<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How to Remove Substring from Group Names in OpenID Connect Claims
Oct 27, 2023
Okta Classic Engine
API Access Management
Overview

This article describes how to remove substring from group names in OpenID Connect claims.

Applies To
  • OpenID Connect
  • API Access Management
Solution

In several use cases, there are requirements to send groups to OpenID Connect-enabled applications but also remove substring that the groups might have.

For example, in a fictive scenario, in Okta, an administrator would have "OIDC-app-Admin", "OIDC-app-Employee", and "OIDC-app-Customer" Okta groups, but the application will only accept "Admin", "Employee", and "Customer" groups that would be treated as roles.

In order to send the correct group claim to the application, the following steps will need to be taken:

  • If the application uses a custom authorization server created via API Access Management:
    • Navigate to Admin > Security > API > Authorization Serversthe authorization server that the application uses > Claims  (or Admin > API > Authorization Servers > the authorization server that the application uses > Claims  if using the Developer Console interface)
    • Add a new claim with the following configuration:
      • Name: roles (or how the application is expecting the group membership claim)
      • Include in token type: Access Token (or in the ID token, depending on where the application is expecting the group membership claim)
      • Value type: Expression
      • Value: Arrays.flatten(String.replace(Arrays.toCsvString(Groups.startsWith("OKTA","OIDC-app-",100)),"OIDC-app-", ""))
      • Disable claim: (leave unchecked)
      • Include in: Any scope (or in a particular scope, depending on the requirements)
  • If the application uses the Okta authorization server
    • Navigate to Admin > Applications > your OpenID Connect Application > Sign On > OpenID Connect ID Token (if the section is not visible, please hover over Developer Console on the top left side of the screen and select Classic UI)
    • Select Edit and configure the section's group claim as follows:
      • Group claim type: Expression
      • Groups claim expression: 
        • first field: roles (or how the application is expecting the group membership claim)
        • second field:  Arrays.flatten(String.replace(Arrays.toCsvString(Groups.startsWith("OKTA","OIDC-app-",100)),"OIDC-app-", ""))

The expression performs the following steps:

  1. Retrieves all the groups that start with "OIDC-app-"
  2. Converts the array of groups into a string
  3. Replaces every occurrence of "OIDC-app-" with ""
  4. Converts the string back to array.

 

Recommended content

Still looking for help?
Loading
How to Remove Substring from Group Names in OpenID Connect Claims