
User16729502435924539819 (Customer) asked a question.
We are integrating Okta with AWS Identity Center, configuring user attributes for access control as outlined here: https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html#okta-step4
The design is to use group membership to map to a user attribute for including in the SAML assertion.
For example, we have the following groups for our different departments (Engineering, Sales, Marketing). A person can belong to one or more departments.
joe is a member of Engineering
pat is a member of Sales and Marketing
sam is a member of Engineering and Sales
In the SAML assertion:
for joe: .../AccessControl:Department = Engineering
for pat: .../AccessControl:Department = Sales,Marketing
for sam: .../AccessControl:Department = Engineering,Sales
Is it possible to concatenate a list of groups from a defined set into a string for use in the SAML assertion? I was attempting a user attribute as an implementation, but it is not a required step.
`String.join(getFilteredGroups({"Engineering", "Sales", "Marketing"}), ",")`

Hello @User16729502435924539819 (Customer), thank you for reaching out to our Community!
This should be achievable using Regex and that should look like this:
Matches regex: `.*Sales*.|.*Engineering*.|.*Marketing*.`
Hi @paul.stiniguta (Okta, Inc.), thank you for your time and answer. I tried something similar in the `Group Attribute Statements (optional)` section. From my understanding, this returns a multi-value collection (array) of groups in the SAML assertion.
Unfortunately, AWS Identity Center only supports a single value for the AccessControl element. The multi-value broke our integration.
Is there a way to join the list with a delimiter that is sent in the SAML assertion?
Hi @User16729502435924539819 (Customer), as far as I am aware that is not possible, but please see a similar question that might provide a solution on this.
Also, if you are using AWS Control Tower, you have the option to create a SCIM application that will add users to groups using Group Push; it is the 3rd step in the doc below:
https://aws.amazon.com/blogs/awsmarketplace/integrating-okta-with-aws-single-sign-on-in-aws-control-tower-environment/
@paul.stiniguta (Okta, Inc.) Unfortunately the blog example is for mapping Okta groups to Permission Sets. We are already using that feature to determine what role (engineer or manager) people have access to.
What we need is to map a person's department to a SAML attribute. Originally I was planning on using groups because it is easy to manage and report on for audits.
Do you know if one of these would be an option for an implementation or do you have another recommendation?
Use Okta's Anything-as-a-Source, or a Workflow that uses Okta's groups as a source, to update the user profile attribute?
Create a user or application profile element that has a multi-value (checkbox) selection based on predefined (enum) values?
When updating the person, zero or more checkboxes can be selected based on their current departments. I'm not sure how Okta would store the values, but we would need a concatenated list in the SAML attribute.
Thanks, Mike
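As an added illustration (not code from this thread, from Okta, or from AWS), the Python below models what the original question asks for: filter a user's groups down to the department set, join them into the single comma-separated value that AWS Identity Center accepts, and contrast that with the multi-valued attribute shape a group attribute statement produces. The full AWS attribute Name and the sample users are assumptions constructed for the example; the thread only shows the abbreviated `.../AccessControl:Department`.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed full attribute Name for the ABAC tag key "Department" (the thread abbreviates it).
ATTR_NAME = "https://aws.amazon.com/SAML/Attributes/AccessControl:Department"
# The department groups named in the question; the tuple order fixes the output order.
DEPARTMENTS = ("Engineering", "Sales", "Marketing")

# Constructed sample memberships, including non-department groups that must be filtered out.
SAMPLE_USERS = {
    "joe": ["Everyone", "Engineering"],
    "pat": ["Marketing", "Sales", "Everyone"],
    "sam": ["Engineering", "AWS-Engineer-Role", "Sales"],
}


def filtered_groups(user_groups, allowed=DEPARTMENTS):
    """Model of the question's getFilteredGroups(): keep only allowed names, in allowed order."""
    present = set(user_groups)
    return [g for g in allowed if g in present]


def department_value(user_groups):
    """Single comma-joined value, the shape AWS Identity Center accepts ("" if no department)."""
    return ",".join(filtered_groups(user_groups))


def attribute_statement(user_groups, single_value=True):
    """Build a <saml:AttributeStatement>. single_value=False emits one AttributeValue per
    group, which is what a group attribute statement produces and what broke the integration."""
    ET.register_namespace("saml", SAML2_NS)
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    values = [department_value(user_groups)] if single_value else filtered_groups(user_groups)
    values = [v for v in values if v]  # a user with no department gets no attribute at all
    if values:
        attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute", Name=ATTR_NAME)
        for v in values:
            ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def attribute_value_count(xml_text):
    """The check the relying party effectively makes: how many values does the attribute carry?"""
    root = ET.fromstring(xml_text)
    return len(root.findall(f".//{{{SAML2_NS}}}AttributeValue"))


if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(f"{user}: {department_value(groups)!r}")
        print("  single-value :", attribute_statement(groups))
        print("  multi-value  :", attribute_statement(groups, single_value=False))
```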