jk86m (jk86m) asked a question.
Pre-defined User attributes based on Group membership?
Hi,
I have a SAML connection setup for an application that requires a specific User attribute that matches up to the user's Office on their end. For example, the "OfficeId" for Office A is X, and the OfficeId for Office B is Y.
Each user is in a group based on their office, and the app requires that I send a User attribute called "OfficeId" that matches up to what the application has stored.
The manual/long way to do this is to add a custom User attribute called "OfficeId", input the required value, and then send it as an attribute as "user.OfficeId"
Is there a way to set that User attribute based on Group membership so that I can pass it in the assertions?
I received an amazing response from support that answers this question, so I'm placing here in case anyone else ever searches for an answer.
This can be accomplished by adding an additional Attribute in the SAML Assertion. You will need to set the name requested by the SP and for the value you can enter the following expression:
The GroupID can be found in the URL when viewing the Group in question in your Okta Admin Console and the Value is the value you need to send in the SAML Assertion if the user is part of that group. If you need more than 2 groups you simply add more "isMemberOfGroup("GroupID") ? "Value"" in the expression.
Example: isMemberOfGroup("GroupID") ? "Value" : isMemberOfGroup("GroupID") ? "Value" : isMemberOfGroup("GroupID") ? "Value" : isMemberOfGroup("GroupID") ? "Value" : null, this will evaluate 4 groups.
Attaching a screenshot for reference.