Okta Classic Engine · Single Sign-On · Answered 2023-10-18 (question posted 2023-08-18)
SAML Custom Claim that uses only Part of GROUP name

Hello,

I'm trying to make a SAML Custom Claim that will be used as a Display Name Tag for the app this allows access to for users.

I have figured this out on AZURE SAML, but for OKTA SAML I cannot find how to do the same task.

Basically, we have several AD Groups formatted as

BTRS: Group Name Tag

In the App, we have a Display Name field where we have set up the Claims as

{DName} - {Name}

So if we have the following users:

Sam Banton

Sara Underhill

Joe Harrington

And groups:

BTRS: Group 1

BTRS: Better Group 2

If Sam and Joe are in Group 1, and Sara is in Group 2,

the results for the In App display name should be:

Group 1 - Sam Banton

Group 1 - Joe Harrington

Group 2 - Sara Underhill

Right now, this works in AZURE as intended with a Regex Pattern and a separate Regex Replacement Pattern.

Regex Pattern: BTRS: (?<DName>.*)

Regex Replacement Pattern: {DName}

Is there a way to do an equivalent setup in OKTA SAML setup?

I've been going through the documentation on this along with reviewing forums; however, I am not finding an answer to this.

Any guidance would be of great help. =)


  • Mihai N. (Okta, Inc.)

    Hi @User16639620876595713400 (Customer), thank you for reaching out to the Okta Community!

    If I'm understanding your use case correctly, you are trying to pass a custom attribute value to a downstream app via SAML assertion based on the user's group membership.

    You might be able to achieve this with the Okta Expression Language using custom syntax.

    Using the examples you gave, you can set up something like this:

    isMemberOfGroupName("BTRS: Group 1") ? "Group 1 - " + user.firstName + " " + user.lastName : isMemberOfGroupName("BTRS: Better Group 2") ? "Group 2 - " + user.firstName + " " + user.lastName : null

    Explanation of how the syntax works:

    - evaluate the user's membership,
    IF they are a member of the group called "BTRS: Group 1"
    THEN (?)
    send value "Group 1 - " and append the user's first name, a space (" ") and the user's last name
    OTHERWISE (:)
    IF they are a member of the group called "BTRS: Better Group 2"
    THEN (?)
    send value "Group 2 - " and append the user's first name, a space (" ") and the user's last name
    OTHERWISE (:)
    send null value.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

    --------------------------------

    Okta Identity Engine (OIE) Ask Me Anything: Get answers from product experts by clicking here.

    Selected as Best
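As an added illustration (not code from the thread or from Okta), this Python models the two claim mappings discussed above: the Azure-style regex capture from the question and the Okta Expression Language ternary chain from the answer, and checks both against the question's roster before any IdP configuration is touched. The roster dictionary, the unrelated group "Everyone" and the user "Pat NoGroup" are constructed; note that the regex strips only the prefix, so "BTRS: Better Group 2" yields "Better Group 2" rather than the hand-coded "Group 2" tag, which the check reports as a mismatch.

```python
import re

# Constructed roster for this example: full name -> the user's group names.
# Mirrors the users and groups from the question; "Pat NoGroup" is added to
# show the no-match case, and "Everyone" is a constructed unrelated group.
USERS = {
    "Sam Banton": ["BTRS: Group 1", "Everyone"],
    "Sara Underhill": ["BTRS: Better Group 2"],
    "Joe Harrington": ["BTRS: Group 1"],
    "Pat NoGroup": ["Everyone"],
}

# Azure-style mapping: the question's regex with its named capture group.
GROUP_PATTERN = re.compile(r"^BTRS: (?P<DName>.*)$")

def display_name_regex(full_name, groups):
    """Regex transform: everything after the 'BTRS: ' prefix becomes {DName}.
    Returns None (claim omitted) when the user is in no matching group."""
    tags = [m.group("DName") for g in groups if (m := GROUP_PATTERN.match(g))]
    if not tags:
        return None
    # Two matching groups would make the claim value order-dependent;
    # fail loudly here so the membership problem is fixed, not masked.
    if len(tags) > 1:
        raise ValueError(f"{full_name}: ambiguous BTRS groups {tags}")
    return f"{tags[0]} - {full_name}"

# Okta-style mapping: the answer's ternary chain written as an ordered table.
# isMemberOfGroupName() returns only a boolean, so each tag is hard-coded.
OKTA_CHAIN = [("BTRS: Group 1", "Group 1"), ("BTRS: Better Group 2", "Group 2")]

def display_name_chain(full_name, groups):
    """Model of: isMemberOfGroupName(a) ? "x - " + name : isMemberOfGroupName(b) ? ... : null
    The first entry that matches wins, in the order the chain is written."""
    for group, tag in OKTA_CHAIN:
        if group in groups:
            return f"{tag} - {full_name}"
    return None

def check_roster(users):
    """Compute both claim values per user and flag any disagreement, so the
    mapping can be reviewed against the roster before it reaches the IdP."""
    results = {}
    for full_name, groups in users.items():
        via_regex = display_name_regex(full_name, groups)
        via_chain = display_name_chain(full_name, groups)
        results[full_name] = (via_regex, via_chain, via_regex == via_chain)
    return results
```

Running check_roster(USERS) shows the Sara Underhill row as a mismatch, which is exactly the discrepancy a reviewer would want to see before choosing between the two approaches.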
  • I'll test this, but my issue with this is that it becomes extremely burdensome if I have to type the fully qualified name of each and every group that we will be creating.

    We have about 15-20 groups to create, and this is not a good solution.

    Is there no way to emulate the very simplified Regex setup we have in Azure so that the Group Name sent over to the app is stripped of the Prefix?

    *Note, in your example, we already have the Full Name as its own Custom Claim, but good to know it can be included in the Display Name Claim we want to create.

    The only groups assigned to access for this SAML setup will be specific for this app, and all use the same Prefix (Note, there is 1 SPACE added after the COLON.)

    BTRS:
    • Mihai N. (Okta, Inc.)

      Understandable. Scaling is indeed an issue.

      I've been looking further into this and, as far as I've been able to confirm, there's no solution that's more scalable at this time.

      The "Group Attribute Statements (optional)" fields, where the use of regex is permitted, are limited to matching against patterns and do not allow for functions such as replace.

      The "Attribute Statements (optional)" fields allow the use of the String.replace function, but there is no function to pull the user's groups. The existing Group functions return just boolean (true/false) responses, so I could not get the groups to replace the strings in them.

      All this being said, we'll leave the question open for the Community, in case someone came up with a better solution for this use case.

      When you have the time, you might also consider suggesting a Feature Enhancement for this use case on the Okta Community page by going to the Community → Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and implemented.

      More details here.

      Regards
      • I've tested your original expression with 1 group (since that's all the Admin has set up for testing right now) and minus the Name expression (in order to save character space).

        And it does work as intended. 😎

        My only concern is the Scalability, but I've presented what works to the Admin right now for their feedback. We may go with this if this is the only option that works.

        isMemberOfGroupName("BTRS: group1") ? "group1" : null

        I'm interested in the Regex option though.

        I have this expression, and from what I understand, it's still a search for groups which seems to work as intended; however, I can't seem to get it to display the Captured info.

        Is this option not supported specifically, or do I have a syntax error?

        isMemberOfGroupNameRegex("BTRS: (?<DName>.*)") ? "{DName}" : null
      • Mihai N. (Okta, Inc.)

        Sorry for not being clear enough. Allow me to rephrase.

        The regex option in the Group Attribute Assertion fields is a filter and is only meant to find groups based on a more complex requirement if the basic ones ("Starts with", "Equals", "Contains") do not meet your requirement.
This question is closed.