Send Comma-Separated Group Roles in Okta SAML Attribute Statements
Last Updated:
Overview
Some service providers require multiple group values in a single Security Assertion Markup Language (SAML) attribute be sent as a comma-separated list rather than multiple separate attribute values.
Configure Okta to send group names in this format for Okta Integration Network (OIN) or custom SAML applications using an expression constructed using Okta Expression Language (OEL). When configured correctly, the SAML assertion outputs the groups in a single string.
For example: Engineering, Finance, Support.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Expression Language (OEL)
- Okta Integration Network (OIN) applications
- Security Assertion Markup Language (SAML) applications
Solution
How are group IDs identified in the Okta Admin Console?
Navigate to Directory > Groups in the Okta Admin Console and extract the required group IDs from the URL bar by following these steps.
- In the Okta Admin Console, go to Directory > Groups.
- Click the group name you want to include.
- Copy the group ID from the browser URL bar.
- NOTE: Okta group IDs always start with "00g" followed by alphanumeric characters (for example, 00g1a2b3c4d5e6f7g8hi).
- Record the required group IDs.
How is the expression added to the SAML application?
Edit the legacy configuration in the SAML application sign-on settings and input the expression with the specific group IDs by following these steps.
- In the Okta Admin Console, navigate to Applications > Applications.
- Select the SAML application.
- Choose the Sign On tab.
- Scroll to the Show legacy configuration section and select Edit.
- Enter the attribute name expected by the service provider in the Name field.
- The Name Format field can be left unspecified unless specified by the service provider.
- Enter the following expression in the Value field:
String.join(",",getFilteredGroups({"<group1_ID>","<group2_ID>","<group3_ID>"}, "group.name", 100))
Replace the group ID parameters with the actual group IDs recorded in the How are group IDs identified in the Okta Admin Console? section. The "group.name" parameter sends the group display names. To send group IDs instead, change "group.name" to "group.id" in the expression. Only users assigned to the specified groups will have values in this attribute.
How is the SAML assertion previewed and tested?
Access the advanced SAML settings within the application's General tab to preview the SAML assertion and verify that the comma-separated group roles are being sent by following these steps.
- In the Okta Admin Console, navigate to Applications > Applications.
- Select the application, and choose the General tab.
- Scroll to SAML Settings, select Edit, and choose Next.
- In the Configure SAML section, select Show Advanced Settings.
- Select Preview the SAML Assertion.
- NOTE: The application must be assigned to the admin user logged in and testing for the preview to function correctly.
Alternatively, the output can be verified using a SAML tracer tool.
