Set NameID to EmailAddress while logging in with Unique ID

Our system requires the NameID attribute to be populated with the user’s email address. However, users must authenticate using their Unique ID.

Question: How can we configure Okta to use the Unique ID for login but return the email address in the NameID field?

...
...
...
        <!-- Subject: identifies the authenticated user to the service provider.
             NameID declares Format ...nameid-format:emailAddress, yet the value
             carried is the numeric unique ID (123456789), which is the mismatch
             this post is about. A relying party that keys its user lookup on the
             Format attribute alone would mis-map this account, so the value has
             to change at the IdP; the Format string on its own says nothing
             about what the value actually is. The <strong> tags around the
             value look like forum bold markup rather than assertion content. -->
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"><strong>123456789</strong></saml2:NameID>
            <!-- Bearer confirmation: the SP should accept this only if Recipient
                 equals its own ACS URL, InResponseTo equals the ID of the
                 AuthnRequest it sent, and NotOnOrAfter (here the same instant as
                 the Conditions window end) has not passed. -->
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="123"
                    NotOnOrAfter="2026-01-06T19:37:26.484Z"
                    Recipient="https://authn.test.com/sso/saml/acs/test" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <!-- Validity window: ten minutes, 19:27:26Z to 19:37:26Z (UTC, xs:dateTime).
             The SP must reject the assertion outside this window and must also
             check that the Audience value equals its own entity ID, otherwise an
             assertion issued for one SP could be replayed at another. -->
        <saml2:Conditions NotBefore="2026-01-06T19:27:26.484Z"
            NotOnOrAfter="2026-01-06T19:37:26.484Z"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
                <saml2:Audience>urn:test:sso:saml:test</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <!-- Authentication statement. AuthnInstant (13:26:48Z) is about six
             hours earlier than the Conditions NotBefore (19:27:26Z); this is
             consistent with an existing IdP session being reused, but it cannot
             be confirmed from this excerpt. An SP that enforces a maximum
             authentication age compares against AuthnInstant, not the
             assertion issue time. SessionIndex "asd" reads as a placeholder. -->
        <saml2:AuthnStatement AuthnInstant="2026-01-06T13:26:48.304Z"
            SessionIndex="asd"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <!-- The class reference URN is a text value, and the line break
                     and indentation before it are part of that text; an SP that
                     compares the context class without trimming would not match
                     PasswordProtectedTransport. -->
                <saml2:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
