0D50Z00008C3jk4SAB | Okta Classic Engine | Administration | Answered | 2024-03-25T10:56:20.000Z | 2016-07-28T00:15:22.000Z | 2019-08-24T19:52:21.000Z
How can a user get Application specific Roles assigned to their Profile
We've purchased the Okta Platform as the identity solution for our external customers but 

We are looking for the best way to assign APPLICATION specific Roles to our users.

 

For Example:

Customer 1                       

Application 1                    

User Joe 1                        

>>Role:Analyst                     

-----

Customer 2

Application 2

User Mary

>>Role:Executive

 

Any thoughts will be appreciated!

 


  • If you are talking about provisioning users into applications, if the application supports Okta Provisioning and you have purchased Provisioning for your Okta Org, you can provision users with certain attributes into the app.

     

    It is highly dependent on the app as to exactly how the user is provisioned and what attributes are provisioned.
  • IvanS.86122 (Customer)

    James, thanks for the reply.

     

    Our applications are custom built in a variety of technologies: Java, .Net, Ruby, Django, etc. We do NOT need to provision into the applications but rather provide our custom built applications a data structure which, in my example, can tell the application: this is user Joe, for Application1 and for Customer1, and the Role he has is Analyst.

     

    After that, Okta ends its duty and the custom applications manage the mapping of a Role to specific functionality.
  • Hi Ivan,

     

    This sounds like something you can do with a SAML assertion, if your applications will support this. You could build a SAML app (Okta) with a custom set of attributes and groups (roles); these attributes can pull from the Okta profile. Then program your application to accept those fields via a SAML assertion and translate them into role assignments.

     

    Example:

     

    Okta Profile Attribute: user.app1role

    Okta SAML app with custom attribute: <role> = user.app1role

    App: SAML <role> = Role

     

    This is typically done via provisioning (API calls from Okta) in apps such as O365, Salesforce, Google Apps, etc., rather than via a SAML assertion. The above example is a high-level view but should give you a good start.

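How a custom application might consume the `<role>` attribute from the assertion described in the answer above, as an added example that is not part of the original thread and not Okta's code. It assumes the assertion's signature has already been verified by a SAML library; the attribute name `role`, the entity ID `https://app1.example/saml`, and the role-to-permission map are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: what a SAML app with a custom "role" attribute
# (mapped from user.app1role) might send. The entity ID is hypothetical.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>joe@customer1.example</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://app1.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical map: the application, not Okta, decides what each role may do.
ROLE_PERMISSIONS = {"Analyst": {"reports:read"},
                    "Executive": {"reports:read", "dashboards:read"}}

def roles_from_assertion(xml_text, expected_audience):
    """Return (user, permissions) from an assertion whose signature has
    ALREADY been verified by a SAML library; this function does no crypto."""
    root = ET.fromstring(xml_text)
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    # A role issued for Application 1 must not be honoured by Application 2.
    if expected_audience not in audiences:
        raise PermissionError("assertion was issued for a different application")
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise PermissionError("assertion has no subject")
    perms = set()
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "role":
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # Unknown role names grant nothing (deny by default).
            perms |= ROLE_PERMISSIONS.get((value.text or "").strip(), set())
    return name_id.text.strip(), perms
```

The audience check is what keeps a role scoped to one application: each custom app passes its own entity ID and rejects assertions minted for any other.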
  • IvanS.86122 (Customer)

    James, thanks for the update but I am a little confused with your answer.

    So our applications are custom built, therefore we can build in SAML support. Please confirm if I understand the proposal correctly.
    1. A user profile is created in Okta with custom attributes representing roles. For example:
    2.  User.Profile.Application_name_1 =App1
    3.  User.Profile.Application_role_1 =Role1
    4. ---
    5.  User.Profile.Application_name_2 =App2
    6.  User.Profile.Application_role_2 =Role2
    7. ---
    8.  User.Profile.Application_name_3 =App3
    9.  User.Profile.Application_role_3 =Role3
     
    • The login flow then is that our custom applications accept SAML and pull out the assertions that correspond to their application name and then make an API call to Okta to get the role info?
     

    I'm sure I misunderstood your concept because this does not seem correct. Would you mind expanding on your idea?

     

    Cheers- Ivan

     

     

     

     

  • m9p5z (m9p5z)

    Hi,

    I am trying to accomplish exactly similar objective as described in this issue. I have a legacy 3 layer application. Privileges are controlled via roles and groups. Users are assigned to roles and groups and this information is stored in database.

    Backend has the onus of checking privileges based on userid. There is no single service/module which encapsulates authorization logic - meaning this implementation is spread across the backend layer and is thus hard to change. In this case, what options are available to translate roles/groups defined in Okta to what the application understands?

This question is closed.