Comma Separated Group Attribute Statement to SP
Eric Braunschweig

Hello,

I'm trying to pass up to three groups in my assertion for an app that offers varied access based on the group(s). The group attribute statement works flawlessly when only one group is being passed, however the SP is looking for a comma-separated list of groups if there are 2 or more. Rather than passing each group in separate tags (see below), is there a way to pass two groups in the same attribute value tag separated by commas?
 
<saml2:Attribute Name="GroupID"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Group3</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Group1</saml2:AttributeValue>
</saml2:Attribute>
Appreciate the help!

Eric
 
BJ Lillo (Okta, Inc.)
You could use a combination of functions to make that happen. First, you will need to return an array of groups with the appropriate filtering using one of the following functions:
Groups.getFilteredGroups
Groups.contains
Groups.startsWith
Groups.endsWith

Then you'll convert that array to a comma separated string using:
Arrays.toCsvString(array)

 
Eric Braunschweig
Thank you for the response, BJ. Where am I inputting these functions? Profile Editor for the specific app, or within the SAML wizard for the app?
Avi Duthaluri (Admin)
Eric/BJ,

I am also trying something like this. Can you please let me know if this worked, and exactly what needed to be done to make this work?

Thanks,
Avi
Eric Braunschweig
After much Googling, I came across a hack of a solution:
String.join(",", isMemberOfGroupName("Group1") ? 'Group1' : '', isMemberOfGroupName("Group2") ? 'Group2' : '', isMemberOfGroupName("Group3") ? 'Group3' : '')

It ended up passing Group1,,Group3 but the service provider accepted the blank for not being in group 2 (example).

Here's the post that gave me the resolution: https://support.okta.com/help/answers?id=9062A000000bm4LQAQ
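
On the receiving side, a comma-joined value like Group1,,Group3 has to be split into exact group names before any access decision is made. The following is an added example, not part of the thread and not Okta's or any SP's code: a sketch of SP-side parsing that accepts both the multi-value form from the question and the comma-joined form from the workaround. The sample XML, the KNOWN_GROUPS allowlist and the function names are constructed for illustration, and it assumes the assertion signature was already verified by the SP's SAML library.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: the SP grants access only for groups it explicitly knows.
KNOWN_GROUPS = frozenset({"Group1", "Group2", "Group3"})


def build_attribute(*values):
    """Build a constructed GroupID attribute element for the samples."""
    body = "".join(
        f"<saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values
    )
    return (
        f'<saml2:Attribute xmlns:saml2="{SAML2_NS}" Name="GroupID">'
        f"{body}</saml2:Attribute>"
    )


# Constructed samples: one value per group, and the String.join output.
MULTI_VALUE = build_attribute("Group3", "Group1")
CSV_VALUE = build_attribute("Group1,,Group3")


def groups_from_attribute(attribute_xml, name="GroupID"):
    """Return the known groups carried by one already-verified attribute."""
    attr = ET.fromstring(attribute_xml)
    if attr.tag != f"{{{SAML2_NS}}}Attribute" or attr.get("Name") != name:
        raise ValueError("not the expected group attribute")
    groups = set()
    for value in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
        for token in (value.text or "").split(","):
            token = token.strip()
            # Blank slots come from the '' branch of the ternaries.
            # Exact matching keeps "Group10" from being read as "Group1",
            # which a substring check on the raw string would allow.
            if token and token in KNOWN_GROUPS:
                groups.add(token)
    return groups


if __name__ == "__main__":
    for sample in (MULTI_VALUE, CSV_VALUE):
        print(sorted(groups_from_attribute(sample)))
```

Both sample forms resolve to the same set, and an empty or all-blank value yields no groups rather than an empty-string group.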