SAML Single Sign-OnSAML Single Sign-On
Try For Free

Authentication with Okta SSO and User Sync after a user was renamed in Okta

Prerequisites

  • SAML SSO and a User Sync connector for Okta

  • Jira, Confluence or Bitbucket (as User Sync is only available for these three currently)

Problem

Once a user is renamed in Okta, the NameID sent via SAML response still holds the old name.
That remains the case, until the Update Now button is pressed in the application for SSO on Okta (see screenshot below).
User Sync is also retrieving the new username without any problems, because it is using the Okta API.
Okta is planning to improve this in the future, until then it is rather inconvenient and can lead to a lot of manual effort and support tickets in large environments.

image2019-9-20_9-56-45.png

Solution

Adding an additonal attribute in Okta pulling the username will always contain the new username, without the need to push the above button.
With some reconfiguration in the SAML SSO app, renaming users won't cause problems.

Add the additional Okta attribute

  • Navigate to your Okta application created earlier, when you setup SSO with Okta and Usersync as described here

  • click on the general tab and the edit button in the SAML Settings section

image2019-9-20_10-10-37.png

  • click Next on the first screen and proceed to the Configure SAML screen

  • in the Attribute Statements (Optional) section, add an attribute with a name oktaUserName and map its value to user.login

    • Name format can be left unspecified

image2019-9-20_10-15-4.png

  • click on next and then finish to complete the changes

Adjust the SAML SSO configuration

  • head over to the configuration page of the SAML SSO app in Jira, Confluence or Bitbucket and select your Okta IdP configuration

  • make sure Basic settings/ Authentication Attribute is set to USERNAME

  • scroll down to User ID Transformation and uncheck The IdP's NameID Attribute Matches the User IDs in Jira

  • enter oktaUserName as User ID Attribute:

    image2019-9-20_10-24-26.png

  • scroll down to User Creation and Update and make sure that User Update Method is set to Update with UserSync-Connector

    • if you setup Okta with User Sync according to our tutorial as described here this would be the case already

    • if not, adjust the settings accordingly

  • a bit further below in User Creation and Update from UserSync-Connector, make sure the UserSync-Connector is set to the Okta one

  • enter oktaUserName as the Lookup Attribute again

    image2019-9-20_10-40-0.png

     

  • save the settings and conduct a test in an incognito browser window, after renaming one of your users already in Jira, Confluence or Bitbucket in Okta



This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other