About Custom Attribute Uniqueness Enforcement - Okta Documentation

Enforce uniqueness of custom attributes

You can enforce attribute uniqueness for custom attributes in the Okta user profile, such as employee identification number. Each user type can have a maximum of five unique attributes. You don't need to select the same set of attributes for each user type. For example, the five unique attributes that you declare for user profile A don't need to match what you declared for user profiles B, C, or D.

Unique attributes share a single namespace across all user types in an org. For example, suppose that user types A and B both contain the attribute ice cream and you identify it as unique in both profiles. If user type A has the value chocolate, then no other users of type A or B (or any other user type that's declared ice cream is unique) can have that value. To allow duplicates between unique attributes in different types, modify the attribute names to be slightly different. For example, ice creamA and ice creamB are tracked separately.

Non-unique attributes aren't tracked for uniqueness. Suppose that the attribute candy is unique in type E and isn't unique in type F. When one user of type E has the value caramel for candy, then no other users of type E can have that value. Conversely, any number of users of type F can have the value caramel for candy. This is because candy is unique in E but not in F, so the value of the candy attribute for type F users doesn't matter.

You can only enforce uniqueness in custom attributes in the Okta user profile. For example, suppose you're importing users from Active Directory or LDAP. Any attempt to import one or more users who would violate the uniqueness requirement, causes the import to fail for those users.

If you attempt to enter a duplicate value for a user profile custom attribute with a uniqueness restriction, a message appears indicating that the value already exists. You can't save your changes until you enter a unique value.

When you mark an existing custom attribute as requiring a unique value, Universal Directory performs a validation check to make sure that there are no existing duplicate entries. If you have significant user records, the validation can take some time.

When the validation completes, a status message on the Profile Editor page indicates the following details:

• the number of records checked
• the number of duplicates found
• the estimated time remaining

If duplicate records are found, the Restriction checkbox is automatically cleared. You need to resolve the duplicate values before applying uniqueness to the attribute.

Related topics

Enforce custom attribute uniqueness