?

Hi,

I’d like to know about the policy for the primary email address of a user (default profile).

In fact, I’m a little confused about this because, on one side, the primary email is supposed to be unique according to the doc (Users | Okta Developer). On the other side, I can create multiple accounts with the same email address in my organisation. But I cannot find any settings in the console.

So my questions are:

  • Does the primary email address of a user need to be unique?
  • Where can we define this policy (or can we customize it => unique or not)?

Any reply would be appreciated.

Br.

@Chengbo We suggest uniqueness for primary email addresses. Okta automatically uses the email address as the end user’s username.

Hi @Lijia, thanks for your return.

Okta automatically uses the email address as the end user’s username. => Do you mean that in the user profile mapping (app profile => Okta profile), appuser.username maps to email by default? But it is possible to change this mapping (which is how I made my test to create multiple accounts with the same email)?

Thanks in advance.

@Chengbo You may have conflicts when testing if the primary email is not set up as unique. You may set up multiple emails for a user’s secondary email.

@Lijia, thanks for your return.

Can you specify what kind of conflicts?

In fact, we are preparing to migrate our authentication to Okta. So we need to examine everything in as much detail as possible. So could you confirm:

  • Okta enforces uniqueness for all primary email addresses, but it’s technically possible to disable this (by changing the profile mapping)?
  • The notification could be sent to the second email (Error while creating multiple users with same email - Unique username - #4 by erik); could you specify where I can do this in the console? cause I do find by now (I’ve just an admin account, not a super admin in my org).

Thanks in advance.

Br,
Chengbo

Hey Chengbo, I think the Okta username which uses the email address by default must be unique, but the primary email address does not need to be unique by default. I’ve got multiple accounts with different usernames and the same primary email address (as you found) - take a look at my screenshot.

Usernames must be unique in Okta and most identity platforms, but not emails.
I don’t know why it’s marked as UNIQUE=TRUE in the referenced table. That page links to the SCIM standard which has a multi-valued field ‘emails’ which are only a SHOULD (not MUST).

I’d suggest it’s possibly a documentation error - unless user creation via the API has different constraints to the Okta Admin UI. I don’t have Postman handy to check.

@Chengbo The possible conflict is when you set up password reset using the forgot password option: the reset password link is sent to the same email ID for multiple accounts.

Hi @abole and @Lijia,

Thanks for your return. Yes, we may also have conflicts when we activate MFA. So all the notifications sent by Okta go to the primary email? (I mean this is not configurable by the admin, to change to the second email for example)

Br.

Hey did you see this? Okta Help Center (Lightning).

Settings > Customization > Optional user account fields

Hey @abole,

Just found it, thanks a lot. Yes, when it is activated, the second email will receive a copy of the notifications.

@Chengbo For testing purposes, you may create multiple Okta users with one email. However, the problem is that multiple people will share access to a single email account, such as a distribution list. That is potentially a security threat. We recommend that only individual email addresses be used for Okta users for this reason.

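For the migration audit discussed in this thread, an added example (not written by any poster and not Okta's code) that flags mailboxes reachable by more than one login, the situation in which password reset links or notification copies for several accounts land in the same inbox. It assumes user records shaped like Okta Users API objects (`status`, `profile.login`, `profile.email`, `profile.secondEmail`) and case-insensitive address matching; the function name and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, shaped like Okta Users API objects (assumption).
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE",
     "profile": {"login": "alice", "email": "team@example.com"}},
    {"id": "u2", "status": "ACTIVE",
     "profile": {"login": "bob", "email": "Team@Example.com "}},
    {"id": "u3", "status": "DEPROVISIONED",
     "profile": {"login": "old", "email": "team@example.com"}},
    {"id": "u4", "status": "ACTIVE",
     "profile": {"login": "carol", "email": "carol@example.com",
                 "secondEmail": "team@example.com"}},
    {"id": "u5", "status": "ACTIVE",
     "profile": {"login": "dave", "email": "dave@example.com"}},
]


def normalize(addr):
    """Trim and lower-case an address (assumption: mailboxes ignore case)."""
    return (addr or "").strip().lower()


def shared_mailboxes(users, skip_statuses=("DEPROVISIONED",)):
    """Return {mailbox: [logins]} for every mailbox tied to more than one login.

    A login is tied to a mailbox through its primary email or its secondEmail,
    because either address can receive account notifications.
    """
    by_mailbox = defaultdict(set)
    for user in users:
        if user.get("status") in skip_statuses:
            continue  # assumption: deactivated accounts are out of audit scope
        profile = user.get("profile", {})
        login = profile.get("login") or user.get("id", "?")
        for field in ("email", "secondEmail"):
            addr = normalize(profile.get(field))
            if addr:
                by_mailbox[addr].add(login)
    return {a: sorted(l) for a, l in by_mailbox.items() if len(l) > 1}


if __name__ == "__main__":
    for addr, logins in shared_mailboxes(SAMPLE_USERS).items():
        print(f"{addr}: shared by {', '.join(logins)}")
```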