Adding Active Directory Group Name Membership in ID Token


I think I found the correct AD attribute thanks to Stack Overflow; I just have a question about using Okta Expression Language now on this post: Custom Claim using AD attribute `memberOf`


Quick context: I'm using Okta's Active Directory Agent. Right now I'm using a non-developer Okta trial account with the API Access Management feature also enabled.

What I would like to do is add a custom claim to the ID token with a field containing all the Active Directory groups the user is a member of. I wrote a custom claim, but I am unsure which Active Directory attribute corresponds to the groups that a user is a member of. I tried searching for Active Directory documentation online, but couldn't find anything that has human-friendly descriptions for the attributes. (Stack Overflow)

After reading the short descriptions that Okta has on the menu where you choose which attributes you want to import from AD, "msSFUPosixMemberOf" seems like it's what I want. It returns an array.

I’ve written the custom claim like this.

But my ID Token doesn’t have a new claim containing any information.

I added a dummy custom claim ("newClaim") to the ID token to see if that functionality works. I also did a clean full import from AD, but my new claim still didn't show up.

So my questions are: is this the right AD attribute to get Active Directory groups? Also, did I write my statement using Okta's expression language correctly?
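One way to check what actually landed in the issued ID token, as an added example that is not part of the original post or of Okta's tooling: it decodes the token payload, reports whether the custom claim is present at all, and normalises AD `memberOf`-style distinguished names down to group CNs so the values are usable for an authorization decision. The claim name `adGroups`, the group DNs and the token itself are constructed placeholders; the token is unsigned and only suitable for offline inspection.

```python
import base64
import json
from typing import List, Optional

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    This is for troubleshooting which claims were issued; the issuer's signing
    key must still be verified before any claim is trusted for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def dn_to_cn(dn: str) -> str:
    """Return the CN of an AD distinguished name such as
    'CN=Okta Admins,OU=Groups,DC=example,DC=com'.
    Assumption: no escaped commas or multi-valued RDNs in the DN."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError(f"no CN in DN: {dn}")

def ad_groups_from_id_token(token: str, claim: str = "adGroups") -> Optional[List[str]]:
    """None means the claim was not issued at all (mapping/expression problem);
    otherwise the list of group names, DNs reduced to their CN."""
    claims = decode_jwt_payload(token)
    if claim not in claims:
        return None
    values = claims[claim]
    if isinstance(values, str):  # a single-valued attribute arrives as a string
        values = [values]
    return [dn_to_cn(v) if "=" in v else v for v in values]

def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED token for offline testing only.
    The signature segment is a placeholder, not a real Okta signature."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': 'constructed'})}.{b64(payload)}.placeholder"

if __name__ == "__main__":
    sample = make_sample_token({"sub": "00u-constructed", "adGroups": [
        "CN=Okta Admins,OU=Groups,DC=example,DC=com",
        "CN=VPN Users,OU=Groups,DC=example,DC=com"]})
    print(ad_groups_from_id_token(sample))
```

Paste a real ID token in place of the constructed one to see whether the claim is missing (returns `None`) or present but holding DNs rather than plain group names.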