Example of adding AD groups to groups claim in access token

Does anyone have an example of adding AD groups membership to a groups claim in an access token?

It looks like the only way to do this is with getFilteredGroups.

Would it be something like this?

getFilteredGroups({"00gn335BVurvavwEEL0g3", "00gnfg5BVurvavAAEL0g3"}, "(group.objectClass[0] == 'okta:windows_security_principal') ? 'AD: ' + group.profile.windowsDomainQualifiedName : 'Okta: ' + group.name", 10)

I am assuming the whitelist is the list of groups that are valid for this app?

Yes, assuming the group IDs and group name expression you wrote evaluate properly, that is the pattern you would follow to get group claims into an access token.

There is more information at the following links:

https://developer.okta.com/docs/how-to/creating-token-with-groups-claim.html

https://developer.okta.com/reference/okta_expression_language/#getfilteredgroups-details

I have the basics working. Do I have to use Group IDs or can I use the name?

Next, I want to add this to the app profile.

I am doing the following:

POST https://tenant.okta.com/api/v1/apps/<App ID>
{
    "profile": {
        "groupwhitelist": [
            "<group ID>",
            "<group ID>"
        ]
    }
}

It returns

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oaeGAz0uNuMQiigDTQY-RgcAQ",
    "errorCauses": []
}

Are you posting the full object, or just the profile property?

Just the profile.

I have an existing app that I want to add the profile to.

You’ll have to post the full object. You can do a GET, then add the profile property to it, and POST it back.

Will it keep the same Client ID?

Yes. You can also do a PUT with

{
    "name": "<app_name>",
    "label": "<app_label>",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "profile": {
        "whitelist": [
          "fooo"
        ]
    }
}

Just include the existing values for “name”, “label”, “status”, and “signOnMode”.

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oaeTG5qSqqQTEquPtEjAIndlQ",
    "errorCauses": []
}

Is it a different endpoint? I am using https://tenant.okta.com/api/v1/apps

Here’s the full request:

curl -X PUT \
  https://<myOrg>.oktapreview.com/api/v1/apps/<appId> \
  -H 'accept: application/json' \
  -H 'authorization: SSWS <redacted>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "name": "oidc_client",
    "label": "Native OIDC app",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "profile": {
        "whitelist": [
          "fooo"
        ]
    }
}'
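The GET-then-PUT flow the answer above describes, written out as a small Python script. This is an added example, not code from the thread or from Okta: it fetches the app object from `/api/v1/apps/{appId}`, merges the new group IDs into the profile whitelist without dropping IDs that are already there (a PUT replaces the stored profile, so re-sending only the new IDs would silently shrink the whitelist), keeps the existing `name`, `label`, `status` and `signOnMode` values as the answer requires, and sends the result back with PUT rather than POST. The profile key name (`groupwhitelist`, the one the original poster used) must match whatever the groups-claim expression reads; the `SAMPLE_APP` object, app ID, group IDs and token value are constructed placeholders, and `update_group_whitelist` is the only function that touches the network.

```python
"""Add Okta group IDs to an app's profile whitelist via GET + PUT.

Added example for the thread above; not Okta's code. SAMPLE_APP and every
ID in it are constructed placeholders, not real tenant data.
"""
import json
import urllib.request

# Constructed stand-in for what GET /api/v1/apps/{appId} returns (trimmed).
SAMPLE_APP = {
    "id": "0oaEXAMPLEAPPID0000",
    "name": "oidc_client",
    "label": "Native OIDC app",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {"oauthClient": {"client_id": "0oaEXAMPLEAPPID0000"}},
    "profile": {"groupwhitelist": ["00gEXISTING00000001"]},
}

# The answer in the thread says these existing values must be sent with the PUT.
REQUIRED_FIELDS = ("name", "label", "status", "signOnMode")


def merge_whitelist(existing, new_ids):
    """Union of two ID lists, order preserved, duplicates dropped."""
    merged = []
    for gid in list(existing) + list(new_ids):
        if gid not in merged:
            merged.append(gid)
    return merged


def build_update_body(app, group_ids, key="groupwhitelist"):
    """Build the PUT body from a fetched app object.

    Keeps name/label/status/signOnMode and the whole existing profile, and
    merges group_ids into profile[key]. The input dict is left unmodified.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in app]
    if missing:
        raise KeyError(f"app object lacks required fields: {missing}")
    profile = dict(app.get("profile") or {})
    profile[key] = merge_whitelist(profile.get(key, []), group_ids)
    body = {f: app[f] for f in REQUIRED_FIELDS}
    body["profile"] = profile
    return body


def build_request(org_url, app_id, token, body=None, method="GET"):
    """urllib Request for /api/v1/apps/{appId} with the SSWS API-token header."""
    url = f"{org_url.rstrip('/')}/api/v1/apps/{app_id}"
    data = None if body is None else json.dumps(body).encode("utf-8")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {token}",
    }
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def update_group_whitelist(org_url, app_id, token, group_ids,
                           key="groupwhitelist", opener=urllib.request.urlopen):
    """GET the app, merge the IDs into its whitelist, PUT it back.

    Returns the app JSON Okta sends back. `opener` is injectable so the
    flow can be exercised without a live tenant.
    """
    with opener(build_request(org_url, app_id, token)) as resp:
        app = json.load(resp)
    body = build_update_body(app, group_ids, key)
    with opener(build_request(org_url, app_id, token, body, method="PUT")) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed sample: one new ID, one already present.
    demo = build_update_body(SAMPLE_APP, ["00gNEW0000000000002", "00gEXISTING00000001"])
    print(json.dumps(demo, indent=2))
```

Run it against a real org by calling `update_group_whitelist("https://<org>.okta.com", "<appId>", "<api token>", ["<group ID>", ...])`; the `opener` parameter exists so the same flow can be driven with a fake opener in tests. The merge step is the part worth keeping even if you script this some other way: because PUT replaces the stored profile, sending only the new IDs would drop the groups already whitelisted, which is easy to miss since the API returns 200 either way.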

I was missing the App ID.

Thanks for your help.

Is it possible to somehow add the AD groups from Azure AD, where I cannot use the Okta agent to import the groups?
