Login/Register
Getting list of groups user is associated with in Okta
Asked Answered
Solved saml-2.0oktaokta-api
T

1

11

I'm trying to integrate with Okta SSO by implementing SAML 2.0 in my website as Service Provider (SP) and Okta env. as my Identity Provider (IDP) I can't understand how to configure my IDP to return for each Auth request, the groups a user is in. How can it be done?

Also, Is it possible to have service account in my IDP that my backend can ask the IDP directly if a user is inside some specific group?

Teofilateosinte answered 9/3, 2016 at 13:43 Comment(0)
T
22

It is possible to add groups to the SAMLResponse by configuring the SP App in the Okta admin dashboard correctly. In order to do it for an existing app, Go to Admin panel and edit the SAML settings to include a Group attribute statements. For instance, If you want to expose all groups containing the word admin to your SP, add a field with a proper name (i.e groups) and specify a regex filter with value .*admin.*.

The SAMLResponse will contain the following node after configuring correctly:

<saml2p:Response 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    ......
    ......
    <saml2p:Status 
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        ......
        ......
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
        <saml2:AttributeStatement 
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute 
                Name="groups" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue 
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">admins_group_1
                </saml2:AttributeValue>
                <saml2:AttributeValue 
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">it_admins
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Note that groups will contain all groups containing the word admin, no matter if its an Okta group, AD group etc..

Teofilateosinte answered 4/5, 2016 at 4:45 Comment(2)
i must admit that i've struggled with this filter business. i didn't want to add a filter. i wanted all of the user's groups.Profitable
@buddy123, if i want to list all the groups the user belongs to, is it enough to write name groups and regex *? And also if i am using another provider like Cognito how can i transfer that over there?Ability

© 2022 - 2024 — McMap. All rights reserved.