Sending SAML Attribute Based on AppUser Attribute Using Group Attribute Type
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article describes how to send Security Assertion Markup Language (SAML) attributes from a custom AppUser attribute that uses the Group attribute type, without relying on the Okta User Profile to store the information.

This avoids violating the Attribute Statement Character Limit: the attribute statement's Value field holds only a short variable that references the application user profile, while the actual mapped value (which can exceed the 1024-character limit) is populated at the group level.

Applies To
  • Security Assertion Markup Language (SAML) 2.0
Solution

This solution sends SAML attributes using a custom AppUser attribute with the Group attribute type. The Group attribute type allows a value to be sent for every user that is assigned to a group under the application's Assignments tab.

  1. Navigate to Directory > Profile Editor > Users > click on the application's name.
  2. Click on + Add Attribute.
     [Screenshot: Add Attribute]
  3. Select the desired Data type. The string data type is for a single value, while the string array data type is for multiple values.
     [Screenshot: Data type]
  4. Enter the desired Display name and Variable name.
     [Screenshot: Attribute configuration]
  5. (Optional) Selecting Define enumerated list of values allows selection from pre-populated values. Without this option, the attribute value must be entered manually.
     [Screenshot: Define enumerated list of values]
  6. Set the attribute type to Group.
     [Screenshot: Attribute type]
  7. Navigate to the application's General tab, then SAML Settings > Edit > Next (General Settings) > SAML Settings > Show Advanced Settings.
     [Screenshot: Show Advanced Settings]
  8. Add an attribute statement.
     • In this example, role is the attribute name that will be sent in the SAML Response, and appuser.role is the variable whose value is sent for the attribute, based on what is configured in the subsequent steps.
       • appuser references the Application User Profile for this specific application.
       • role references the custom attribute created in the previous steps.
     [Screenshot: Attribute statement]
  9. Navigate to the Assignments tab and assign a group by clicking Assign > Assign to Groups, then search for the desired group and click Assign.
     [Screenshot: Assign to Groups]
  10. Enter the value to be sent as the attribute value for the group.
  11. Test the login and check the SAML Response to ensure it is sending the expected attribute name and attribute value.

<saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml2:AttributeValue>
</saml2:Attribute>
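To make the check in step 11 repeatable rather than a one-off read of the SAML tracer output, the following Python script (an added example, not part of the Okta article) parses a decoded SAML Response and compares its attribute statement with the values entered for the group. The sample response is constructed to match the fragment above; the "permissions" attribute and its two values are assumed here to illustrate how a string-array attribute would appear as several AttributeValue elements under one Attribute.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the response and assertion elements.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not a real Okta capture), shaped like the
# fragment shown after step 11: a single-valued "role" attribute plus an
# assumed multi-valued "permissions" attribute of the kind a string-array
# AppUser attribute would produce.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 ID="_constructed-response-id" Version="2.0">
  <saml2:Assertion ID="_constructed-assertion-id" Version="2.0">
    <saml2:Subject>
      <saml2:NameID>user@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="role"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">Admin</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="permissions"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">read</saml2:AttributeValue>
        <saml2:AttributeValue xsi:type="xs:string">write</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def extract_attributes(response_xml):
    """Return {attribute name: [values...]} from every AttributeStatement.

    Values are stripped so whitespace from pretty-printing does not cause
    false mismatches.
    """
    root = ET.fromstring(response_xml)
    attributes = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes.setdefault(name, []).extend(values)
    return attributes


def check_expected(attributes, expected):
    """Compare parsed attributes with what the configuration should produce.

    `expected` maps attribute name -> list of values (what was entered for
    the group in step 10). Returns a list of human-readable problems; an
    empty list means the response matches. Value order is ignored because a
    multi-valued attribute is a set of values.
    """
    problems = []
    for name, want in expected.items():
        got = attributes.get(name)
        if got is None:
            problems.append(f"missing attribute {name!r}")
        elif sorted(got) != sorted(want):
            problems.append(f"attribute {name!r}: expected {sorted(want)}, got {sorted(got)}")
    return problems


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_RESPONSE)
    print(parsed)
    for problem in check_expected(parsed, {"role": ["Admin"], "permissions": ["read", "write"]}):
        print("MISMATCH:", problem)
```

Feed the script the base64-decoded SAMLResponse captured from the test login (for example from a browser SAML tracer) in place of the constructed sample. This only checks attribute content; signature and audience validation remain the job of the service provider's SAML library.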
