
WojciechC.10893 (Customer) asked a question.
Hi!
I'm struggling with the following issue:
I have Okta as the IdP, which allows me to log in to AWS via the AWS Single Sign-On app and then the AWS SSO service.
My Okta users can belong to multiple (Okta) groups, and I need the user's group membership value to create ABAC in AWS.
But when the regex Group Attribute Statement returns multiple values, the SAML is formatted like this:
<saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">ProjectX</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">ProjectY</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">ProjectZ</saml:AttributeValue>
</saml:Attribute>
This format is not supported by the AWS implementation of SAML, as it has to get a single value, like:
<saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ProjectX,ProjectY,ProjectZ</saml2:AttributeValue>
</saml2:Attribute>
Does anyone know how the format can be changed? Should I use some tweaked regex? Or, instead of the Group Attribute, is there a way to do it via User attributes with OEL?
Thanks in advance for any piece of advice.
W.

Hi @WojciechC.10893 (Customer),
Thank you for posting on the Okta community page!
I have done some research, but I wasn't able to find a way to change the format; therefore, I would recommend submitting a feature request.
Once feature requests are submitted, they are visible to other Okta admins, who can vote on them to provide more visibility. Using this method will allow you to maintain visibility on your feature requests throughout the process.
Hey,
Thanks for the answer. How can I report a feature request?
Cheers.
W.
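
For checking a captured assertion against the two formats shown in the question at the top of this thread, here is an added example (not code from any participant, Okta or AWS). It lists attributes that carry more than one `AttributeValue` and shows the single comma-joined value the question asks for. The function names, the `email` attribute and the wrapping `AttributeStatement` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: the memberOf attribute from the question plus a
# single-valued attribute, wrapped so it parses as one stand-alone document.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="memberOf" NameFormat="{BASIC}">
    <saml:AttributeValue xsi:type="xs:string">ProjectX</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">ProjectY</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">ProjectZ</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="{BASIC}">
    <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(xml_text):
    """Return {attribute name: [values]} for every saml:Attribute found."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def multi_valued(xml_text):
    """Attributes with more than one AttributeValue (the format in question)."""
    return {n: v for n, v in attribute_values(xml_text).items() if len(v) > 1}


def collapse(values, sep=","):
    """Join values into one string; refuse values that contain the separator,
    because the joined result could no longer be split back unambiguously."""
    bad = [v for v in values if sep in v]
    if bad:
        raise ValueError(f"values contain separator {sep!r}: {bad}")
    return sep.join(values)


if __name__ == "__main__":
    for name, values in multi_valued(SAMPLE).items():
        print(f"{name}: {len(values)} values -> {collapse(values)}")
```

The separator check matters for ABAC: a group whose name itself contains a comma would be indistinguishable from two separate groups once the values are joined.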