When configuring an Okta group rule to automatically add users based on the contents of a string array attribute, such as proxyAddresses, the Arrays.contains function fails to return true when the search value is only a substring of an array element. This occurs because the Arrays.contains function in the Okta Expression Language (OEL) performs an exact, case-sensitive match against each element in the array rather than a substring match. Resolve this issue by creating a supplementary string attribute and using the String.stringContains function, or by performing an exact match against a known value.

The group rule evaluates to false for all users, even when those users have entries in the array that contain the substring (for example, SMTP:user@domain.com). Consequently, Okta adds no users to the target group.

• Okta Identity Engine (OIE)
• Okta Classic Engine
• Group Rules
• Okta Expression Language (OEL)

The Arrays.contains function in OEL performs an exact, full-element match against each element in the array. It does not perform substring or partial matching, and it is case-sensitive. The function returns true only when the search value exactly equals an element in the array, character-for-character and case-for-case. 

Additionally, group rule conditions only support a limited subset of OEL functions (String, Arrays, and user expressions). Group rule conditions do not support iteration and collection projection functions that allow a substring check across each element of an array. As a result, there is no native way within a group rule to evaluate whether any element in a string array contains a given substring.

Because Arrays.contains requires an exact, case-sensitive match, and group rules do not support iteration over array elements. Use one of the following options to resolve the issue.

How is a supplementary string attribute used for substring matching?

Create a supplementary string attribute and map the primary address to evaluate the substring:

1. Navigate to Directory > Profile Editor > Okta User (default).
2. Add a new custom attribute with the string data type (not string array), for example, primarySmtpAddress.
3. Populate this attribute via profile mapping from the upstream source of truth (Active Directory, Entra ID, or another source), mapping the primary SMTP address only.
4. Create the group rule using a string function.
   • For Example:

     String.stringContains(user.primarySmtpAddress, "smtp")

   • Or a more specific check, such as:

     String.stringContains(user.primarySmtpAddress, "@domain.com")

How is an exact match against a known value configured?

Use Arrays.contains when matching a specific, fully-qualified value that is known in advance by applying the following expression:

Arrays.contains(user.proxyAddresses, "SMTP:specificuser@domain.com")

NOTE: This option is only practical for targeting a specific user or a small, known set of values. It is not suitable for rules that need to apply broadly across the directory, since every user has a different email address.

What are additional considerations for Okta Expression Language in group rules?

Review the following additional considerations when working with OEL in group rules:

• OEL is case-sensitive for both attribute names and values. Ensure the variable reference (for example, user.proxyAddresses) matches the exact casing defined in the Universal Directory schema.
• Group rule conditions only support String, Arrays, and user expressions. More advanced logic requires a supplementary attribute as described in the first option.
• Always use the Preview function in the group rule builder to validate expression behavior against known test users before activating a rule in production.

Related References

• Okta Expression Language overview guide