Okta Classic Engine · Single Sign-On · Answered (posted 2023-03-27, last updated 2023-03-28)
Local attribute passing in the SAML statements

I have created an application-level (Local app) string array attribute. I assigned the application to the groups by selecting values from the string array and then added the below statement to the attribute statement.

isMemberOfGroup("00gg56wpf3Vxr6Ujd5d6") ? appuser.Administrator : Null && isMemberOfGroup("00g7noy7r6STyxkMp5d5") ? appuser.Analytics_User1 : Null && isMemberOfGroup("00g3wcerxmMG9sJBL5d7") ? appuser.Back_Office_User : Null

I am getting the values from the first group in the assertion but not from the second and third groups. I have tried different ways but no luck. Am I missing something in the statement?

Thank you for the help


  • Mihai N. (Okta, Inc.)

    Hi @User16019742705515795150 (Customer), thank you for reaching out to the Okta Community!

    I'm not sure I understand what you are trying to achieve.

    Looking at the syntax provided, I can see that the information is conflicting, as it translates to the following:

    IF user is member of GroupA THEN add value for appuser.Administrator OTHERWISE null
    AND
    IF user is member of GroupB THEN add value for appuser.Analytics_User1 OTHERWISE null
    AND
    IF user is member of GroupC THEN add value for appuser.Back_Office_User OTHERWISE null

    Assuming you want to do some sort of role assignment based on the user's membership of a particular group, the syntax would look something like this:

    isMemberOfGroup("00gg56wpf3Vxr6Ujd5d6") ? appuser.Administrator : isMemberOfGroup("00g7noy7r6STyxkMp5d5") ? appuser.Analytics_User1 : isMemberOfGroup("00g3wcerxmMG9sJBL5d7") ? appuser.Back_Office_User : Null

    Which translates to:

    IF user is member of GroupA THEN add value for appuser.Administrator OTHERWISE
    IF user is member of GroupB THEN add value for appuser.Analytics_User1 OTHERWISE
    IF user is member of GroupC THEN add value for appuser.Back_Office_User OTHERWISE null

    ⚠️ That being said, the title of this question references passing this attribute value in the SAML assertion, which implies that the flow would be from Okta to the downstream app.

    In this case you cannot use "appuser", as the values have to be pulled from something in the Okta user profile, not the app profile.

    You need to create the custom attribute for the Okta profile and populate it with the expected values:

    https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm

    Then you can use the syntax I've provided above, but just substitute "appuser.Administrator" with "user.Administrator" and so on.

    ⚠️ If, for example, the values are static for each role, or you don't need the attribute values in the Okta profile for anything else, you can just skip the custom attribute creation and just pass the desired string values.

    Example:

    isMemberOfGroup("00gg56wpf3Vxr6Ujd5d6") ? "Administrator" : isMemberOfGroup("00g7noy7r6STyxkMp5d5") ? "Analytics_User1" : isMemberOfGroup("00g3wcerxmMG9sJBL5d7") ? "Back_Office_User" : Null

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

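The nested conditional in the answer above is a first-match chain: the value emitted into the SAML attribute is the one for the first listed group the user belongs to, and a user in none of the groups gets Null. The following is an added Python model of that evaluation order; it is not Okta's expression evaluator and not part of the thread. The group IDs are the ones from the thread; the user memberships (alice, bob, carol, dave) are constructed sample data, and the attribute name "role" is an assumption.

```python
# Added example: a Python model of the first-match group-to-role chain described
# in the answer (isMemberOfGroup(A) ? vA : isMemberOfGroup(B) ? vB : ... : Null).
# It is NOT Okta's expression evaluator. Group IDs come from the thread; the
# user memberships below are constructed for this example.

from typing import Dict, Iterable, List, Optional, Tuple

# Ordered (group_id, value) pairs, in the order they appear in the corrected
# expression. Order is precedence: the first group the user belongs to wins,
# so the most privileged role should be listed first if it must take priority.
ROLE_CHAIN: List[Tuple[str, str]] = [
    ("00gg56wpf3Vxr6Ujd5d6", "Administrator"),
    ("00g7noy7r6STyxkMp5d5", "Analytics_User1"),
    ("00g3wcerxmMG9sJBL5d7", "Back_Office_User"),
]


def resolve_role(user_groups: Iterable[str],
                 chain: List[Tuple[str, str]] = ROLE_CHAIN) -> Optional[str]:
    """Return the value for the first group in `chain` that the user is a
    member of, or None when no group matches (the trailing Null branch)."""
    memberships = set(user_groups)
    for group_id, value in chain:
        if group_id in memberships:
            return value
    return None


def attribute_statement(attr_name: str, user_groups: Iterable[str],
                        chain: List[Tuple[str, str]] = ROLE_CHAIN) -> Dict[str, str]:
    """Build the attribute-statement entries for one user.

    A Null result is modelled as the attribute being absent, not present with
    an empty string, so the downstream app cannot confuse "no role" with a role.
    """
    value = resolve_role(user_groups, chain)
    return {} if value is None else {attr_name: value}


# Constructed sample users; memberships are made up for this example.
SAMPLE_USERS: Dict[str, List[str]] = {
    "alice": ["00gg56wpf3Vxr6Ujd5d6", "00g7noy7r6STyxkMp5d5"],  # admin + analytics
    "bob":   ["00g3wcerxmMG9sJBL5d7"],                          # back office only
    "carol": ["00g3wcerxmMG9sJBL5d7", "00g7noy7r6STyxkMp5d5"],  # back office + analytics
    "dave":  [],                                                # no mapped group
}

if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        # alice -> Administrator, bob -> Back_Office_User,
        # carol -> Analytics_User1 (listed before Back_Office_User), dave -> {}
        print(name, attribute_statement("role", groups))
```

The carol case is the one worth checking in a real tenant: she is in two mapped groups, and the chain order alone decides which role reaches the app, so the order of the conditions is effectively the precedence policy.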
This question is closed.