If you are talking about provisioning users into applications, if the application supports Okta Provisioning and you have purchased Provisioning for your Okta Org, you can provision users with certain attributes into the app.
It is highly dependent on the app as to exactly how the user is provisioned and what attributes are provisioned.
Our applications are custom built in a variety of technologies: Java, .Net, Ruby, Django, etc. We do NOT need to provision into the applications, but rather provide our custom-built applications a data structure which, in my example, can tell the application: this is user Joe, for Application1 and for Customer1, and the Role he has is Analyst.
After that, Okta ends its duty and the custom applications manage the mapping of a Role to specific functionality.
This sounds like something you can do with a SAML assertion, if your applications will support this. You could build a SAML app (Okta) with a custom set of attributes and groups (roles); these attributes can pull from the Okta profile. Then program your application to accept those fields via a SAML assertion and translate them into role assignments.
Okta Profile Attribute: user.app1role
Okta SAML app with custom attribute: <role> = user.app1role
App: SAML <role> = Role
This is typically done via provisioning (API calls from Okta) in apps such as O365, Salesforce, Google Apps, etc., rather than via a SAML assertion. The above example is a high-level view but should give you a good start.
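The application side of the flow described above, as an added example (not part of the original posts and not Okta code): it reads the role attribute from an assertion that the application's SAML library is assumed to have already signature-validated, then maps it to local permissions through an allow-list so that an unrecognized role grants nothing. The attribute names `role` and `customer`, the permission strings and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical allow-list: the only roles this application accepts, with local permissions.
ROLE_PERMISSIONS = {
    "Analyst": {"report:read"},
    "Admin": {"report:read", "report:write", "user:manage"},
}

# Constructed sample assertion (signature omitted; assumed verified before this code runs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>joe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="customer">
      <saml:AttributeValue>Customer1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes_from_assertion(assertion_xml):
    """Return {attribute name: [values]} from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def session_from_assertion(assertion_xml):
    """Map asserted roles to local permissions; unknown or missing roles get none."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = attributes_from_assertion(assertion_xml)
    roles = [r for r in attrs.get("role", []) if r in ROLE_PERMISSIONS]
    permissions = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    customers = attrs.get("customer") or [None]
    return {"user": name_id, "customer": customers[0], "roles": roles, "permissions": permissions}
```

The role-to-permission mapping stays in the application, so Okta only asserts the role name and the application decides what it allows.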
James, thanks for the update, but I am a little confused by your answer. Our applications are custom built, therefore we can build in SAML support. Please confirm if I understand the proposal correctly.
A user profile is created in Okta with custom attributes representing roles. For example:
The login flow then is that our custom applications accept SAML and pull out the assertions that correspond to their application name and then make an API call to Okta to get the role info?
I'm sure I misunderstood your concept because this does not seem correct. Would you mind expanding on your idea?