Our system requires the NameID attribute to be populated with the user’s email address. However, users must authenticate using their Unique ID.
Question: How can we configure Okta so that users log in with their Unique ID but the assertion returns their email address in the NameID field?
...
...
...
<!-- Subject: names the authenticated user and states how the assertion is confirmed for its presenter. -->
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- The Format attribute declares an e-mail address, yet the value is a numeric identifier.
     A service provider that keys accounts on NameID receives this identifier, not an e-mail address.
     NOTE(review): the <strong> tags look like emphasis markup from the post rather than
     assertion content; confirm against the raw response. -->
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"><strong>123456789</strong></saml2:NameID>
<!-- Bearer confirmation: no key binds the assertion to its presenter, so the receiver relies on
     the attributes below. InResponseTo should match the ID of the receiver's own AuthnRequest,
     Recipient should equal its own assertion consumer service URL, and NotOnOrAfter bounds how
     late the assertion may be delivered. -->
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="123"
NotOnOrAfter="2026-01-06T19:37:26.484Z"
Recipient="https://authn.test.com/sso/saml/acs/test" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<!-- Conditions: the validity window and intended audience of the assertion.
     NotBefore and NotOnOrAfter are ten minutes apart here. A receiver should reject the
     assertion outside that window, allowing only a small clock-skew tolerance. -->
<saml2:Conditions NotBefore="2026-01-06T19:27:26.484Z"
NotOnOrAfter="2026-01-06T19:37:26.484Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- The Audience value should equal the receiving service provider's own entity ID, so that an
     assertion issued for a different service provider is not accepted. -->
<saml2:AudienceRestriction>
<saml2:Audience>urn:test:sso:saml:test</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<!-- AuthnStatement: when and how the user authenticated at the identity provider.
     AuthnInstant is roughly six hours earlier than the Conditions NotBefore value in this
     response, which suggests an existing identity-provider session was reused (confirm).
     A service provider that needs recent authentication should check AuthnInstant itself.
     SessionIndex identifies the identity-provider session and is the value echoed in
     single-logout requests. -->
<saml2:AuthnStatement AuthnInstant="2026-01-06T13:26:48.304Z"
SessionIndex="asd"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<!-- PasswordProtectedTransport: a password presented over a protected channel; the class
     by itself says nothing about a second factor.
     NOTE(review): as shown, the text content starts with a line break, presumably a pasting
     artefact. A receiver that compares this value as an exact string would need to trim it. -->
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>