I'm trying to integrate with Okta SSO by implementing SAML 2.0 in my website as Service Provider (SP) and Okta env. as my Identity Provider (IDP) I can't understand how to configure my IDP to return for each Auth request, the groups a user is in. How can it be done?
Also, Is it possible to have service account in my IDP that my backend can ask the IDP directly if a user is inside some specific group?
It is possible to add groups to the SAMLResponse by configuring the SP App in the Okta admin dashboard correctly. In order to do it for an existing app, Go to Admin panel and edit the SAML settings to include a
Group attribute statements
. For instance, If you want to expose all groups containing the wordadmin
to your SP, add a field with a proper name (i.e groups) and specify aregex
filter with value.*admin.*
.The SAMLResponse will contain the following node after configuring correctly:
Note that groups will contain all groups containing the word
admin
, no matter if its an Okta group, AD group etc..