For some reason the Okta SAML assertion returns the user email as the NameID even when the “Persistent” type is selected.
A user email is not really an immutable property; it can be renamed, for example. So we need a more “persistent” user ID instead, like the Okta user ID (which, by the way, is correctly returned by the OpenID connector).
Sorry, can you please clarify whether you mean the “Application username” dropdown?
Setting it to “Okta username” didn’t help.
I still don’t see a user ID similar to this one (00u25f75zPX9RN32c4x6) anywhere …
In your Okta administrative dashboard, please navigate to Users/Directory >> Profile Editor >> your application >> Mappings >> Okta to your application, and, in the section “Username is set by *your application*”, press “Override with mapping” and add the following expression: user.getInternalProperty("id").
Here is an example of how it would look when previewing the assertion:
Thanks a lot for your reply!
Do you know if it is also possible to get the GSuite user ID provisioned by Okta this way?
We have to match a user logged in via Okta with the GSuite resources corresponding to that user (which we provide access to). Checking just an email seems insecure, as anyone can create such a formal identity in a 3rd-party IdP or even in Okta directly.
Any ideas on that?
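The following is an added example, not code from the thread or from Okta, showing the service-provider side of the two points raised above: after the NameID has been remapped to the Okta user ID (the “Override with mapping” step), the application should key its account lookup on the (Issuer, NameID) pair and refuse a NameID that is still an email address even though its Format claims to be persistent. The two assertions, the issuer URL https://idp.example.com and the account table are constructed for the example; only the user ID 00u25f75zPX9RN32c4x6 comes from the thread. Signature validation is assumed to have already happened on the full Response and is not shown.

```python
"""Key a SAML login on (Issuer, NameID) rather than on the e-mail address.

Added example; the assertions and account store below are constructed,
not captured from Okta.  The XML signature on the Response must already
have been verified before anything here is trusted, and a hardened parser
(e.g. defusedxml) should replace xml.etree in production.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: NameID carries the Okta user ID after the
# user.getInternalProperty("id") mapping override.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00u25f75zPX9RN32c4x6</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample of the behaviour the question describes: the Format says
# persistent, but the value is still the (renamable) e-mail address.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed account store.  Rows are created by provisioning (SCIM or an
# admin action), never by trusting an e-mail claim at first login, so a
# look-alike identity created at another IdP cannot collide with a real user.
ACCOUNTS = {
    ("https://idp.example.com", "00u25f75zPX9RN32c4x6"): {"uid": 1001, "email": "alice@example.com"},
}


def extract_subject(assertion_xml):
    """Return (issuer, name_id, name_id_format) from a bare saml:Assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    # A missing Format attribute means 'unspecified', which we treat as unstable.
    return issuer.strip(), (name_id.text or "").strip(), name_id.get("Format", "")


def is_stable_subject(name_id, fmt):
    """Accept only a persistent-format NameID that is not an e-mail address."""
    if fmt != PERSISTENT or not name_id:
        return False
    # This is the misconfiguration from the thread: Format=persistent but the
    # value is still the user's e-mail, which can be renamed or recreated.
    return "@" not in name_id


def resolve_account(assertion_xml, accounts=ACCOUNTS):
    """Map an assertion to a local account by (Issuer, NameID), or return None."""
    issuer, name_id, fmt = extract_subject(assertion_xml)
    if not is_stable_subject(name_id, fmt):
        return None
    # Scoping the key by issuer means the same NameID string from a different
    # IdP (e.g. a self-registered tenant) never resolves to this account.
    return accounts.get((issuer, name_id))


if __name__ == "__main__":
    print(resolve_account(GOOD_ASSERTION))
    print(resolve_account(BAD_ASSERTION))
```

Because the account row is keyed on the Okta user ID rather than on the email, a renamed mailbox does not break the link, and an identity with the same email minted at another IdP fails the lookup on the issuer half of the key.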