Okta Classic Engine | Single Sign-On | Answered | 2023-08-18T18:19:13.000Z | 2023-08-21T19:52:18.000Z
How to concatenate group names a user is a member into user/app profile attribute

We are integrating Okta with AWS Identity Center and configuring user attributes for access control as outlined in: https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html*okta-step4

 

The design is to use group membership to map to a user attribute for including in the SAML assertion.

 

For example, we have the following groups for our different departments (Engineering, Sales, Marketing). A person can belong to one or more departments.

 

joe is a member of Engineering

pat is a member of Sales and Marketing

sam is a member of Engineering and Sales

 

In the SAML assertion

for joe: .../AccessControl:Department = Engineering

for pat: .../AccessControl:Department = Sales,Marketing

for sam: .../AccessControl:Department = Engineering,Sales

 

Is it possible to concatenate a list of groups from a defined set into a string for use in a SAML assertion? I was attempting a user attribute as an implementation, but it is not a required step.

 

String.join(getFilteredGroups({"Engineering", "Sales", "Marketing"}), ",")


  • @paul.stiniguta (Okta, Inc.)​ Unfortunately the blog example is for mapping Okta groups to PermissionsSets. We are already using that feature to determine what role (engineer or manager) people have access to.

     

    What we need is to map a person's department to a SAML attribute. Originally I was planning on using groups because it is easy to manage and report for audits.

     

    Do you know if one of these would be an option for an implementation or do you have another recommendation?

     

    Use Okta's anything as a source or workflow that uses Okta's groups as a source to update the user profile attribute?

     

    Create a user or application profile element that has a multi-value (checkbox) selection based on predefined (enum) values?

    When updating the person, zero or more checkboxes can be selected based on their current departments. I'm not sure how Okta would store the values, but we would need a concatenated list in the SAML attribute.

     

    Thanks, Mike
