Since i moved authentication from LDAP to SAML, $SPLUNK_HOME/etc/users has a bunch of new email@example.com directories (the old username directories are still there). What's the best way (migrating the contents of username to firstname.lastname@example.org? or changing a setting so username settings go back to how they were? something else?) to fix this?
I've had the same issue as you when I changed the authentication from LDAP to SAML.
My solution was to reassign the Knowledge Objects to the new naming schema because it was only for a couple of users.
I don't know how Okta works but it's generally possible for IDPs to change the way, a username is send to Splunk.
Maybe the Okta Support can help you changing the transfered username or you reassign the Knowledge Objects manually.