
SimonM.78301 (Customer) asked a question.
We are migrating from a legacy SAML Federation setup to Okta as the new SAML IdP.
I am trying to use an Expression to filter and transform the names of AD Groups assigned to a User to a backwards compatible format required by the vendor in a 'roles' attribute, and have been following the following documentation / guides:
https://developer.okta.com/docs/reference/okta-expression-language/*group-functions
From what I can make out, the process is to do this:
- In the Profile Editor: locate User Profile for Application and add Custom Attribute 'Roles' with type String Array
- In the Mappings for the Application's User Profile, under 'Okta to <Application>' tab: enter an Expression to locate desired AD sourced Groups and transform to the new Format, on the App's Custom 'Roles' attribute.
- In the SAML Integration setup for the Application: add the Group Attribute Statement 'roles' with Filter Equals 'appuser.Roles'
Step 2's Expression is what I am having problems with. I'm thinking I need something like:
(note only 1 'role' is accepted by the SP, and there'll be no more than 10 AD Groups following the "ROL APP" naming convention)
getFilteredGroups({Groups.startsWith("active_directory", "ROL APP", 10)}, "group.name", 1) : String.replace(" ", "_") ? null
i.e. locate any Active Directory Groups assigned to the user that start with "ROL APP", and replace spaces with underscores or return null.
The Groups.startsWith() function as first parameter for getFilteredGroups() is what I am having trouble with, when previewing a User in the Profile Editor's Mappings screen (Okta -> App):
- Groups.startsWith("active_directory", "ROL APP", 10) - results in "Unable to resolve Groups in expression" error, so assume use of the Groups prefix is invalid in the context of a Profile Mapping
- startsWith("active_directory", "ROL APP", 10) - results in "Error in evaluating expression" error, I think this is the closest I've gotten to referencing the startsWith() function statement, but am getting the parameters wrong somewhere
- startsWith("active_directory", "ROL APP") - results in "Parameter mismatch - expected 3 but found 2 args" error, so startsWith() is recognised, it's just that the number of parameters I have is invalid.
Does anyone have an example of an expression that can be used to transform the names of AD Groups assigned to a User in order to pass in a SAML Attribute?

Hi Simon,
I believe the article below might provide the required information, please see below
https://support.okta.com/help/s/article/How-to-pass-a-group-name-with-a-prefix-in-the-SAML-assertion?language=en_US
Please note that when copying the expression from the attached documentation, the quotation marks are not recognized by the expression, hence we recommend manually adding them and then testing the expression.
If this does not help, please open a case with Support so we can work on this together.
Thank you
@SimonM.78301 (Customer) the error you are getting in the expression is because of the #10; that doesn't mean 10 groups, it means the length of the characters group allowed. Set that at 100, just be careful: if the group name with the OU location exceeds 100 characters you will get the same Error in evaluation expression.
Also try to use something like:
Groups.startsWith("active_directory","ROL_APP",100)
Regards
Simon,
Did you ever find a solution for this?
I would find this functionality super helpful as well.
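
A way to check the outcome the question is aiming for, as an added example that is not part of this thread or of Okta's documentation: it inspects an assertion for exactly one 'roles' value in the underscore form derived from the user's "ROL APP" groups. The sample assertions, the group names after the "ROL APP" prefix and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed template for sample assertions (not captured from a real tenant).
TEMPLATE = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:AttributeStatement><saml2:Attribute Name="roles">{values}'
    "</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>"
)

def make_assertion(values):
    """Build a constructed assertion carrying the given 'roles' values."""
    body = "".join(f"<saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values)
    return TEMPLATE.format(values=body)

SAMPLE_OK = make_assertion(["ROL_APP_Admin"])
SAMPLE_BAD = make_assertion(["ROL APP Admin", "ROL_APP_Reader"])

def legacy_role(ad_group_name):
    """Legacy form of an AD group name, or None if it is not a role group."""
    if not ad_group_name.startswith("ROL APP"):
        return None
    return ad_group_name.replace(" ", "_")

def check_roles(assertion_xml, ad_groups):
    """Return a list of problems with the 'roles' attribute; empty means OK."""
    # ElementTree is acceptable for trusted test captures; use a hardened
    # parser such as defusedxml for XML from untrusted sources.
    root = ET.fromstring(assertion_xml)
    path = ".//saml2:Attribute[@Name='roles']/saml2:AttributeValue"
    values = [v.text or "" for v in root.findall(path, NS)]
    expected = {r for r in map(legacy_role, ad_groups) if r}
    problems = []
    if len(values) != 1:  # the SP accepts only one role
        problems.append(f"expected exactly 1 role value, found {len(values)}")
    for v in values:
        if " " in v:
            problems.append(f"untransformed value (contains spaces): {v!r}")
        elif v not in expected:
            problems.append(f"value not derived from the user's ROL APP groups: {v!r}")
    return problems

if __name__ == "__main__":
    groups = ["ROL APP Admin", "ROL APP Reader", "Domain Users"]
    print(check_roles(SAMPLE_OK, groups))
    print(check_roles(SAMPLE_BAD, groups))
```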