Okta Classic Engine · Single Sign-On · Answered · 2022-12-22 · 2023-01-03 · 2024-04-17

q3l5r (q3l5r) asked a question.

How to map custom group names from Identity Provider to Okta's group?

Hey there,

We have a single app and we have different groups for the different customers. Also, we manage roles based on group membership. We are in the process of implementing SSO for the customers. For that we have to allow full sync of groups so our customers can manage user roles from their AD.

For example:

CompanyA is ours, and CompanyB and CompanyC are customers.

We have groups named like (CompanyB, CompanyC) where we put those users respectively.

Now we want to allow them to manage their own users using an SSO Identity Provider (SAML), so we have to allow the full sync of groups using JIT settings. However, the group names might be different in their Active Directory.

For example:

We named all the users of CompanyB "CompanyB", but they might have a different group name in their Active Directory like "ExternalProductAccessGroup".

So how can we sync groups from CompanyB's AD group name "External Product Access Group" -> our "CompanyB" group?


  • Hello @q3l5r (q3l5r), thank you for reaching out to our Community!

    The best option for this would be to use Group rules, so that users from a specific group will be moved to a different group.

    For example, users from group "External Product Access Group" will be moved to group "CompanyB".

    Please see https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-group-rules.htm

     

    Selected as Best
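A worked example of the answer above, added here and not code from the thread or from Okta: it creates and activates one group rule through the Okta Group Rules API (POST /api/v1/groups/rules, then .../lifecycle/activate) that assigns members of the IdP-sourced group "External Product Access Group" to the "CompanyB" group. The org URL, API token, rule name and target group ID are placeholders, and the group name is validated before it is placed inside the Expression Language string literal.

```python
import json
import urllib.request

# Placeholders (assumptions): your Okta org URL and an SSWS API token with
# group-administration rights. Neither value comes from the thread.
OKTA_ORG = "https://example.okta.com"
API_TOKEN = "00_PLACEHOLDER_API_TOKEN"


def build_group_rule(rule_name, source_group_name, target_group_id):
    """Build the POST /api/v1/groups/rules payload for one mapping rule.

    The condition is an Okta Expression Language test on the JIT-synced
    group's *name* (the value the customer's IdP sends); the action assigns
    matching users to the target Okta group by *ID*.
    """
    # The name is embedded in an EL string literal: a double quote or backslash
    # would break out of that literal, so reject it instead of escaping it.
    if '"' in source_group_name or "\\" in source_group_name:
        raise ValueError("group name must not contain quotes or backslashes")
    return {
        "type": "group_rule",
        "name": rule_name,
        "conditions": {
            "expression": {
                "value": f'isMemberOfGroupName("{source_group_name}")',
                "type": "urn:okta:expression:1.0",
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": [target_group_id]}},
    }


def okta_request(method, path, body=None):
    """Send one authenticated JSON request to the Okta management API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(OKTA_ORG + path, data=data, method=method)
    req.add_header("Authorization", "SSWS " + API_TOKEN)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # activate returns an empty body
    return json.loads(raw) if raw else None


def create_and_activate_rule(rule_name, source_group_name, target_group_id):
    """Create the rule (rules start INACTIVE), then activate it; returns its ID."""
    payload = build_group_rule(rule_name, source_group_name, target_group_id)
    rule = okta_request("POST", "/api/v1/groups/rules", payload)
    okta_request("POST", f"/api/v1/groups/rules/{rule['id']}/lifecycle/activate")
    return rule["id"]


if __name__ == "__main__":
    # "00gPLACEHOLDER" stands in for the real ID of the "CompanyB" Okta group.
    print(create_and_activate_rule("Map External Product Access Group to CompanyB",
                                   "External Product Access Group", "00gPLACEHOLDER"))
```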
  • q3l5r (q3l5r)

    Hey @paul.stiniguta1.508386743840768E12 (Okta, Inc.)

     

    I have tried solutions with Group rules. However, it's not doing the full sync of users.

     

    It's moving the user from "External Product Access Group" to group "CompanyB" but it's not doing the reverse.

     

    For example: once we add a user to "External Product Access Group" it's added and also syncs with "Company B". I'm also able to remove the user from "External Product Access Group" and it's removed from "Company B" as well. However, removing the user from the group where the Group Rule applies kind of ignores that user in any future sync, considering it a manual removal.

     

    Is there any solution for that?

  • q3l5r (q3l5r)

    Can you please explain what you mean by "adding another rule the other way around"?

This question is closed.