This article explains how to use the Okta Expression Language to pass a group name with a prefix in a SAML assertion for a custom application.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Custom SAML Applications
- Okta Expression Language
An administrator is configuring a custom SAML 2.0 application in Okta. The requirement is to send the user's group memberships in a SAML attribute, but only include the groups that are relevant to that specific application. All of the application-specific groups follow a consistent naming convention (for example, all groups start with the prefix AppName_).
By default, without a filter, Okta can be configured to send all of a user's groups, which is undesirable for both security (group names unrelated to the application are disclosed to it) and application performance reasons. The user.getGroups function in the Okta Expression Language can filter the groups by name before they are placed in the assertion.
Ensure all groups relevant to the application follow a consistent naming convention. For example, if the application is "Workday," all associated groups in Okta should be named starting with a prefix, like Workday_Admins, Workday_Finance, and Workday_Users.
- Go to the custom SAML application and select the Sign On tab.
- Click Edit.
- Add an Attribute statement with the following expression, replacing <text_goes_here> with the group prefix:
user.getGroups({'group.profile.name': '<text_goes_here>', 'operator': 'STARTS_WITH'}).![profile.name]
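The following is an added example, not code from the Okta article or from Okta itself. It models what the STARTS_WITH filter above does to a user's group list and what the resulting SAML AttributeStatement looks like, side by side with the unfiltered version, and it shows the check the receiving application should perform on its side. The attribute name "groups", the Workday_ prefix, and the sample group list are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2_NS)

# Constructed sample: the Okta groups one user belongs to (not a real tenant).
SAMPLE_USER_GROUPS = [
    "Everyone",
    "Workday_Admins",
    "Workday_Finance",
    "HR_Confidential",
    "Legacy_Workday_Users",  # contains but does not start with the prefix, so excluded
]


def filter_groups_starts_with(group_names, prefix):
    """Local model of
    user.getGroups({'group.profile.name': prefix, 'operator': 'STARTS_WITH'}).![profile.name]
    i.e. keep only group names that begin with the prefix (prefix match, not substring)."""
    return [name for name in group_names if name.startswith(prefix)]


def build_attribute_statement(attr_name, values):
    """Render a multi-valued SAML attribute: one Attribute element holding one
    AttributeValue per group, which is how a list-valued expression is emitted."""
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt,
        f"{{{SAML2_NS}}}Attribute",
        {"Name": attr_name,
         "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"},
    )
    for value in values:
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def sp_side_group_values(statement_xml, attr_name, expected_prefix):
    """What the receiving application (the SP) should do with the attribute:
    read every value and flag any group that is outside the agreed prefix,
    rather than trusting the IdP configuration alone. Returns (values, unexpected)."""
    root = ET.fromstring(statement_xml)
    ns = {"saml2": SAML2_NS}
    values = []
    for attr in root.findall("saml2:Attribute", ns):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("saml2:AttributeValue", ns):
            values.append(val.text or "")
    unexpected = [v for v in values if not v.startswith(expected_prefix)]
    return values, unexpected


if __name__ == "__main__":
    prefix = "Workday_"
    filtered = filter_groups_starts_with(SAMPLE_USER_GROUPS, prefix)
    print("Filtered assertion:\n", build_attribute_statement("groups", filtered))
    print("Unfiltered assertion:\n", build_attribute_statement("groups", SAMPLE_USER_GROUPS))
    _, leaked = sp_side_group_values(
        build_attribute_statement("groups", SAMPLE_USER_GROUPS), "groups", prefix)
    print("Groups the SP would see without the filter that it should not:", leaked)
```

Running the script shows the filtered statement carrying only Workday_Admins and Workday_Finance, while the unfiltered one also discloses Everyone, HR_Confidential and Legacy_Workday_Users to the application; the last of these illustrates that STARTS_WITH is a prefix match, not a CONTAINS match, so a loosely named group does not slip through.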
This can also be achieved by adding a Group Attribute Statement instead, with its filter set to Starts with and the same group prefix as the value.
