<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7VLnSANOkta Classic EngineOkta Integration NetworkAnswered2024-04-15T12:53:45.000Z2017-06-19T17:17:31.000Z2018-06-25T16:09:04.000Z

DavidT.14244 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:20 AM
SAML GROUP ATTRIBUTE STATEMENTS
Hi All,

 

I am trying to pass a specific Key/Value pair for SAML Response.

 

I have a couple groups: Test-Admin, Test-Restricted Admin, etc.

My user is part of a group Test-Admin, my goal is to send the key/value pair of role : Admin.

Another user is part of Test-Restricted Admin, his key/value pair should be role : Restricted Admin.

 

I tried using the GROUP ATTRIBUTE STATEMENTS:

Name: role

Filter: regex

Value: Test-(.*)

 

This partially works as it does set the SAML Attribute, but i was looking for the specific section, not the entire group name:

saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test-Admin </saml2:AttributeValue> </saml2:Attribute>

 

Any help is appreciated. 

 

Thanks
  • 2 answers
  • 12.95K views
bogdan.radu1.5240784598154304E12 likes this.

  • Adam B (Customer)

    David, 

     

    The group attribute statement sends the entire group name along. You'd need a custom function in the attribute statement, or in the profile editor. If you have just two roles, create a custom attribute for that app, and map isMemberOfGroupName("Test-Admin") ? "Admin" : "Restricted Admin" to that value in the profile editor.
    Expand Post

  • 5wnjw (5wnjw)

    Hi Adam

     

    Is there a way to do it dynamically, and not create user attributes for each group name?
This question is closed.
Loading
SAML GROUP ATTRIBUTE STATEMENTS