Adding Active Directory Group Name Membership in ID Token

EDIT:

I think i found the correct AD attribute thanks to stackoverflow, I just have a question about using Okta Expression Language now on this post Custom Claim using AD attribute `memberOf`

Hi,

Quick context, I’m using an Okta’s Active Directory Agent. Right now I’m using a non-developer okta trial account with the API Access Management Feature also enabled.

What I would like to do is add a custom claim to the ID token with the field containing all the Active Directory Groups the user is a member of. I wrote a custom claim, but I am unsure which Active Directory Attribute corresponds with the Groups that a user is a member of. I tried searching for Active Directory documentation online, but couldn’t find anything that has human friendly descriptions for the attributes. (Stackoverflow https://stackoverflow.com/questions/51032887/which-active-directory-attributes-map-to-groups-the-user-is-a-member-of)

After reading the short descriptions that Okta has on the menu where you choose which attributes you want to import from AD, “msSFUPosixMemberOf” seems like it’s what I want. It returns an array.

I’ve written the custom claim like this.

But my ID Token doesn’t have a new claim containing any information.

I added a dummy custom claim (“newClaim”) to the ID token to see if that functionality works. I also did a clean full import from AD, but my new claim still didn’t show up.

So my questions are is this the right AD attribute to get Active Directory groups? Also did I write my statement using Okta’s expression language correctly?

Thanks!

resolved

2 Likes