
q3l5r (q3l5r) asked a question.
Hey There,
We have a single app and we have different groups for the different customers. Also, we manage roles based on group membership. We are in the process of implementing SSO for the customers. For that we have to allow full sync of groups so our customers can manage user roles from their AD.
For example:
CompanyA is ours, and CompanyB and CompanyC are customers.
We have group names like (CompanyB, CompanyC) where we put those users respectively.
Now we want to allow them to manage their own users using an SSO Identity Provider (SAML), so we have to allow the full sync of groups using JIT settings. However, the group names might be different in their Active Directory.
For example:
We named all the users of CompanyB to "CompanyB", but they might have a different group name in their Active Directory, like "ExternalProductAccessGroup".
So how can we sync groups from CompanyB AD's group name - "External Product Access Group" -> our "CompanyB" group?

Hello @q3l5r (q3l5r), thank you for reaching out to our Community!
The best option for this would be to use Group rules, so that users from a specific group will be moved to a different group.
For example, users from group "External Product Access Group" will be moved to group "CompanyB".
Please see https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-group-rules.htm
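The mapping suggested in the answer above, written out as an added example (not part of the original thread and not Okta's own code): it builds one group rule body per customer mapping in the shape used by Okta's Group Rules API (`POST /api/v1/groups/rules`) and refuses mappings that could land one customer's users in another customer's group. The mapping table, the second customer's group name and the group ids are constructed placeholders; confirm the field names against the current Okta API reference before sending anything.

```python
import json

# Constructed sample mapping: customer-side group name -> our Okta group.
# The target ids are placeholders, not real Okta group ids.
MAPPINGS = [
    {"source": "External Product Access Group", "target": "CompanyB",
     "target_id": "00g_PLACEHOLDER_B"},
    {"source": "Product Users", "target": "CompanyC",
     "target_id": "00g_PLACEHOLDER_C"},
]


def validate(mappings):
    """Reject mappings that are ambiguous or unsafe to embed in an expression."""
    seen = {}
    for m in mappings:
        src = m["source"]
        # The name ends up inside a quoted expression string, so refuse
        # empty names and characters that could change the expression.
        if not src.strip() or any(c in src for c in '"\\\n\r'):
            raise ValueError(f"unsafe source group name: {src!r}")
        # Matching is by name only, so the same customer-side name must never
        # point at two different internal groups (compared case-insensitively
        # as a conservative choice).
        key = src.casefold()
        if key in seen and seen[key] != m["target"]:
            raise ValueError(
                f"{src!r} maps to both {seen[key]!r} and {m['target']!r}")
        seen[key] = m["target"]


def build_rule(m):
    """Build the JSON body of one group rule for a validated mapping."""
    return {
        "type": "group_rule",
        "name": f"{m['source']} -> {m['target']}",
        "conditions": {"expression": {
            "type": "urn:okta:expression:1.0",
            "value": f'isMemberOfGroupName("{m["source"]}")',
        }},
        "actions": {"assignUserToGroups": {"groupIds": [m["target_id"]]}},
    }


def build_rules(mappings):
    validate(mappings)
    return [build_rule(m) for m in mappings]


if __name__ == "__main__":
    print(json.dumps(build_rules(MAPPINGS), indent=2))
```

Because the rule condition matches on a group name, two customers pushing the same name would both satisfy it; the duplicate check above catches that in the mapping table, and prefixing or otherwise scoping pushed group names per identity provider avoids it at the source.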