Need to customize SAML assertion attribute value for memberof

0D51Y00006ODf67SADOkta Classic EngineSingle Sign-OnAnswered2023-02-08T04:29:44.000Z2019-06-27T15:08:27.000Z2019-07-11T20:10:26.000Z

00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer) asked a question.

Edited July 11, 2019 at 5:18 PM

Any idea on SAML assertion attribute value for memberof value can be placed in single string as below:

Explanation: Let's say we have 3 groups (test-app1, test-app2 and test-app3), If an user access the application then okta should filter group starts with "test-" and get group details starts with "test-" for specific user in SAML assertion as below:

Attribute Name="memberof"

Attribute Value="test-app1,test-app2,test-app3"

Any help would be appreciated with quick response.

Thanks

6ukch and 00ud5pjqh4baHDBT3351.5529153823258633E12 like this.

phoebe.venkat1.5499156810663616E12 (Okta)
7 years ago
Can anyone help Raiz out?
Expand Post
00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer)
7 years ago
I will add some more to the above explanation:

This is for group filter function and it needs expression. Using the expression can we customize member of value in to single string?

Application: Sharepoint
Protocol: SAML2
Groups example : starting with "test-"

Sample result should be:

Attribute Name="memberof"
Attribute Value="test-app1,test-app2,test-app3"

Expand Post
00ufqy4mxkCMrc2vn0h1.5318579510676252E12 (Optiv)
7 years ago
Where are you pulling/creating that memberof attribute? AD?
Expand Post
00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer)
7 years ago
True source is AD but Okta has UD right(Sync from AD), so it can be UD only.

Let me explain with an example, If we are integrating sharepoint app then we get group filter, group filter works with Okta expression language. So can we filter groups starts with "test-" and if user is member of test-app1,test-app2, test-app3 then they need to be align in SAML response as below:

Attribute Name="memberof"
Attribute Value="test-app1,test-app2,test-app3"

A sample expression can help me if this is possible.
Expand Post
00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer)
7 years ago
Can someone help on this ? Ad did not get answer to my query.
Expand Post
00ufqy4mxkCMrc2vn0h1.5318579510676252E12 (Optiv)
7 years ago
To confirm, you are using SAML to federate Okta with SharePoint, not WS-FED? I haven't played with it in awhile, but the WS-FED template does allow for you to name the response and then do the filter. https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Configure_Okta%20Template_WS_Federation.htm
Expand Post
00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer)
7 years ago
It is not WS-FED, It will be a normal SAML2 federation.
Expand Post
00ud5pjqh4baHDBT3351.5529153823258633E12 (Customer)
7 years ago
Concern is not only to filter groups, filtered groups(test-*) say test-app1, test-app2 and test-app3 should come in single attribute statement with comma separated like below:

Attribute Name="memberof"
Attribute Value="test-app1,test-app2,test-app3"
Expand Post

This question is closed.

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies