
SuhasM.81827 (Customer) asked a question.
How to pass a role attribute to a SAML or OIDC app, based on the role the user has assumed within the app:
Use case: Once the user is logged into the application (e.g. ABC portal), the user can have multiple roles and has the ability to switch roles such as member, employer, admin, etc., depending on the Okta groups the user is part of.
Now users want to SSO to another app and want to pass the current role that the user has assumed.
Example:
- The user logged into the app (e.g. ABC portal) as a member and clicks on the SAML/OIDC app; Okta then needs to pass the role attribute as member.
- The user now switches role to employer and clicks on the SAML/OIDC app; Okta then needs to pass the role attribute as employer.
Quick questions:
- What are the possible options to solve this use case?
- Can the app (e.g. ABC portal) pass a role attribute as a query parameter to Okta, so that during attribute fulfillment within Okta, using the Expression Language, we verify whether the user is part of a particular group and allow that role to be sent?

Hello @SuhasM.81827 (Customer), thank you for reaching out to our Community!
Depending on the application configuration, this can be done with attributes or with group membership.
However, it depends on the application how it treats the roles during authentication. Please see the docs below, which should provide more details on the setup:
https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US
https://support.okta.com/help/s/article/How-to-pass-a-user-s-group-membership-in-a-SAML-Assertion-from-Okta?language=en_US
https://support.okta.com/help/s/article/How-To-Add-Custom-Profile-Attributes-As-Claims-In-a-ID-Token-or-userinfo?language=en_US
https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/
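The security-relevant point in the answer above is that the role asserted to the downstream app should be derived from (or at least checked against) the user's group membership, not taken on trust from whatever the calling portal requests. The following is an added example, not code from Okta or from the asker's portal: it models, in plain Python, the decision an attribute statement or OIDC claim expression should make. The role names, the group names and the ROLE_TO_GROUP mapping are assumptions chosen for illustration; the SAML fragment it emits is a standard `<saml:AttributeStatement>` shape, and the equivalent in Okta Expression Language would use the group-membership functions (e.g. `isMemberOfGroupName`) described in the linked docs.

```python
"""Role-claim derivation for the "switch role, then SSO" scenario.

Added example (not Okta's code, not the ABC portal's code).  Assumed
names: ROLE_TO_GROUP, the role strings and the group strings below.
The model: the role the portal *requests* is untrusted input; it is
only asserted if the user's group membership entitles them to it,
otherwise a safe default (or nothing) is asserted instead.
"""
import xml.etree.ElementTree as ET

# Assumed mapping: application role -> Okta group that entitles it.
ROLE_TO_GROUP = {
    "member": "Portal-Members",
    "employer": "Portal-Employers",
    "admin": "Portal-Admins",
}

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def allowed_roles(groups):
    """Roles the user may assume, derived purely from group membership."""
    return [role for role, grp in ROLE_TO_GROUP.items() if grp in groups]


def resolve_role(requested_role, groups, default="member"):
    """Decide which role to assert.

    requested_role: what the calling app says the user switched to (untrusted).
    groups:         the user's directory groups (trusted, from the IdP).
    Returns the requested role if entitled, else the default if entitled,
    else None (no role claim should be emitted at all).
    """
    permitted = allowed_roles(groups)
    if requested_role in permitted:
        return requested_role
    if default in permitted:
        return default
    return None


def saml_role_attribute(role, attr_name="role"):
    """Render the role as a SAML 2.0 AttributeStatement fragment."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt, f"{{{SAML_NS}}}Attribute", Name=attr_name,
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    )
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = role
    return ET.tostring(stmt, encoding="unicode")


def oidc_role_claim(role, claim_name="role"):
    """Render the role as the custom claim that would go in the ID token."""
    return {claim_name: role}


if __name__ == "__main__":
    # Constructed sample: a user in two groups who switched to "employer"
    # in the portal, then a second request that tries to claim "admin".
    groups = ["Portal-Members", "Portal-Employers"]
    print(saml_role_attribute(resolve_role("employer", groups)))
    print(oidc_role_claim(resolve_role("admin", groups)))  # downgraded to member
```

Note what the example does not do: it never lets the requested role bypass the group check, so a tampered parameter from the portal can at most select among roles the user already holds. If the portal and Okta must stay in sync on which role is "current", the portal's own session is the place to store that choice; the IdP-side expression should still re-check the group.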