Passing SAML custom attributes from Incoming assertion to outgoing assertion

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z00009ebRHvCAMOkta Classic EngineSingle Sign-OnAnswered2023-10-18T15:34:48.000Z2023-09-11T19:19:16.000Z2023-10-18T15:34:48.000Z

BillS.23320 (Customer) asked a question.

September 11, 2023 at 7:19 PM

Passing SAML custom attributes from Incoming assertion to outgoing assertion

We are in the process of replacing our home grown SAML processor with Okta. It currently is only IDP initiated flow. What we plan to do is have the SAML assertion from the client go to Okta. It is then redirected to an Okta SAML Application which will redirect to our site. We have that part figured out.

The client had the ability to send some bits of data using custom SAML attributes. Is there a way to forward those attributes from the incoming SAML assertion into Okta to the outgoing assertion from Okta to our app?

Thank you.

Single Sign-On

Top Rated Answers

paul.stiniguta1.508386743840768E12 (Okta, Inc.)
3 years ago
Hello @BillS.23320 (Customer) Thank you for reacting out to our Community!

This should be possible, but the IDP setup needs to done as a Profile master and the attributes need to be mapped from the IDP into the user profile, then you can add additional attributes to the SAML application to be passed along.
Please see our docs below:
https://support.okta.com/help/s/article/Mappings-for-IdP-to-Okta-do-not-Have-Option-for-Create-and-Update?language=en_US
https://help.okta.com/en-us/content/topics/security/idp-config-ud-mappings.htm
https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US

Community members help others by clicking Like or Select as Best on responses. Try it today.
Follow us at OktaSupport
Expand Post
Selected as Best

All Answers

paul.stiniguta1.508386743840768E12 (Okta, Inc.)
3 years ago
Hello @BillS.23320 (Customer) Thank you for reacting out to our Community!

This should be possible, but the IDP setup needs to done as a Profile master and the attributes need to be mapped from the IDP into the user profile, then you can add additional attributes to the SAML application to be passed along.
Please see our docs below:
https://support.okta.com/help/s/article/Mappings-for-IdP-to-Okta-do-not-Have-Option-for-Create-and-Update?language=en_US
https://help.okta.com/en-us/content/topics/security/idp-config-ud-mappings.htm
https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US

Community members help others by clicking Like or Select as Best on responses. Try it today.
Follow us at OktaSupport
Expand Post
Selected as Best
- BillS.23320 (Customer)
  3 years ago
  Thank you for getting back to me. Follow up to this. Sometimes this custom attribute is included and sometimes it isn't. When the custom attribute is not included on the SAML Assertion to Okta, I need the value that was set in the user from the last time it had a value to be cleared. Is there a way to do that? So far, if I don't include the custom attribute, the value in the user profile is still set from the last time it was set.
  Expand Post
  - BillS.23320 (Customer)
    3 years ago
    I submitted a ticket for my follow up question. Okta has a feature flag that they can enable internally to do this.
    Expand Post

This question is closed.

Recommended content

Forum

Copying SAML attributes from request to assertion

Forum

Unable to validate incoming SAML Assertion

Forum

failure : Unable to validate incoming SAML Assertion

Forum

Forwarding custom attributes to SAML response

Loading

Passing SAML custom attributes from Incoming assertion to outgoing assertion