Can Both Active Directory and Okta Groups Be Retrieved in OpenID Connect Claims
API Access Management
Okta Classic Engine
Overview

This article describes how to receive both Application Groups (such as Active Directory Groups) and Okta Groups in OpenID Connect Claims.

Applies To
  • Directory Integration (for example, Active Directory, LDAP, Google Workspace)
  • OpenID Connect (OIDC) application
  • Okta Classic Engine
Solution

This article explains how to retrieve Active Directory and Okta Groups in OpenID Connect claims (a video walkthrough accompanies the original article).

Step 1: Generate OEL Expression

  • If there is only one Active Directory integration, or groups should be pulled from any Active Directory integration, the term active_directory can be used as the app type variable name.
    • The generic app types for other integrations are listed below.
      • Active Directory: `active_directory`
      • Google Workspace: `google`
      • LDAP: `ldap_sun_one`
    • If the integration type is not listed above, the app type variable is typically the value of the application variable for the first instance of a directory integration added to the org, as shown in the example below:
Directory Integrations as seen in Directory > Profile Editor
  • Example expression using the app type when the user is a member of both the AD group and the Okta group (falls back to Okta groups only when the user has no AD groups):

Arrays.isEmpty(Groups.startsWith("active_directory","",100)) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",50),Groups.startsWith("active_directory","",50))

  • Example expression using the app type that also handles a user who is a member of only one of the two (AD groups only or Okta groups only):

Arrays.isEmpty(Groups.startsWith("active_directory","",50)) ? Groups.startsWith("OKTA","",50) : Arrays.isEmpty(Groups.startsWith("OKTA","",50)) ? Groups.startsWith("active_directory","",50) : Arrays.flatten(Groups.startsWith("active_directory","",50),Groups.startsWith("OKTA","",50))


  • If there are multiple Active Directory integrations and groups should be retrieved from only one of them, navigate to Directory > Directory Integrations > select the desired directory integration > copy the integration app ID from the URL.
Get AD Integration ID
  • Example expression using the app ID when the user is a member of both the AD group and the Okta group:

Arrays.isEmpty(Groups.startsWith("0oa********d7","",100)) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",50),Groups.startsWith("0oa********d7","",50))

  • Example expression using the app ID that also handles a user who is a member of only one of the two (AD groups only or Okta groups only):

Arrays.isEmpty(Groups.startsWith("0oa********d7","",50)) ? Groups.startsWith("OKTA","",50) : Arrays.isEmpty(Groups.startsWith("OKTA","",50)) ? Groups.startsWith("0oa********d7","",50) : Arrays.flatten(Groups.startsWith("0oa********d7","",50),Groups.startsWith("OKTA","",50))

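To see what the expressions above return for a given user, including what happens when a user holds more groups than the limit argument allows, here is an added Python model of the three Expression Language functions they use (Groups.startsWith, Arrays.isEmpty, Arrays.flatten). It is not Okta's code or part of this article; the sample user, the group names and the assumed maximum limit of 100 are constructed for illustration.

```python
# Constructed model of the Okta Expression Language functions used above
# (Groups.startsWith, Arrays.isEmpty, Arrays.flatten); not Okta's code.

# Constructed sample user: memberships keyed by source (app type or app ID).
SAMPLE_USER = {
    "active_directory": ["AD-Finance", "AD-VPN-Users"],
    "OKTA": ["Everyone", "Okta-Admins"],
}

def groups_starts_with(memberships, source, prefix, limit):
    """Groups.startsWith(app_type_or_id, pattern, limit): group names from
    `source` beginning with `pattern`, capped at `limit` (assumed max 100)."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    return [g for g in memberships.get(source, []) if g.startswith(prefix)][:limit]

def arrays_is_empty(values):
    return len(values) == 0

def arrays_flatten(*arrays):
    return [g for arr in arrays for g in arr]

def expression_one(memberships, ad_source="active_directory"):
    """First expression: Okta groups only when the user has no AD groups,
    otherwise up to 50 Okta groups followed by up to 50 AD groups.
    `ad_source` may be the app type or an app ID such as 0oa...d7."""
    if arrays_is_empty(groups_starts_with(memberships, ad_source, "", 100)):
        return groups_starts_with(memberships, "OKTA", "", 100)
    return arrays_flatten(groups_starts_with(memberships, "OKTA", "", 50),
                          groups_starts_with(memberships, ad_source, "", 50))

def expression_two(memberships, ad_source="active_directory"):
    """Second expression: returns whichever side is non-empty on its own and
    merges (AD first) only when the user has groups in both sources."""
    ad = groups_starts_with(memberships, ad_source, "", 50)
    okta = groups_starts_with(memberships, "OKTA", "", 50)
    if arrays_is_empty(ad):
        return okta
    if arrays_is_empty(okta):
        return ad
    return arrays_flatten(ad, okta)

def missing_from_claim(memberships, claim):
    """Groups the user holds that the claim does not carry, e.g. those dropped
    by the limit; worth checking before an app authorizes on the claim."""
    held = {g for groups in memberships.values() for g in groups}
    return sorted(held - set(claim))
```

A user with more than 50 groups in one source gets a silently truncated claim, so an application that grants access by group name should not treat an absent group as proof of non-membership without checking the limit.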

Step 2: Configure Group Claim

  • If using the Okta authorization server:
    1. Navigate to Admin > Applications > OpenID Connect application > Sign On tab > OpenID Connect ID Token.
    2. Select Edit, switch Groups claim type to Expression, add a claim name (for example, "groups") below it, and paste the expression generated above.
  • If using a custom authorization server:
    1. Navigate to Admin > Security > API > Authorization Servers > select desired authorization server > Claims tab.
    2. Add a new claim with the following properties:
      • Name: groups (or any other name to identify the claim)
      • Include in token type: Access Token or ID Token
      • Value type: Expression
      • Value: the expression above that is also used in the Okta authorization server
      • Disable claim: leave unselected
      • Include in: Any scope

Once the claim is configured, any new JWT issued through the specific OpenID Connect application and authorization server will contain the group claim with both Active Directory groups and Okta groups.
