https://support.okta.com/help/answers?id=9062a000000xztcqaw&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
David Tu

SAML GROUP ATTRIBUTE STATEMENTS

Hi All,

I am trying to pass a specific Key/Value pair for SAML Response.

I have a couple groups: Test-Admin, Test-Restricted Admin, etc.
My user is part of the group Test-Admin; my goal is to send the key/value pair role : Admin.
Another user is part of Test-Restricted Admin; his key/value pair should be role : Restricted Admin.

I tried using the GROUP ATTRIBUTE STATEMENTS:
Name: role
Filter: regex
Value: Test-(.*)

This partially works, as it does set the SAML attribute, but I was looking for the specific section, not the entire group name:
<saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test-Admin </saml2:AttributeValue>
</saml2:Attribute>

Any help is appreciated. 

Thanks
Adam Bergstrom
David, 

The group attribute statement sends the entire group name along. You'd need a custom function in the attribute statement, or in the profile editor. If you have just two roles, create a custom attribute for that app, and map isMemberOfGroupName("Test-Admin") ? "Admin" : "Restricted Admin" to that value in the profile editor.
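Because the group attribute statement forwards the whole group name, the Test-(.*) extraction can also be done by the service provider when it consumes the assertion. The following is an added example, not Okta code and not anything posted in this thread: it reads the role attribute from a constructed AttributeStatement shaped like the one above, applies the same capture group, and accepts only values from a fixed allowlist, so an unexpected group name never turns into an application role. The element and function names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Same pattern as the group attribute statement filter in the thread.
GROUP_PATTERN = re.compile(r"^Test-(.*)$")
# Allowlist: only these captured values may become application roles.
KNOWN_ROLES = {"Admin", "Restricted Admin"}

# Constructed sample in the shape Okta produced in the thread; note the trailing
# space after "Test-Admin", which is also present in the posted output.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="role"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Test-Admin </saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Test-Restricted Admin</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Everyone</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def group_values(statement_xml, attribute_name="role"):
    """Return the string values of the named attribute, whitespace stripped.
    Call this only after the assertion signature has been verified."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iter("{%s}AttributeValue" % SAML2_NS):
            values.append((value.text or "").strip())
    return values


def map_roles(group_names):
    """Apply Test-(.*) and keep only captured values that are on the allowlist."""
    roles = set()
    for name in group_names:
        match = GROUP_PATTERN.match(name)
        if match and match.group(1) in KNOWN_ROLES:
            roles.add(match.group(1))
    return roles


def roles_from_statement(statement_xml):
    """Map the group names carried in the role attribute to application roles."""
    return map_roles(group_values(statement_xml))
```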
Jason Ross
Hi Adam

Is there a way to do it dynamically, and not create user attributes for each group name?