
Regex Expression Support With "user.getGroups" Function

Okta Identity Engine
API Access Management

Overview

This article clarifies whether the unified claims feature supports complex regular expressions (regex) for filtering groups.

Applies To

  • Okta Identity Engine (OIE)
  • Group claims
  • Regex

Cause

The new claims feature does not support complex regex matching within the user.getGroups function. The group.profile.name key only supports the following types of operations:

  • Exact Match: Matches the exact group name.

    user.getGroups({'group.profile.name': 'Admin-Group'}).![profile.name]

  • Starts With: Matches group names that begin with a specific string.

    user.getGroups({'group.profile.name': 'Admin-.*'}).![profile.name]

For example, an expression like the one below is not supported for fetching all user groups that start with either Admin- or Service-.

user.getGroups({'group.profile.name': '^(Admin-|Service-).*'}).![profile.name]

Solution

The legacy group claims feature supports complex regular expression (regex) matching.

To configure this, navigate to Security > API > Authorization Server > Claims and use a legacy group filter with the regex.


To use the new claims feature, create separate claims or combine multiple simpler expressions to match each prefix individually (for example, one for Admin- and one for Service-).
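
As an added example (not Okta's code), the Python script below checks a group-name filter against the two forms listed under Cause and, for a plain alternation of literal prefixes such as the unsupported expression above, emits one starts-with expression per prefix so each can be configured as its own claim. The function names and the conservative set of characters treated as regex syntax are assumptions of this example.

```python
import re

# Characters treated as regex syntax (assumption: deliberately conservative,
# so a group name containing any of them is reported rather than guessed at).
_META = set("^$.*+?()[]{}|\\")
_TEMPLATE = "user.getGroups({{'group.profile.name': '{}'}}).![profile.name]"


def classify(pattern):
    """Return 'exact', 'starts_with' or 'unsupported' for a group-name filter."""
    if pattern and not (_META & set(pattern)):
        return "exact"                      # e.g. 'Admin-Group'
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        if prefix and not (_META & set(prefix)):
            return "starts_with"            # e.g. 'Admin-.*'
    return "unsupported"


def split_prefix_alternation(pattern):
    """Split '^(A|B).*' into one starts-with pattern per literal prefix.

    Returns [] when the pattern is anything else; the legacy group filter
    is then the remaining option described in the article.
    """
    m = re.fullmatch(r"\^?\(([^()]*)\)\.\*\$?", pattern)
    if not m:
        return []
    prefixes = m.group(1).split("|")
    if any(not p or (_META & set(p)) for p in prefixes):
        return []
    return [p + ".*" for p in prefixes]


def rewrite(pattern):
    """Return the expressions to configure (one per claim), or [] if none fit."""
    if classify(pattern) != "unsupported":
        return [_TEMPLATE.format(pattern)]
    return [_TEMPLATE.format(p) for p in split_prefix_alternation(pattern)]


if __name__ == "__main__":
    # Constructed sample filters, including the unsupported one from the article.
    for sample in ["Admin-Group", "Admin-.*", "^(Admin-|Service-).*"]:
        print(sample, "->", classify(sample))
        for expr in rewrite(sample):
            print("   ", expr)
```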
