We recently added Okta SSO to one of our products, using the OIDC authentication standard. It’s a multi-tenant product, so each of our customers has its own Okta organization and controls which users can access the product through Okta’s dashboard, by assigning/unassigning people to/from our Okta OIDC OIN app.
Besides allowing our customers to define the people who can access our product, we would also like to allow our customers to determine what features those people should have access to within our product. Right now, they can do that on a page of our product, but they would like to control that from Okta’s dashboard as well, similar to how they define the people who have access to the product.
We first tried to do the above by leveraging the Okta groups. The idea was to read the groups the user was assigned to during the sign-in flow and determine the features the user has access to based on these Okta groups. However, we later found that Okta doesn’t give us access to the users’ groups during the OIDC sign-in flow unless that user is an organization administrator, which is not always the case.
Then we tried to add a new user profile attribute, read that attribute during the sign-in flow, and use that to determine the features the user has access to. But that also didn’t work, as we don’t have access to any custom profile claims during the OIDC sign-in flow. Only the default profile attributes are available (when the
profile scope is specified).
Does anyone have a recommendation on how we can manage permissions within our product from Okta’s dashboard somehow?