Need last 6 characters of a security group name as part df saml assertion in an attribute

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D5WR00001Q0w330ABOkta Classic EngineAuthenticationAnswered2026-03-31T17:40:58.000Z2026-03-11T07:48:44.000Z2026-03-31T17:40:58.000Z

RajeshD.00986 (Customer) asked a question.

March 11, 2026 at 7:48 AM

Need last 6 characters of a security group name as part df saml assertion in an attribute

Hi team , we have a requirement to send last 6 characters of the security group as part of saml authentication.

ex: wwwww-ddd-345678 , we need to extract and send only 345678 as part of saml assertion. It shoul dbe dynamic like wht group he belongs to and it should be trimmed to extract last 5 numbers as pert of group attribute in a saml assertion . Tried many regex expressions but nothing is working. please help.

Authentication

Top Rated Answers

Mihai N. (Okta, Inc.)
2 months ago
Hi @RajeshD.00986 (Customer) , Thank you for reaching out to the Okta Community!

I'm not seeing any Okta Expression Language function that would allow you to achieve this.
While the OEL allows for some "dynamic" use, the functions are still restricted to certain conditions.
Your group would have to adhere to some kind of strict naming convention, for example Group Name character length (i.e. all group names have 25 characters), or prefix/suffix (i.e. all group names start with "Group-SEC-*") and so on.
In those cases you could merge a series for functions to leverage string length or use subStringBefore/subStringAfter, or substring (String input, int startIndex, int endIndex - example: String.substring("This is a test", 2, 9) - where the result would be "is is a").

A good example of this is discussed here: https://support.okta.com/help/s/question/0D51Y000081mL8pSAE/okta-expression-language-to-pull-last-four-numbers-from-a-string?language=en_US

So if the value you expect is always going to be 6 characters, you could try to leverage that, but you also have to nest a group name value validation within that whole syntax.
Something like

String.substring((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null), String.len((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null))-6, String.len((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null)))

- and this is assuming you are only dealing with one group.

The only recommendation I have left is to perhaps submit a feature request for a new function implementation that would allow for your use case via Okta Ideas.

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

Hope my answer helps!

--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added
Expand Post
Selected as Best

All Answers

Mihai N. (Okta, Inc.)
2 months ago
Hi @RajeshD.00986 (Customer) , Thank you for reaching out to the Okta Community!

I'm not seeing any Okta Expression Language function that would allow you to achieve this.
While the OEL allows for some "dynamic" use, the functions are still restricted to certain conditions.
Your group would have to adhere to some kind of strict naming convention, for example Group Name character length (i.e. all group names have 25 characters), or prefix/suffix (i.e. all group names start with "Group-SEC-*") and so on.
In those cases you could merge a series for functions to leverage string length or use subStringBefore/subStringAfter, or substring (String input, int startIndex, int endIndex - example: String.substring("This is a test", 2, 9) - where the result would be "is is a").

A good example of this is discussed here: https://support.okta.com/help/s/question/0D51Y000081mL8pSAE/okta-expression-language-to-pull-last-four-numbers-from-a-string?language=en_US

So if the value you expect is always going to be 6 characters, you could try to leverage that, but you also have to nest a group name value validation within that whole syntax.
Something like

String.substring((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null), String.len((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null))-6, String.len((user.isMemberOf({'group.profile.name': 'wwwww-ddd-345678'}) ? user.getGroups({'group.profile.name': 'wwwww-ddd-345678'}):null)))

- and this is assuming you are only dealing with one group.

The only recommendation I have left is to perhaps submit a feature request for a new function implementation that would allow for your use case via Okta Ideas.

If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

Hope my answer helps!

--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added
Expand Post
Selected as Best

Recommended content

Forum

How can I pass attribute as part of saml request?

Forum

I used the SAML 2.0 template to build a new SAML app. The SP is telling me that I am missing required attributes from the assertion - First Name, Last Name and email. My understanding is that these are standard attributes. If not, how do I add?

Forum

SAML Custom Claim that uses only Part of GROUP name

Forum

How to pass the value of custom attribute in SAML assertion

Loading

Need last 6 characters of a security group name as part df saml assertion in an attribute