vfaxl (vfaxl) asked a question.
Include group profile attributes in SAML/OIDC claims/assertions
In Okta you can create custom attributes for group profiles. However, if someone is a member of a group with such an attribute, these are not included in claims when they authenticate with okta. There also does not seem to be anyway to refer to these attributes using Okta expression language. The only workarounds I can seem to find are:
- Inline hook: Use a hook to modify assertion/tokens with the group attributes.
- Group rules. Use group rules as a pseudo group attribute. Instead of setting a group attribute, create a rule to add members of that group to another group that represents that attribute. For example, instead of adding an attribute "Y: true" to a group X; create a group rule that makes everyone in X also a member of a new group Y. However, there is a limit of 2000 group rules per Okta org which greatly limits this approach.
Is there no easier way to achieve this?
Hello @vfaxl (vfaxl) Thank you for posting on our Community page!
Please see below a few doc around this topic:
https://support.okta.com/help/s/article/usage-of-group-type-attributes-for-assignments?language=en_US
https://help.okta.com/en-us/content/topics/apps/define-group-attribute-statements.htm
There is limited documentation around this topic, I would also recommend opening a case with Support for additional assistance with this matter.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
The new Okta Help Center YouTube channel is your go-to resource for tips, troubleshooting, and best practice videos. Subscribe today.