
PaulF.95083 (Customer) asked a question.
Hello all.
Quite simply, because my application requires a single line, separated by commas, for group membership, in the SAML assertion, such as:
<saml:Attribute FriendlyName="groups/tags" Name="groups">
<saml:AttributeValue>tag1, tag2, tag3, etc</saml:AttributeValue>
</saml:Attribute>
This is without knowing the underlying group names
String.join(",", ismemberOfgroupName(*))
String.join(",")
String.join(",", isMemberOfGroupName("Everyone") ? 'Everyone' : '', isMemberOfGroupName("SMUserAuth") ? 'SMUserAuth' : '')
String.join(",", isMemberOfGroupName("Everyone") ? 'Everyone' : '', isMemberOfGroupName("SMUserAuth") ? 'Group' : '')
None of the above works
name: groups / name format: basic / filter: matches regex .* DOES bring back the groups, but as different keys:
<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SomeOtherGroup</saml2:AttributeValue>
</saml2:Attribute>
So, what expression do I need to plug into the filter to combine the group names into a comma separated string
Thanks in advance

I would consider managing a custom attribute via workflows, and then appending that custom attribute to your SAML configuration. Having a couple of workflows triggered off group events that manage the attribute when users are added/removed may be the easiest route here.
@NiallM.34104 (Atlas Identity)
Firstly, don't, for one second, think that I haven't considered your answer fully. I appreciate the suggestion immensely, given how long I've spent on this so far!
However, having looked at this again today with fresh eyes (and gotten a full night's sleep), I actually believe that there's a much easier solution
This is based off the assumption that in the groups attribute statement, that if I use .* as the REGEX, it brings back an array of groups
If that is so, then, quite simply, according to https://developer.okta.com/docs/reference/okta-expression-language/#string-functions, namely Arrays.toCsvString(array), I should be able to use:
Arrays.toCsvString(.*)
Even if I use the cited example of:
Arrays.toCsvString({"This", "is", " a ", "test"})
It still refuses to bring back anything in the Preview
I'll spend another day on this, then probably, and sadly, admit defeat and go down the more complex (well, more complex than a simple REGEX statement) workflow route...
Whatever works, Paul 🙂 My approach is just a suggested approach. I'm not in any way precious if it's not your preferred route. Let me spend 15 mins in a prod tenant to check out your suggestion. I *hate* regex mostly because I flat out don't understand it and never took the time to dig into it.
This link shows your approach should be doable. It's a slightly different use case, but takes the same approach of returning the Array based on the Group filter, and then converting to a comma sep string. So it looks like it should work, and if it doesn't I'd raise a ticket.
https://support.okta.com/help/s/article/How-to-Write-a-Groups-Claim-Expression-that-Will-Match-Against-Two-Differently-Named-Groups?language=en_US
If I get time I'll have a play around with that as well and confirm results
Firstly, raised a ticket two days ago and answered yesterday with two articles suggested I look at the regex document.
Had a look at your suggested document. Didn't work, so I started to deconstruct.
Even the most simplistic of tests, using
Groups.startsWith("OKTA","SM",100)
Where SM is the group prefix, doesn't work
(just in case I've wildly misunderstood where I should be doing this)
Ah. OK. I'm winging it here because I've never had to achieve the same result, but I would be adding it in the standard attributes section and calling the attribute 'groups/tags' which was in your first post. The groups selection only allows the fixed dropdowns so IMO you can't apply expression language in there. See screenshot below. Especially because it appears you want the claim to have a custom name.
I know getFilteredGroups doesn't work for you because you don't know the groups ahead of time but I grabbed it as it does return a comma separated list of group names which is what you want and sticks it in a claim called groups.
If it wasn't clear from the above, the matches regex expects just a regex. Not EL with a regex in it.
Understood. I really appreciate the effort that you've put into this. Thanks @NiallM.34104 (Atlas Identity) !
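Added example, not part of the thread and not Okta's code: when the IdP only emits the multi-valued `groups` attribute shown in the question, the receiving side can collapse it into the single comma-separated value the application expects. It assumes the assertion's signature has already been validated upstream; the function name `groups_to_csv` and the rule of rejecting group names that contain the separator (a name such as `Ops,Admins` would otherwise read as two memberships) are choices made for this example.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS = 'xmlns:xs="http://www.w3.org/2001/XMLSchema"'
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'

# Constructed sample: the multi-valued attribute from the question, wrapped in
# an AttributeStatement so the fragment is well-formed on its own.
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="groups"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue {XS} {XSI} xsi:type="xs:string">Everyone</saml2:AttributeValue>
    <saml2:AttributeValue {XS} {XSI} xsi:type="xs:string">SomeOtherGroup</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def groups_to_csv(xml_text, attr_name="groups", sep=","):
    """Join every AttributeValue of the named attribute into one string.

    Input is assumed to come from an assertion whose signature was already
    verified; this function does no trust checks of its own.
    """
    root = ET.fromstring(xml_text)
    names = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            name = (value.text or "").strip()
            if not name:
                continue  # skip empty values instead of emitting ",,"
            if sep in name:
                # Joining would make one group look like several memberships.
                raise ValueError(f"group name contains separator: {name!r}")
            if name not in names:  # de-duplicate, keep first-seen order
                names.append(name)
    return sep.join(names)


if __name__ == "__main__":
    print(groups_to_csv(SAMPLE))
```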