How to Filter Groups with Regex in Okta
Overview

This article explains how to use Regex filters in Okta to send specific groups to an application. It includes an example of how to send groups to which a user is assigned using a Regex filter.

Applies To

  • Single Sign-On
  • Okta Classic Engine
  • Okta Identity Engine

Cause

The user has an application that requires a group attribute statement, where the filter needs to limit the results to a set of groups that use a particular prefix, plus one individual group without the prefix.

Solution

To send specific groups to an application using a regex filter, follow these steps:

  1. Access the Okta Admin Console. 
  2. Select the application that needs the group attribute statement.
  3. Click on the Sign On tab, and select Edit in the Advanced Sign-On Settings section.
  4. Scroll down to the Group Attribute Statements section, and click Add Another.
  5. Enter a name for the group attribute statement.
  6. In the Matches Regex field, enter the regex filter that matches the groups intended to be sent to the application.
  7. For example, to send groups A, B, C, and D, use the following regex filter: 
    .*groupA.*|.*groupB.*|.*groupC.*|.*groupD.*
  8. Save the changes to the group attribute statement and assign it to the application.

To send all groups that a user is assigned to, use the following regex filter: 

.*

When using regex filters in Okta, the dot character (.) matches any character, and the pipe character (|) separates multiple regex patterns. Also, ensure that the regex pattern matches the group names exactly as they appear in Okta.

Related documentation: Configure SAML Attributes

Alternatively, when there is no need to send specific groups, the following expression can be used to send multiple groups with the same attribute that start with either “Group” or “Other_Group” (replace these values with the intended group names): 

(Group+(.*))|(Other_Group+(.*))

NOTE: The Regex needs to be Matches, not StartsWith. The resulting values will behave as a StartsWith condition.

The following describes the behaviour of the Group Filter in a Group Attribute Statement when the regular expression .* is used in SAML integrations:

  • When the regular expression .* is entered in the Group Filter of a Group Attribute Statement, the assertion includes all groups assigned to the user.

  • This selection comprises both native Okta groups and imported Active Directory groups.

  • If only Active Directory groups are required, enter a regular expression that matches a specific naming convention, for example, AD_.*.

    • Or use ^(?!groupName$).* - This means "Match everything except the exact string groupName." This will instantly strip that group from the assertion for all users. Replace the groupName with the group that should be excluded.
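
The filters above can be checked against a list of group names before they are saved. The following is an added example, not part of the Okta article: it assumes a Matches regex filter must match the whole group name and uses Python's re module as a stand-in for Okta's regex engine. The group names and the `exact` pattern are constructed for illustration.

```python
import re

# Constructed sample: groups one user is assigned to (not from the article).
USER_GROUPS = [
    "groupA", "groupB", "groupA-admins", "legacy-groupC-readonly",
    "Group_Finance", "Other_Group_HR", "AD_Engineering", "Everyone",
]

# Filters taken from the article, plus one anchored variant for comparison.
FILTERS = {
    "contains": r".*groupA.*|.*groupB.*|.*groupC.*|.*groupD.*",
    "exact": r"groupA|groupB|groupC|groupD",   # added here: exact names only
    "prefix": r"(Group+(.*))|(Other_Group+(.*))",
    "ad_only": r"AD_.*",
    "exclude_one": r"^(?!Everyone$).*",        # article's pattern, groupName=Everyone
    "all": r".*",
}

def groups_in_assertion(pattern, groups=USER_GROUPS):
    """Return the groups a 'Matches regex' filter would release.

    Assumption: the filter must match the whole group name, which is
    modelled with re.fullmatch (Python's re stands in for Okta's engine).
    """
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]

def unexpected(pattern, intended, groups=USER_GROUPS):
    """Groups the filter releases that are not on the intended list."""
    return [g for g in groups_in_assertion(pattern, groups) if g not in intended]

if __name__ == "__main__":
    for name, pattern in FILTERS.items():
        print(f"{name:12} {pattern!r:55} -> {groups_in_assertion(pattern)}")
    intended = {"groupA", "groupB", "groupC", "groupD"}
    print("over-released by 'contains':", unexpected(FILTERS["contains"], intended))
```

With this sample, the `.*groupA.*` style filter also releases groupA-admins and legacy-groupC-readonly, because it matches any name that contains the string. The exact-name variant releases only the listed groups.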