
l8y4y (l8y4y) asked a question.
We currently pass through AD groups in the SAML to external applications using the Group Attribute statement. However, we now have an app where mapping is needed. The app is assigned in Okta via several AD groups, and each group maps to a role in the vendor application. The vendor states they cannot do the mapping on their side. So I need something like this, where an AD group maps to a specific role value. We cannot name the AD groups to the same value as the roles needed in the app due to their generic nature (i.e. 'Admin').
ADGroup1 > Admin
ADGroup2 > Viewer
ADGroup3 > Member
etc.
Is such mapping possible in Okta? Thank you

Hello @l8y4y (l8y4y), thank you for reaching out to our Community!
This should be possible, depending on how the application is configured.
If the application is from our Catalog and it has Provisioning Options, you can select the required Role when assigning the group to the application, see screenshot below:
Hope this helps!
Thanks. Unfortunately, this is not an app from the OIN; it's a custom SAML config and is not configured for provisioning from Okta. The app vendor wants specific role values to be passed in a SAML attribute 'Role', and the role values are derived from the AD group name. It is looking like the app security admins may need to assign the roles manually after users are created at first login. The vendor recommends this approach, but our client asked that we check to see if it was possible to automate. Appreciate the reply.
Hello @l8y4y (l8y4y), in this case you can use the Group Statement Attribute to have this configured, and based on membership you should provide the required Roles within the application; however, for this I would recommend working with the app developers for the required information.