Combine custom group attributes to one SAML attribute

Example groups to support below
Multiple groups have been created with custom attributes; one of these attributes is called Organization_Tree.
Group name = GroupOTA > Organization_Tree = \SP\BB\A
Group name = GroupOTB > Organization_Tree = \SP\BB\B
Group name = GroupOTC > Organization_Tree = \SP\BB\C

user1 is a member of GroupOTA, GroupOTB & GroupOTC

SAML Attributes
A custom attribute has been added to the directory profile, called Organization_Tree (Attribute Type = Custom, Data Type = String, Variable Name = Organization_Tree). This is one of the SAML attributes that needs to be provided during SAML authentication. This value must consist of multiple comma-separated values.

The goal would be that when the user authenticates, the custom attribute, Organization_Tree, from all groups user1 is a member of is combined into one comma-separated value. In the example above this will then result in: “\SP\BB\A,\SP\BB\B,\SP\BB\C”

In the application the user authenticates to, this would provide access to team A, B & C.

Profile Editor options
In the User Profile Mappings, which set the User Assignments, it’s not possible to address the custom attributes from a group. This means that only the following options are possible:

  1. Hardcode multiple if true/false statements:

String.join(",", isMemberOfGroupName("GroupOTA") ? '\SP\BB\A' : '', isMemberOfGroupName("GroupOTB") ? '\SP\BB\B' : '', isMemberOfGroupName("GroupOTC") ? '\SP\BB\C' : '')

  2. Name the groups with the value that would be set in the custom attribute and return that value in an array with getFilteredGroups:

Arrays.toCsvString(getFilteredGroups({"0011111116","0011111116","0011111116","0011111116","0011111116","0011111116"}, "", 9))

However, these two options rely on hard-coded mechanisms, require manual effort when a new group is added, and defeat the purpose of having custom group attributes to use as a SAML attribute.

Why isn’t it possible to address custom group attributes in the expression language? This would allow logic like so:

IF isMemberOfGroupNameStartsWith("GroupOT")
THEN for each group the account is a member of DO:
SAML.OrgTreeAttribute.Value = Group.Organization_Tree.Value & ","


  • SAML.OrgTreeAttribute.Value = Organization_Tree attribute of the SAML request
  • Group.Organization_Tree.Value = the value of the attribute “Organization_Tree” that exists on the Okta group
  • “,” is the separator. That can of course be any other value.

Or is it possible to retrieve the details from a group and address that as “group.customattribute” as with option 2?

Arrays.toCsvString(getFilteredGroups({"0011111116","0011111116","0011111116","0011111116","0011111116","0011111116"}, "group.Organization_Tree", 9))
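
The aggregation asked for above, carried out outside the expression language, as an added example that is not part of the original post and is not Okta's own code. The group records are constructed sample data; their shape (a profile dict holding name and Organization_Tree), the function name combine_org_tree and the GroupOT prefix filter are assumptions for illustration.

```python
SEPARATOR = ","

def combine_org_tree(groups, name_prefix="GroupOT", attr="Organization_Tree"):
    """Join the custom attribute of every matching group into one string.

    `groups` is the list of group records the user is a member of
    (assumed shape: {"profile": {"name": ..., "<attr>": ...}}).
    """
    values = set()
    for group in groups:
        profile = group.get("profile", {})
        if not profile.get("name", "").startswith(name_prefix):
            continue  # group does not follow the naming convention
        value = (profile.get(attr) or "").strip()
        if not value:
            continue  # matching group with the attribute unset or blank
        # A value that itself contains the separator would be split by the
        # service provider into extra entries, i.e. extra team access.
        # Refuse it instead of emitting an ambiguous assertion value.
        if SEPARATOR in value:
            raise ValueError(f"{profile['name']}: {attr} contains {SEPARATOR!r}")
        values.add(value)  # set membership removes duplicates
    # Sort so the emitted attribute is stable between logins.
    return SEPARATOR.join(sorted(values))

# Constructed sample data: user1's memberships from the post, plus edge cases.
SAMPLE_GROUPS = [
    {"profile": {"name": "GroupOTC", "Organization_Tree": r"\SP\BB\C"}},
    {"profile": {"name": "GroupOTA", "Organization_Tree": r"\SP\BB\A"}},
    {"profile": {"name": "GroupOTB", "Organization_Tree": r"\SP\BB\B"}},
    {"profile": {"name": "Everyone"}},                                   # not GroupOT*
    {"profile": {"name": "GroupOTD", "Organization_Tree": ""}},          # unset value
    {"profile": {"name": "GroupOTA2", "Organization_Tree": r"\SP\BB\A"}},  # duplicate
]

if __name__ == "__main__":
    print(combine_org_tree(SAMPLE_GROUPS))
```

The result would then be written to the user's Organization_Tree profile attribute, which the existing SAML attribute statement already reads.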