There are situations where you will need to update the UPN (userPrincipalName) for the users in your domain. In my case this change fixed my SAML SSO integrations between Okta and other apps.
My internal Active Directory domain is corp.COMPANY.com (short name COMPANY). Our SSO provider, Okta, translates this domain to COMPANY.com, but that is not a reliable solution: sometimes, even when you modify the user profile in Okta so that the SAML assertion shows user_login as fName.LName@COMPANY.com, Okta will still send fName.LName@corp.COMPANY.com in the SAML assertion. This is a mismatch and causes your SAML integration to fail. Specifically, I have found this to be the case with a few SaaS solutions such as NetSuite, Slack, OneTrust, Anaplan and others.
The easy fix is to make sure that your SSO provider sends the correct value in the SAML assertion, and you can do that by changing the UPN suffix of your users. You can change the UPN for individual users, for a group of users or, best of all, for all users in the domain. Once that is done, your SAML integration will work like a charm 🙂
Here is a PowerShell script to change the UPN suffix for all users in the Users container:
Import-Module ActiveDirectory

# Old and new UPN suffixes, the container to process and the DC to write to
$oldSuffix = "corp.COMPANY.com"
$newSuffix = "COMPANY.com"
$ou = "CN=Users,DC=corp,DC=COMPANY,DC=com"
$server = "DC1SRV"

# Rewrite the suffix of every user under $ou that has a UPN set
# (objects without a UPN are skipped so .Replace() is never called on $null)
Get-ADUser -Server $server -SearchBase $ou -Filter * |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
        $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
    }
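As an added example (my own, not the script above), here is a more careful version of the same bulk change: it registers the new suffix on the forest first, selects only users whose UPN actually carries the old suffix, refuses to create a duplicate UPN, and writes nothing unless you pass -Commit. The domain names, container and DC name are the same placeholders as above.

```powershell
# Added example: bulk UPN suffix change with a dry run, a scope filter and a uniqueness check.
# $oldSuffix, $newSuffix, $ou and $server are the placeholder values used on this page.
param([switch]$Commit)   # without -Commit the script only reports what it would do

Import-Module ActiveDirectory

$oldSuffix = "corp.COMPANY.com"
$newSuffix = "COMPANY.com"
$ou        = "CN=Users,DC=corp,DC=COMPANY,DC=com"
$server    = "DC1SRV"
$logFile   = ".\upn-change-$(Get-Date -Format yyyyMMdd-HHmmss).csv"

# 1. The new suffix has to be registered at the forest level (Domains and Trusts) first.
$forest = Get-ADForest -Server $server
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    if ($Commit) {
        Set-ADForest -Identity $forest -Server $server -UPNSuffixes @{Add = $newSuffix}
    } else {
        Write-Warning "UPN suffix '$newSuffix' is not registered on the forest; -Commit would add it."
    }
}

# 2. Only touch users that really have the old suffix, not every object under $ou.
$users = Get-ADUser -Server $server -SearchBase $ou `
    -Filter "UserPrincipalName -like '*@$oldSuffix'" -Properties UserPrincipalName

$changes = foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Substring(0, $u.UserPrincipalName.LastIndexOf('@'))
    $newUpn = "$prefix@$newSuffix"

    # 3. UPNs must be unique; skip and log a collision instead of silently overwriting.
    $clash  = Get-ADUser -Server $server -Filter "UserPrincipalName -eq '$newUpn'"
    $status = if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) { "SKIPPED-DUPLICATE" }
              elseif ($Commit) { Set-ADUser -Identity $u -Server $server -UserPrincipalName $newUpn; "CHANGED" }
              else { "WOULD-CHANGE" }

    [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUPN = $u.UserPrincipalName
                       NewUPN = $newUpn; Status = $status }
}

# 4. Keep an audit trail of what was (or would be) changed.
$changes | Export-Csv -Path $logFile -NoTypeInformation
$changes | Format-Table -AutoSize
```

Run it once without -Commit, review the CSV, then run it again with -Commit; the log gives you the old values if anything has to be rolled back.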
Once the script has run, your users are updated and Active Directory lists their UPN with the COMPANY.com suffix.