Pravin KumarM.32372 (Customer) asked a question.
Hi,
I trying to convert multiple global groups into a string format. Currently when I use this formula on global group attribute statement.
Matches regex ^G_CKT2.*||.*G_KX.*
I can see SAML return this as below.
<saml2:Attribute Name="Global_Groups__c"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">G_KX_UNIVERSE_ORG</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">G_CKT2_SATURN_ORG</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">G_KX_NEW_GROUP_USER</saml2:AttributeValue>
</saml2:Attribute>
but my required value should be in this format
<saml:AttributeValue xsi:type="xs:string">g_ckt2_saturn_org,g_kx_universe_org,g_kx_new_group </saml:AttributeValue>
</saml:Attribute>
Can anyone please let me know if you have face such issue. I did try with Match Regex but its not working.
Thanks
Hi @Pravin KumarM.32372 (Customer) , Thank you for reaching out to the Okta Community!
Short answer: This is not supported.
Long answer:
The "Group Attribute Statement" will provide one line per group that matches the regex (as in your example).
If you decide to use an "Additional Attribute Statement" instead, you might be able to leverage the Okta Expression Language for complex syntaxes, but the default group functions only return arrays or boolean.
https://developer.okta.com/docs/reference/okta-expression-language/#group-functions
The closest thing I could find is this,
https://support.okta.com/help/s/question/0D50Z00008G7UwmSAF/okta-expression-language-join-strings-based-on-multiple-group-memberships?language=en_US
but it's in no way dynamic, implying that you have to make a list of all of the groups involved (+get their IDs) and it does not actually cover situations where the user might not be part of some of the groups.
I was discussing this use case with a friend and he suggested Okta Workflows, but that opens up a whole other can of worms 🙂 ...
With Workflows you can technically do it since you can call the Okta API, get a JSON with a user's groups, then make a call to write to an attribute on the user's profile with that value. So in theory it's doable, but it's a question of how much work and time (maybe even money) do you want to invest into just passing those values to the down-stream app.
More info on Okta Workflows can be found here:
https://www.okta.com/platform/workflows/
Have a great rest of the day!