Create a group and assign the group to the APP (i.e.: “AppA-Group”)
Create a group rule that assigns an individual to the group based on a profile attribute (like: “hasAppA: True”)
To add a user to the app, now do:
Update user profile with “hasAppA: True” custom attribute
Even if you don’t like the custom attribute model of doing this, I highly recommend using group membership to drive application assignment vs. individual user assignments.
I’ve set up this exact approach and have a question regarding the custom attribute. It seems that the attribute has to be added to the general User profile and not the Application user profile.
Is there a way, either through self-registration using the hosted login, the custom login widget, a completely custom registration form or manually through the User APIs, to capture an Application user profile custom attribute and use it during account registration? The reason for this is to, as you mentioned, examine the value of this attribute, and by way of a group rule, add the registrant to a particular group based upon this value.
I ask because if I want to capture, for example Title, which may be an Enum of values such as ‘Project Manager’ and ‘Analyst’, I’d rather not add this attribute to the User profile as it’s specific to a single custom application…at least for now.
Once the user has been assigned to the application, you can use application.user_membership.add event type in an Event Hook to call a web server that can check the payload for the user’s ID and specific application and populate the user’s Okta profile through API.
Thanks for your reply. Essentially my goal is this…
I have a custom React web application with a .NET Core web API that I’m trying to set up groups/roles for that are specific to this particular web application, so that I can apply authorization to these application-level groups/roles. For example, I may have two organizational-level groups, Internal and External. But within my application, I’d like to have 3 more granular groups, let’s say ProjectManager and Analyst, and it’s these groups to which I’d like to apply authorization.
What I’d like to do is find out the best practice for applying authorization to application level groups (groups within the application) by using Okta.
To achieve this, my thinking was to create a custom attribute on the application user profile, let’s call it appGroup. This attribute would be an Enum with two items, ProjectManager and Analyst. During user registration, I would then capture the value selected by the user, and by using a GroupRule, place the user in the appropriate Group based on their choice. The issue I’ve found is that it doesn’t appear as though I can set a custom attribute on the application user profile, either through the API or self-registration.
Essentially, organizational-level groups are not helpful with authorization for this particular application. However, multiple other applications within our org would benefit from organizational-level groups. This, however, is a custom, public-facing web application.
I’ve been struggling with this for some time so any help would be greatly appreciated!
You can create a custom attribute inside the Okta user profile (Admin >> Directory/Users >> Profile Editor >> user (first option)), name it “app_x_groups” where x is the application name and have it as an enumerated value. This value can be completed during registration and added to the user’s Okta profile.
Once this attribute is filled, we can send it to the application user profile through a mapping from Directory/Users >> Profile Editor >> your OIDC app >> Mappings >> second tab (Okta to OIDC app). We’ll need to set up user.app_x_groups (or however it was named) on the left side.
Once the set up is complete, Okta will send the claim successfully to the application.
Thanks very much for this info! Using this approach, could I further extend this to implement a form of access policy/permissions that I could assign to each group (e.g. projects:read, projects:write, etc.)?
Ideally I’d like to be able to add the respective authorization to a .NET core middleware I’ve created.
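As an added example (not code from this thread or from Okta), here is one way to wire the mapped “app_x_groups” claim into ASP.NET Core policy-based authorization: the handler derives permissions such as projects:read and projects:write purely from the application-level group the user is in. The claim name, group names and permission strings are assumptions taken from the discussion above.

```csharp
// Added example: ASP.NET Core authorization handler mapping the Okta claim
// "app_x_groups" (assumed to carry ProjectManager / Analyst) to permissions.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement: the caller must hold one specific permission string.
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public PermissionRequirement(string permission) => Permission = permission;
}

// Group membership is the only input, so moving a user between Okta groups
// (e.g. via the group rule) changes access without any code change here.
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    // Assumed to match the Okta -> OIDC app attribute mapping described above.
    public const string GroupClaim = "app_x_groups";

    // Group -> permissions table (constructed for this example).
    private static readonly IReadOnlyDictionary<string, string[]> GroupPermissions =
        new Dictionary<string, string[]>
        {
            ["ProjectManager"] = new[] { "projects:read", "projects:write" },
            ["Analyst"]        = new[] { "projects:read" },
        };

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // Derive permissions server-side from the group claim only; never trust a
        // raw "permissions" claim that the client could try to supply itself.
        bool granted = context.User.FindAll(GroupClaim)
            .Select(c => c.Value)
            .Where(GroupPermissions.ContainsKey)
            .SelectMany(g => GroupPermissions[g])
            .Contains(requirement.Permission);
        if (granted) context.Succeed(requirement);
        // Deny by default: an unmet requirement simply stays unmet.
        return Task.CompletedTask;
    }
}

// Registration in Program.cs (minimal hosting), then [Authorize(Policy = "projects:write")]:
// builder.Services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
// builder.Services.AddAuthorization(o =>
// {
//     o.AddPolicy("projects:read",  p => p.AddRequirements(new PermissionRequirement("projects:read")));
//     o.AddPolicy("projects:write", p => p.AddRequirements(new PermissionRequirement("projects:write")));
// });
```

Because the handler reads the claim from the validated token, the middleware only trusts group values that Okta placed there through the profile mapping, not values submitted by the caller.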