SAML assertion UserID

For some reason Okta SAML assertion returns user email as NameID even when “Persistent” type is selected.
User email is not really an immutable property and can be renamed for example. So we need a more “persistent” user ID instead like the Okta user ID (which is BTW correctly returned by OpenID connector).

Any ideas how to get user ID through SAML auth?

On the Sign On tab you can change the mapping (including custom where you can use expression language):

image

Govner,

Sorry, can you please clarify whether you mean “Application username” dropdown?
Setting it to “okta username” didn’t help.
I still don’t see userID similar to this one (00u25f75zPX9RN32c4x6) anywhere …

Hi @Pett

Please navigate in your Okta administrative dashboard to Users/Directory >> Profile Editor >> your application >> Mappings >> Okta to your application >> and, for the section Username is set by *your application*, press Override with mapping and add the following expression user.getInternalProperty("id").

Here is an example on how it would look like when previewing the assertion:

1 Like

Hi @dragos,

Thanks a lot for your reply!
Do you know if it is possible to get also GSuite user ID provisioned by Okta this way?
We have to match a user logged in via Okta and GSuite resources corresponding to that user (we provide access to). Checking just an email seems to be insecure as anyone can create such a formal identity in 3rd party IDP or even Okta directly.
Any ideas on that?