<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00007yddfhCAAOkta Classic EngineSingle Sign-OnAnswered2024-03-25T11:35:42.000Z2022-08-23T20:22:08.000Z2022-08-24T19:01:09.000Z

wd62p (wd62p) asked a question.

August 23, 2022 at 8:22 PM
Pass attributes to SAML integrated application based on group membership

I have created a custom SAML integration in Okta Classic and I would like to pass values to the application based on group membership.

 

For example, if I assign the group named "Group-Admins" to the application, I want to pass across a value of "admin" in the SAML response for all users that are a member of that group. The value doesn't matter, but it will be different to the group name.

 

To be clear, I do NOT want to pass the group name itself using group attributes.

 

I am effectively looking for the Okta equivalent of App Roles in Azure: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

 

Is this possible with Okta Classic?

 

Thanks

  • 1 answer
  • 1.16K views

  • Mihai N. (Okta, Inc.)

    Hi @wd62p (wd62p)​ , Thank you for reaching out to the Okta Community!

     

    You'll need to set up a custom expression (Okta Expression Language) under the app's Attributes Statements using conditional expressions and the isMemberOfGroup or isMemberOfGroupName functions. 

     

    Examples: 

     

    isMemberOfGroup("00gpredactedkPfi0x7") ? "Admin" : isMemberOfGroup("00gpredactedJKJSx0x7") ? "User" : isMemberOfGroup("00gpredacted10x7") ? "SuperAdmin" : null

     

    OR

     

    isMemberOfGroupName("Role_Admin") ? "Admin" : isMemberOfGroupName("Role_User") ? "User" : isMemberOfGroupName("Role_SUPER_Admin") ? "SuperAdmin" : null

     

    Where the above translates to: 

     

    IF user is member of "Role_Admin" THEN send value "Admin" OTHERWISE IF user is member of "Role_User" THEN send value "User" OTHERWISE IF user is member of "Role_SUPER_Admin" THEN send value "SuperAdmin" OTHERWISE send null 

     

    Pasted Graphic 

     

    The syntax can be expanded or reduced as needed. 

     

     

    Okta Expression Language reference documentation can be found here:

    https://developer.okta.com/docs/reference/okta-expression-language/#group-functions

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

    --------------------------------

    The Okta Community Catalysts Program is now live. Collect online badges when you participate in the Okta Help Center Questions community. Learn more here.

    Expand Post
This question is closed.
Loading
Pass attributes to SAML integrated application based on group membership