Okta Classic Engine | Integrations | Answered | 2022-05-31T14:15:52.000Z | 2026-06-03T18:57:57.000Z

l8y4y (l8y4y) asked a question.

Mapping AD groups to custom app roles

We currently pass through AD groups in the SAML to external applications using the Group Attribute statement. However, we now have an app where mapping is needed. The app is assigned in Okta via several AD groups and each group maps to a role in the vendor application. Vendor states they cannot do the mapping on their side. So I need something like this, where an AD group maps to a specific role value. We cannot name the AD groups to the same value as the roles needed in the app due to their generic nature (i.e. 'Admin').

ADGroup1 > Admin

ADGroup2 > Viewer

ADGroup3 > Member

etc.

 

Is such mapping possible in Okta? Thank you


  • Hello @l8y4y (l8y4y)  Thank you for reaching out to our Community!

     

    This should be possible, depending on how the application is configured.

    If the application is from our Catalog and it has Provisioning Options you can select the required Role when assigning the group to the application, see screenshot below:

    [Screenshot 2022-06-01 at 10.54.52]

    If this is a Custom SAML application, this should be achievable through Group Attribute Statements, part from the configuration part.

     

    Hope this helps!

    Selected as Best
  • l8y4y (l8y4y)

    Thanks. Unfortunately this is not an app from the OIN, it's a custom SAML config and is not configured for provisioning from Okta. App vendor wants specific role values to be passed in a SAML attribute 'Role' and the role values are derived from AD group name. It is looking like the app security admins may need to assign the roles manually after users are created at first login. Vendor recommends this approach but our client asked that we check to see if it was possible to automate. Appreciate the reply.

  • Hello @l8y4y (l8y4y)  In this case you can use Group Statement Attribute to have this configured, and based on membership you should provide the required Roles within the application. However, for this I would recommend working with the app developers for the required information.
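
Whichever way the 'Role' attribute ends up being populated, the value the app receives can be checked against the user's AD groups. The following is an added example, not part of the original posts and not Okta's or the vendor's code: it reads 'Role' from an assertion and reports any value the ADGroup1 > Admin style mapping from the question does not justify. The function names, the sample assertion and the rule that exactly one Role value is expected are assumptions; the assertion's signature is assumed to have been validated already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping from the question above; the group names are the poster's placeholders.
GROUP_TO_ROLE = {"ADGroup1": "Admin", "ADGroup2": "Viewer", "ADGroup3": "Member"}


def role_values(assertion_xml, attr_name="Role"):
    """Return every value of the named attribute in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    return [
        (value.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == attr_name
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]


def check_role(assertion_xml, user_groups):
    """Compare the asserted Role with the roles the user's AD groups justify."""
    entitled = {GROUP_TO_ROLE[g] for g in user_groups if g in GROUP_TO_ROLE}
    asserted = role_values(assertion_xml)
    findings = []
    if not asserted:
        findings.append("no Role value in assertion")
    if len(asserted) > 1:  # assumption: the app expects a single Role value
        findings.append("multiple Role values: " + ", ".join(asserted))
    for role in asserted:
        if role not in GROUP_TO_ROLE.values():
            findings.append("unknown role: " + role)
        elif role not in entitled:
            findings.append("role not backed by group membership: " + role)
    return findings


def sample_assertion(*roles):
    """Build a constructed, unsigned assertion fragment for the demo."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AttributeStatement><saml:Attribute Name="Role">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    print(check_role(sample_assertion("Viewer"), ["ADGroup2", "Domain Users"]))
    print(check_role(sample_assertion("Admin"), ["ADGroup2"]))
```

The same check applies if the app's security admins assign roles manually: feed it the role recorded in the app and the user's current AD groups to spot role assignments that no group membership supports.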

This question is closed.