AD user not showing any AD groups?

jganderson · March 13, 2018, 9:30pm

I am using Open ID Connect from ASP.Net. I have synced my Active Directory using the agent. I enabled delegation to AD. I have modified the Authorization Server to create a ‘groups’ scope and expose the groups claim with regex: .*

When I make my request to the API, the response type is “code id_token token” and the scopes are “openid profile email groups”.

When I log in as an AD user, the login is successful, but the only group in the response to the userInfoClient.GetAsync call is “Everyone”.

Am I missing something to be able to see what AD groups the user is a member of?
Thank you

jganderson · March 14, 2018, 9:24pm

No response to this? Is there more information that is needed? I am happy to provide anything needed. I am stuck on this and can’t find any good answers why I am not able to get the users Active Directory groups to appear in the list of claims. Please help.

tom · March 16, 2018, 4:39pm

Regex only works on Okta groups, there was a performance issue associated with ad groups and regex that we couldn’t support. I followed up with the team (hence the delay) and it is on the roadmap for them to get this behavior in.

In the meantime, we recommend this article for getting groups isolated for an application for performance reasons:
https://developer.okta.com/docs/how-to/creating-token-with-groups-claim

Let me know if you have any questions about this.

tperronin · June 5, 2018, 12:11pm

Hi I have some question regarding the groups claim.

I’ve added claims in my default authorization server for openidc applications like this :

groups_ad Groups.startsWith("active.directory", "DL", 10) groups id Always
groups_okta groups: regex .* groups id Always

The groups_okta is showing up in the token_id but not the groups_ad.

The groups are synced from AD with active directory integration.
I am not sure about the parameter app in the expression of the claim. Is active.directory the good value
https://developer.okta.com/docs/how-to/creating-token-with-groups-claim doesn’t really help.

Thanks

LittleColin · November 20, 2018, 1:40pm

For me, using active_directory instead of active.directory worked (i.e. underscore instead of dot).

I tried this after seeing some examples here that used underscore: https://developer.okta.com/reference/okta_expression_language/

system · January 13, 2024, 12:00am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
How to get AD groups using OIDC with "groups" scope and Regex ".*" groups filter OAuth/OIDC	6	7638	January 13, 2024
How to add AD groups to users id_token (working example) OAuth/OIDC	15	11189	May 11, 2018
Custom Auth Server Not Returning AD Groups In Token Questions oauth	4	1896	February 15, 2024
Can't make access token show groups claim Questions	4	3420	October 7, 2020
How to get AD groups in id_token? OAuth/OIDC	7	11507	November 26, 2018

AD user not showing any AD groups?

Related topics