Can you pass group membership as part of the SAML assertion to the SP?
Angela Craghead

Can you pass group membership as part of the SAML assertion to the SP?

I have a single app that uses four different roles. We have these roles set up as AD groups. Can you pass group membership as part of the SAML assertion to the SP? This is a custom application.

Thanks!
Eugen Dumitru (Okta, Inc.)
Hi Angela,

For a custom SAML application you can add "Group Attribute Statements" and pass them through the assertion.
You can add them by going to Admin > Applications > Your Application > General > Click Edit next to "SAML Settings" > Click Next and now add the attribute on the "Group Attribute Statements (optional)".

Thank You,

Eugen Dumitru
Technical Support Engineer
Okta Global Customer Care
Angela Craghead
Hi Eugen,

Is there any documentation on how to complete the fields? For example, what value is used in the Name field? The filter appears to be your group information specifically.

Best Regards,
Angela Craghead
Guardian Industries Corp. | Guardian Central
2300 Harmon Rd. Auburn Hills, MI 48326
P. 248.340.0013 | acraghead@guardian.com
Adam Bergstrom
Name is the attribute name you wish to reference. "group" or "role" is common, but it depends on what your service provider is looking for. If you had a bunch of roles as "appname-role" in AD and you need to send that value as "role" you would enter in "role" on the left, and "appname" on the right.
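
The service-provider side of the setup described above, as an added example that is not part of the original thread and is not Okta's code: it reads the `role` attribute from an assertion and maps the `appname-*` group names to application roles through an exact-match allowlist. The sample assertion, the four role names and the function names are constructed for illustration, and the code assumes the SP's SAML library has already verified the assertion's signature, issuer, audience and validity window.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an already-validated assertion carrying a group
# attribute statement named "role", filtered on the IdP to "appname" groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>appname-admin</saml:AttributeValue>
      <saml:AttributeValue>appname-viewer</saml:AttributeValue>
      <saml:AttributeValue>appname-unknown</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping from AD group names to the application's four roles.
GROUP_TO_ROLE = {
    "appname-admin": "admin",
    "appname-editor": "editor",
    "appname-auditor": "auditor",
    "appname-viewer": "viewer",
}

def groups_from_assertion(assertion_xml, attribute_name="role"):
    """Return the values of the named attribute from a validated assertion."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue  # ignore attributes other than the group attribute
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                groups.append(text)
    return groups

def roles_for(groups):
    """Exact-match allowlist: a group that is not mapped grants nothing."""
    granted = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    ignored = sorted(g for g in groups if g not in GROUP_TO_ROLE)
    return granted, ignored
```

Logging the ignored group names on the SP makes it visible when the IdP-side filter matches more groups than the application expects.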
 
Daniel Hillyer
More specifically... We have a number of applications that require all the AD groups a user is a member of in the assertion. Given the filter requirement/option it doesn't seem possible to pass all of the groups a user is a member of using a single function or statement.