
bjgjo (bjgjo) asked a question.
I'm looking to migrate a SAML app from ADFS to Okta, but seem to be running into an Okta limitation. The goal is to send group memberships as SAML attributes, but transform the values to include more than just the group name.
As far as I can tell, Okta's "group attribute statements" section lets me specify the attribute name and a filter to determine which groups to include, but no way to customize the attribute value--it is always the group name. In ADFS we likewise filtered groups based on a regex, then ran a RegExReplace on the values to tweak them as needed.
I thought of using the regular attribute statements section instead, where I could customize the values, but couldn't come up with a way to return and filter the user's group memberships, then regex replace on each.
Any suggestions?

When you configure a custom SAML app, there will be options for both "ATTRIBUTE STATEMENTS" and "GROUP ATTRIBUTE STATEMENTS". While there is a separate configuration item for these in the Okta interface, I believe they both add the same thing to the actual SAML assertion. Both are just attribute statements in the actual SAML assertion.
So given the configuration item for the groups does not allow transformation of the group names being sent, you might be able to use Okta's Expression Language in the "ATTRIBUTE STATEMENTS" section to get the desired values.
Linked below is the Okta Expression Language:
https://developer.okta.com/reference/okta_expression_language/
Check out the section on group functions. The following example of a function worked for me:
isMemberOfGroupName("Everyone") ? "Everybody" : "Nobody"
This function checks to see if a user is a member of the "Everyone" group. If they are, it sends a transformed value of "Everybody". If they are not a member of the group, it would send "Nobody". So you could use this very function with a real group name instead of the "Everyone" group and maybe just make it null, instead of "Nobody" when the condition resolves to false.
Don't know your environment, but you may need more clever expressions.
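To make the gap under discussion concrete, here is an added Python example (not code from the thread, Okta, or ADFS) that models the two approaches side by side: the ADFS-style "filter groups by regex, then regex-replace each value" pipeline the asker wants to reproduce, and the fixed per-group mapping that the ternary expression in the answer amounts to. It then renders the resulting values as a SAML 2.0 AttributeStatement so the shape of what lands in the assertion is visible. The group names, the APP- prefix, and the "role:" output format are constructed placeholders, not values from the thread.

```python
import re
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample membership list for a hypothetical user (placeholder names).
SAMPLE_GROUPS = ["APP-Finance-Admins", "Everyone", "APP-Finance-Readers", "IT-Helpdesk"]


def filter_and_transform(groups, include_regex, find_regex, replacement):
    """ADFS-style pipeline: keep only groups matching include_regex, then
    apply a regex substitution to each surviving name. A new group that follows
    the naming convention is picked up with no further configuration."""
    include = re.compile(include_regex)
    find = re.compile(find_regex)
    return [find.sub(replacement, g) for g in groups if include.search(g)]


def static_transform(groups, mapping):
    """What a chain of isMemberOfGroupName(...) ? "value" : null expressions
    amounts to: every group needs its own entry, so a new group is silently
    dropped until an admin adds it to the mapping."""
    return [mapping[g] for g in groups if g in mapping]


def build_attribute_statement(attr_name, values):
    """Render values as one SAML Attribute with one AttributeValue per group,
    which is how both Okta configuration sections end up in the assertion."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=attr_name)
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def count_attribute_values(xml_text):
    """Parse the statement back and count AttributeValue elements."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{SAML_NS}}}AttributeValue"))


if __name__ == "__main__":
    dynamic = filter_and_transform(SAMPLE_GROUPS, r"^APP-", r"^APP-(.*)$", r"role:\1")
    static = static_transform(SAMPLE_GROUPS, {"APP-Finance-Admins": "role:Finance-Admins"})
    print("dynamic:", dynamic)   # APP-Finance-Readers included automatically
    print("static: ", static)    # APP-Finance-Readers missing: not in the mapping
    print(build_attribute_statement("roles", dynamic))
```

The dynamic function is the behaviour described for ADFS: the application owner creates a new APP- prefixed group and it flows through untouched by an Okta admin. The static function shows why a per-group conditional expression does not scale to an open-ended set of groups.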
Thanks for the response, Gabriel. If I had a small and defined set of groups I think that would work well. Unfortunately there could be an arbitrary number -- currently 35 and growing -- and one of the goals is that an Okta admin need not be involved when a new group is needed. As built years ago with ADFS the application owner can simply create a new source group with a naming prefix, and define a corresponding role in the downstream application. Trying to avoid two steps backward here but may not be possible.
@Role dddugan IT Services, I have exactly the same requirement. Did you find any solution that fulfills your requirement?