Okta Classic Engine · Single Sign-On · Status: Answered · Asked 2018-09-25, last updated 2018-09-28

LukeA.11986 (Customer) asked a question.

Looking for advice on creating an attribute-based permission system within Okta

I am trying to create an SSO app using SAML authentication with Okta. I have gotten to the stage where the app can successfully authenticate Okta users and access the information in the SAML assertion - groups and user attributes.

Our cloud-based app uses an attribute-based access control system to define what a user can access and their personal configuration - this is done by an admin and not on a user level. We have UIs in place for an admin who logs into our system to set this up; however, we would prefer a method of doing so strictly through Okta, or a transitory app that requires an Okta authentication and then populates Okta automatically with the correct configuration.

I am looking for advice on what the best methodology would be to implement such a system in Okta, as a role-based system or simply using group names wouldn't be granular enough. The values of permissions are not fixed and vary on a tenant-by-tenant basis, e.g. skill: 423, 532, 323, where these skill IDs would only exist for the one tenant and not another.

An ideal system would be one where a group is created in Okta by a transitory system on the SP side, with custom attributes attached to that group that could be retrieved via an API call or from the SAML assertion from Okta when a user logs in.

Any help in this would be greatly appreciated.
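The SP-side half of the design Luke describes (read groups and a multi-valued skill attribute out of the SAML assertion, then make an ABAC decision scoped to the tenant) is shown below as an added example. This is not code from the original post or from Okta; the attribute names `tenant`, `groups` and `skills`, the skill registry and the sample AttributeStatement are all constructed for illustration. It assumes the surrounding SAML Response has already been signature-verified and audience/time-checked by a real SAML library, and only then reads the AttributeStatement. The security point it adds is that skill IDs are tenant-scoped, so any ID the assertion carries that is not defined for that tenant is dropped (and surfaced for logging) rather than trusted.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Added example, not code from the original post or from Okta.
# Assumes the enclosing SAML Response/Assertion has ALREADY been
# signature-verified, audience- and time-checked by a real SAML library;
# only then is it safe to read the AttributeStatement. For untrusted XML
# in production, parse with defusedxml instead of the stdlib parser.

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement (hypothetical attribute names
# "tenant", "groups", "skills"; skill 999 is not defined for tenant acme).
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="tenant">
    <saml2:AttributeValue>acme</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    <saml2:AttributeValue>acme-supervisors</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="skills">
    <saml2:AttributeValue>423</saml2:AttributeValue>
    <saml2:AttributeValue>532</saml2:AttributeValue>
    <saml2:AttributeValue>999</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

# Hypothetical SP-side registry: which skill IDs exist for which tenant.
# IDs are tenant-scoped; the same number may mean nothing in another tenant.
TENANT_SKILLS: dict[str, frozenset[str]] = {
    "acme": frozenset({"423", "532", "323"}),
    "globex": frozenset({"101", "102"}),
}


def parse_attributes(statement_xml: str) -> dict[str, list[str]]:
    """Return {AttributeName: [values...]} from a SAML AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs: dict[str, list[str]] = {}
    # iter() with Clark notation finds Attribute elements whether we were
    # handed the bare AttributeStatement or a whole Assertion.
    for attr in root.iter(f"{{{SAML_NS['saml2']}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        values = [
            (v.text or "").strip()
            for v in attr.findall("saml2:AttributeValue", SAML_NS)
        ]
        attrs.setdefault(name, []).extend(values)
    return attrs


@dataclass(frozen=True)
class Principal:
    tenant: str
    groups: frozenset[str]
    skills: frozenset[str]          # only IDs valid for this tenant
    dropped_skills: frozenset[str]  # claimed but unknown here; log these


def principal_from_attributes(attrs: dict[str, list[str]]) -> Principal:
    """Build the authorization subject, scoping every skill ID to its tenant."""
    tenants = attrs.get("tenant", [])
    if len(tenants) != 1 or tenants[0] not in TENANT_SKILLS:
        raise ValueError("assertion must carry exactly one known tenant")
    tenant = tenants[0]
    claimed = frozenset(attrs.get("skills", []))
    valid = claimed & TENANT_SKILLS[tenant]
    return Principal(
        tenant=tenant,
        groups=frozenset(attrs.get("groups", [])),
        skills=valid,
        dropped_skills=claimed - valid,
    )


def can_access(
    principal: Principal,
    resource_tenant: str,
    required_skill: str | None = None,
    required_group: str | None = None,
) -> bool:
    """Deny by default: tenant must match, then each stated requirement must hold."""
    if principal.tenant != resource_tenant:
        return False
    if required_group is not None and required_group not in principal.groups:
        return False
    if required_skill is not None and required_skill not in principal.skills:
        return False
    return True


if __name__ == "__main__":
    p = principal_from_attributes(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
    print(p)
    print(can_access(p, "acme", required_skill="423"))    # True
    print(can_access(p, "acme", required_skill="999"))    # False: unknown for acme
    print(can_access(p, "globex", required_skill="423"))  # False: wrong tenant
```

Whether the skill values come from a user attribute or from a custom attribute on a group that the assertion carries, the SP-side check is the same: the IdP asserts the values, but the SP owns the definition of what each value means for which tenant, so the intersection with the tenant's own registry is what gets authorized, never the raw list.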


  • Hi,

    My name is Silviu and I am a Technical Support Engineer (Tier II) at Okta.

    The level of complexity you demand cannot be achieved by our SAML templates or the SAML Integration Wizard in the Okta Admin Console. Still, I think that's entirely possible with us if you submit your app along with all the necessary information at the link below:

    https://oinmanager.okta.com/

    From there you will enter a 4-phase cycle in which you'll communicate directly with our Product Team, which will provide some Runscope tests for your app to pass and then proceed with its integration into our OIN. Please note that the app can be requested to be Public (visible in the OIN to all orgs) or Private (visible only to the orgs you mention).

    For any further assistance, please open a case with Okta Support and provide all the necessary pieces of information, if not provided yet.

    Wish you all the best in your work, Luke!

    Thank You,

    Silviu Muraru

    Technical Support Engineer | Okta Inc.

    Selected as Best
  • mike.davie1.5312945692819849E12 (Customer First Programs)

    Hello Luke,

    Thanks for posting your inquiry in the Okta Community Portal.

    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

    Thank you,

    Mike Davie

    Okta Help Center
This question is closed.