How can a user get Application specific Roles assigned to their Profile Skip to main content
https://support.okta.com/help/answers?id=906f0000000i0vpiak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Ivan SagerIvan Sager 

How can a user get Application specific Roles assigned to their Profile

We've purchased the Okta Platform as the identity solution for our external customers but 
We are looking for the best way to assign APPLICATION specifc Roles to our users.

For Example:
Customer 1                       
Application 1                    
User Joe 1                        
>>Role:Analyst                     
-----
Customer 2
Application 2
User Mary
>>Role:Executive

Any thoughts will be appreciated!

 
James GarvinJames Garvin (Okta)
If you are talking about provisioning users into applications, if the application supports Okta Provisioning and you have purchased Provisioning for your Okta Org, you can provision users with certain attributes into the app.

It is highly dependent on the app as to exactly how the user is provisioned and what attributes are provisioned.  
Ivan SagerIvan Sager
James, thanks for the reply.

Our applications are custom built in a variety of technologies; Java, .Net, Ruby, Django etc. We do NOT need to provision into to the applications but rather provide our custom built applications a data structure which in my example can tell the application, this is user Joe, for Application1 and for Customer1 and the Role he has is Analyst.

After that, Okta ends its duty and the custom applications manages the mapping of a Role to specific functionality   
James FloresJames Flores (Okta, Inc.)
Hi Ivan,

This sounds like something you can do with a SAML assertion. If your applications will support this. You could build a SAML app (OKta) with a custom set of attributes and groups (roles) these attributes can pull from the Okta profile, then program your application to accept those fields via a SAML assertion and translate them into role assignments. 

Example:

Okta Profile Attribute: user.app1role
Okta SAML app with custom attribute: <role> = user.app1role
App: SAML <role> = Role

This is typically done via provisioning (API calls from Okta) in apps such as 0365, Salesforce, Google Apps etc, rather than via a SAML assertion. The above example is a high level view but should give you a good start. 
 
Ivan SagerIvan Sager
James, thanks for the update but I am a little confused with your answer.
So our applications are custom built therfore we can build in SAML support. Please confirm if I understand the proposal correctly.
  1. A user profile is created in Okta with custom attributes representing roles. For exmaple:
    •  User.Profile.Application_name_1 =App1
    •  User.Profile.Application_role_1 =Role1
    • ---
    •  User.Profile.Application_name_2 =App2
    •  User.Profile.Application_role_2 =Role2
    • ---
    •  User.Profile.Application_name_3 =App3
    •  User.Profile.Application_role_3 =Role3
  2. The login flow then is that our custoim applications accept SAML and pull out the assertions that corospond to their application name and then make an API call to Okta to get the role info?

I'm sure I miss undertood your concept because thsi does not seem corect. Would you mind expanding on your idea?

Cheers- Ivan