Okta Classic Engine | Administration | Answered | 2021-07-21 | 2020-10-15 | 2020-10-27

ScottS.89055 (Customer) asked a question.

Send SAML attribute if user is a member of a certain group, don't if not

Is it possible for me to send a particular SAML attribute if a user is a member of a particular group, and omit it if not? If it is possible, how do you implement it?

I am working with an SP that will automatically provision new and update existing users based on the attributes sent in the SAML assertion. This includes first name, last name, and email address. Additionally, it also includes the ability to automatically grant the admin role if you send the "admin" attribute with a value of "true".

If you don't want to provision the admin role, the SP wants you to omit the admin attribute from the assertion. Is it possible to dynamically send this attribute depending on group membership? If so, how?


  • The app attribute can be named as App Role. This attribute can have values as "Admin" or "User".

    Similar to FirstName/LastName, you can map this attribute to the role attribute in the app.

    The app can handle access as received in the SAML assertion.

    Hope this helps.

    Selected as Best
  • Hi Scott, one way is to create a custom attribute in the user's Okta profile and set it to the required role.

    You can map this custom attribute in the SAML app as per your requirement.

  • ScottS.89055 (Customer)

    I believe I understand setting the custom attribute on the user profile; however, can you please explain how to pass this custom attribute in the SAML assertion only in cases where the attribute is present? Is this some sort of advanced configuration or expression I need to set somewhere? If so, where, and how?

  • sandeepk.84743 (Wipro Technologies)

    Hi Scott,

    As mentioned by @User15978384364548105606 (Customer) also, create a custom attribute, say "AppRole", inside the profile editor of your application. You can make it a required attribute for all the users. Now you need to define the mapping of this attribute from the user attributes. Okta will assume that this attribute will come from your user directory.

    Secondly, inside the SAML assertion attribute statement, similar to user.firstName & user.LastName, you can pass the attribute as user.AppRole. While sending the assertion to the SP, Okta will calculate the value dynamically & include it in the SAML assertion. Use the SAML tracer to validate it.

This question is closed.
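An added example, not code from this thread or from Okta: it models the behaviour Scott asks for with a mock IdP that emits the "admin" attribute only for members of a named group (and omits it entirely otherwise), plus the SP-side check that grants the role only when the attribute is present with the exact value "true". The user directory, group name "App Admins", and all profile values are constructed sample data; the XML produced is a SAML 2.0 AttributeStatement, so it can be compared with what a SAML tracer shows.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample directory (hypothetical): user -> (profile, group memberships).
USERS = {
    "alice": ({"firstName": "Alice", "lastName": "Smith", "email": "alice@example.com"},
              {"App Admins", "Everyone"}),
    "bob":   ({"firstName": "Bob", "lastName": "Jones", "email": "bob@example.com"},
              {"Everyone"}),
}
ADMIN_GROUP = "App Admins"  # assumed group whose members receive the admin attribute


def build_attribute_statement(username: str) -> ET.Element:
    """Mock IdP: build a saml:AttributeStatement for the user.
    The admin attribute is added only for ADMIN_GROUP members; non-members get
    no admin attribute at all, which is what the SP in the thread requires."""
    profile, groups = USERS[username]
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attrs = dict(profile)
    if ADMIN_GROUP in groups:
        attrs["admin"] = "true"  # emitted only for group members
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


def assertion_for(username: str) -> str:
    """Serialise the statement as the SP (or a SAML tracer) would see it."""
    return ET.tostring(build_attribute_statement(username), encoding="unicode")


def attribute_names(statement_xml: str) -> list[str]:
    root = ET.fromstring(statement_xml)
    return [a.get("Name") for a in root.findall(f"{{{SAML_NS}}}Attribute")]


def sp_grants_admin(statement_xml: str) -> bool:
    """SP-side check: admin only if the attribute exists AND its single value is
    exactly "true". A missing attribute, or any other value, is not admin."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "admin":
            values = [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
            return values == ["true"]
    return False


if __name__ == "__main__":
    for user in USERS:
        xml = assertion_for(user)
        print(user, attribute_names(xml), "admin" if sp_grants_admin(xml) else "user")
```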