
4znjl (4znjl) asked a question.
I'm having trouble getting AD groups from OIDC claims.
I did the following tests based on the information here:
In the Okta OpenID Connect app, I tried setting the Groups claim expression to:
`Arrays.flatten(Groups.startsWith("OKTA","",100))` - returns all Okta groups
`Arrays.flatten(Groups.startsWith("OKTA","",50))` - returns all Okta groups
`Arrays.flatten(Groups.startsWith("OKTA","",5))` - returns no claims with error "The 'groups' user claim could not be evaluated" (??)
In Okta Admin, if I go Directory > Profile Editor > Directories tab, the single profile has a variable of `active_directory`, so I tried:
`Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))`
And got empty claims with the error: "The error message returned is: The 'groups' user claim could not be evaluated."
When I go to Directory > Profile Sources, there's a single 'Active Directory' source with a variable name of `corp.internal`, so I tried:
`Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("corp.internal","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("corp.internal","",100))`
And this returns all Okta groups. This would indicate to me that the `Groups.startsWith("corp.internal","",100)` actually returned something but it was empty.
Any help appreciated, thanks.

Hi,
For this type of question I would recommend checking the Okta dev forum. Due to the nature of the case and the error you received, it is very likely that access to your org is required to properly troubleshoot the issue. My recommendation would be to open a case with the dev team to troubleshoot further.
Hi Jurguen, ok I'll do that
In order to get AD groups you need to use `active_directory` instead of `OKTA`. Also, the number at the end is the character length, not the number of groups, and be careful as this also counts the `OU=` in which the group is located. For example,
`MyGroup,OU=Security Groups,DC=subdomain,DC=domain,DC=com` is equal to 57 characters; if your rule has 50 in it, it will return the "could not be evaluated" error.
Try the following in order to evaluate and show AD groups and OKTA groups:
`Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))`
JUST BE CAREFUL: if `Arrays.isEmpty` tries to evaluate anything with more than 100 characters, it will give you the same evaluation error.
Basically the rule for this is: make sure your AD name and path don't have more than 100 characters, and the same for the OKTA group name.
Forgot to mention: so far OKTA doesn't allow more than 100 characters, unfortunately 😞
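A pre-flight check for the expression in the answer above, added here as constructed example code (not Okta's, and not from anyone in this thread). It models the ternary `Arrays.isEmpty(...) ? ... : Arrays.flatten(...)` in Python and, taking the answer's explanation as its assumption, treats the third argument of `Groups.startsWith()` as a character cap on each group's full AD path that fails the whole claim when exceeded; the group names and DNs are constructed sample data.

```python
"""Constructed pre-flight check for an Okta group-claim expression.

Assumption (from the answer above, not verified against Okta docs): the
third argument of Groups.startsWith() caps the character length of each
group's full AD path, and one over-long group fails the whole claim.
"""
import json

LIMIT = 100  # value used in Groups.startsWith("active_directory", "", 100)

# Constructed sample data: Okta groups and AD group DNs on a user's profile
OKTA_GROUPS = ["Everyone", "App-Admins"]
AD_GROUPS = [
    "CN=VPN Users,OU=Security Groups,DC=corp,DC=internal",
    "CN=Finance Reporting Read Only,OU=Application Access,"
    "OU=Regional Offices EMEA,OU=Security Groups,DC=corp,DC=internal",
]


def oversized(groups, limit=LIMIT):
    """Return (group, length) for every entry longer than the cap."""
    return [(g, len(g)) for g in groups if len(g) > limit]


def starts_with(groups, pattern, limit=LIMIT):
    """Model Groups.startsWith(source, pattern, limit): keep entries with
    the prefix, and fail the way the thread describes if one is too long."""
    matches = [g for g in groups if g.startswith(pattern)]
    bad = oversized(matches, limit)
    if bad:
        raise ValueError("The 'groups' user claim could not be evaluated: "
                         + ", ".join(f"{g} ({n} chars)" for g, n in bad))
    return matches


def groups_claim(okta_groups, ad_groups, limit=LIMIT):
    """Model the ternary expression: Okta groups only when the AD lookup is
    empty, otherwise both lists flattened into one 'groups' claim."""
    ad = starts_with(ad_groups, "", limit)
    if not ad:  # Arrays.isEmpty(Arrays.toCsvString(...))
        return starts_with(okta_groups, "", limit)
    return starts_with(okta_groups, "", limit) + ad  # Arrays.flatten(...)


if __name__ == "__main__":
    for dn, n in oversized(AD_GROUPS):
        print(f"over {LIMIT} chars ({n}): {dn}")
    print(json.dumps({"groups": groups_claim(OKTA_GROUPS, AD_GROUPS[:1])}))
```

Run it against an export of the group DNs from the AD profile source to list every group that would trip the cap before touching the claim expression.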