<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AFr94tCQBOkta Classic EngineSingle Sign-OnAnswered2024-09-27T14:38:52.000Z2024-09-24T13:35:30.000Z2024-09-27T14:38:52.000Z

FlorijnB.50107 (Customer) asked a question.

September 24, 2024 at 1:35 PM
Use Groups claim expression to map group names

Hi,

 

I was wondering if it is possible to use the Groups claim expression (Sign on -> OpenId Connect ID Token -> use "Expression" as Groups claim type) to map the names of groups that the user is member of.

 

Example:

If a user is a member of group "A", the token should include claims "abc" and "xyz" in the groups claim, and if he is a member of group "B" as well, claim "def" should also be added to the groups claim.

 

What I tried:

I have tried this with using ternary expressions, but no claim value was passed through. Is it possible to use ternary expressions in the Groups claim expression?

 

So far I tried Groups.contains("appId", "B", 100) ? "abc" : "def", and other group functions described at Okta Expression Language overview guide | Okta Developer. I also tried combining this with Arrays methods as shown at https://support.okta.com/help/s/article/How-to-Write-a-Groups-Claim-Expression-that-Will-Match-Against-Two-Differently-Named-Groups?language=en_US. However, in all cases no claim value was passed through.

  • 2 answers
  • 483 views

  • FlorijnB.50107 (Customer)

    Thank you very much for your answer, @Mihai Negoita - Okta (Okta, Inc.)​! This helped me to set up the mapping I wanted.

     

    My final mapping is:

    Arrays.flatten(

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","B",100))) ? {} : {"def"}, 

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","A",100))) ? {} : {"abc", "xyz"}

    )

    Expand Post
    Selected as Best

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @FlorijnB.50107 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    You will need to make sure you are referencing the proper app for your use case. 

    For example in my environment I have multiple Salesforce apps, so I will need to check the variable name for the specific app instance I want to use. You can get the info by going to the Okta Admin Dashboard → Directory → Profile Editor. 

    Pasted 

    So based on this, the expression would look like 

     

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("salesforce_37fug09","GroupA",100))) ?

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("salesforce_37fug09","GroupB",100))) ? {} : Groups.startsWith("salesforce_37fug09","GroupB",100) :

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("salesforce_37fug09","GroupB",100))) ? Groups.startsWith("salesforce_37fug09","GroupA",100) :

    Arrays.flatten(Groups.startsWith("salesforce_37fug09","GroupB",100),Groups.startsWith("salesforce_37fug09","GroupA",100))

     

     

     

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post

  • FlorijnB.50107 (Customer)

    Thank you very much for your answer, @Mihai Negoita - Okta (Okta, Inc.)​! This helped me to set up the mapping I wanted.

     

    My final mapping is:

    Arrays.flatten(

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","B",100))) ? {} : {"def"}, 

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","A",100))) ? {} : {"abc", "xyz"}

    )

    Expand Post
    Selected as Best
This question is closed.
Loading
Use Groups claim expression to map group names