How to add AD groups to users id_token (working example)


#1

Hi Everyone

I’ve seen a small number of questions that provide links on how to do this but I’m looking for an actual step by step example. Has anyone actually successfully included AD groups in the OKTA application user’s token.
At present all I can see is when an AD logs into an OKTA application via OIDC then the userInfo endpoint only shows the OKTA groups and not the AD group it belongs to.

I would appreciate if there is an actual real example to show how this is achievable.
Thank you


#2

Hey @tmarziano - are you already adding normal (non-AD) groups to the ID token?

For reference: https://developer.okta.com/docs/how-to/creating-token-with-groups-claim.html


#3

Hi Nate

Thank you for your response. Yes I can see OKTA Groups in the ID token but not any AD groups. So, if an AD user logs in via OKTA the id token does NOT show the AD group but only the OKTA group it belongs to.

Also, with regards to the link you posted, I’ve seen this but am a little confused with “Step Two: Add List of Groups to Profile of Client App”. Its probably easy but was not able to find this in the UI.


#4

Hey @john.gronberg - I’ve also added Okta groups to a token, but never tried it with AD groups. Are separate steps required for that? Do we have a specific set of instructions for that?


#5

@tmarziano For AD groups, you’ve got to follow the whitelisting approach in the doc Nate linked to.
There isn’t a UI option at this time.

We will be adding a more robust expression language function to do string matching on Group names in the future, which will apply to Okta as well as AD groups. Keep an eye on our change log for when that becomes available.


#6

Hi John
Thank you (and Nate) for your help.

I’ve done a POST as follows:

https://dev-297076-admin.oktapreview.com/api/v1/apps/

{
    "name": "oidc_client",
    "label": "CASUPPORT_OKTA_NATIVE",
    "status": "ACTIVE",
    "signOnMode": "OPENID_CONNECT",
    "profile": {
        "groupwhitelist": [
          "00gbso71miOMjxHRW0h7"
        ]
    }
}

and I get the following error:

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oae7duOMFWqS3SiZwiLUNJOlg",
    "errorCauses": []
}

I’ve checked the appID and its correct since when calling the URL in the browser I get back json data.

Any ideas?


#7

I switched from POST to PUT and that succeeded BUT now with the above whitelist entry for a single AD Group, I created a custom claim with the following expression:

getFilteredGroups(app.profile.groupwhitelist, “group.name”, 40)

NB: Literally pasted the above expression

Yet it does NOT work I do NOT see the AD group in the user’s token

Any suggestions would be greatly appreciated.
Thank you


#8

What does your id_token request look like? Are you sure the user is a member of the whitelisted group?


#9

Yes, the groupid in the whitelist is ‘00gdkn3mrkSqcE2n00h7’ which is:

{
    "id": "**00gdkn3mrkSqcE2n00h7**",
    "created": "2018-01-09T23:01:06.000Z",
    "lastUpdated": "2018-01-09T23:01:06.000Z",
    "lastMembershipUpdated": "2018-01-09T23:01:06.000Z",
    "objectClass": [
        "okta:windows_security_principal"
    ],
    "type": "APP_GROUP",
    "profile": {
        "name": "Domain Users",
        "description": "CASUPPORT.support2016.ad.hursley.ibm.com/Users/Domain Users",
        "windowsDomainQualifiedName": "CASUPPORT\\Domain Users",
        "groupType": "Security",
        "groupScope": "Global",
        "samAccountName": "Domain Users",
        "objectSid": "S-1-5-21-2369833120-3074229025-114115762-513",
        "externalId": "rTYxz7hheUK3db9G0StWMg==",
        "dn": "CN=Domain Users,CN=Users,DC=CASUPPORT,DC=support2016,DC=ad,DC=hursley,DC=ibm,DC=com"
    },

The userinfo shows only the OKTA group “ADGROUP”:

userinfo: {"sub":"00udkg9wxf0cMv2E50h7","zoneinfo":"America\/Los_Angeles","email_verified":true,"updated_at":1515539206,"name":"TM1 USER",**"groups"**:**["ADGROUP","Everyone"]**,"preferred_username":"tm1@CASUPPORT.support2016.ad.hursley.ibm.com","locale":"en-US","given_name":"TM1","family_name":"USER","email":"tm1@CASUPPORT.support2016.ad.hursley.ibm.com"}

AD as whitelist for getFilteredGroups
#10

Am I correct in saying this will only work if you have API Access Management and a custom authorization server with the groups claim defined as above? I seem to recall reading that AD groups can’t be passed using the default Okta Authorization Service (ie. the one OIDC apps use out of the box).

The very last comment in this support post mentions it:

https://support.okta.com/help/answers?id=9062A000000XZqXQAW&feedtype=SINGLE_QUESTION_DETAIL&dc=xOkta_API&criteria=OPENQUESTIONS&

Cheers,

Richard


#11

Hi Richard
Thank you for your response. In looking at that comment you mentioned, it seems to be a contradiction. See below:

OpenID Connect Group Claim Retrieves Application Groups

"OpenID Connect, which uses the Okta Authorization Server, can retrieve application groups for use in tokens. Previously, application groups could only be retrieved with the Custom Authorization Server.

You can use the Okta Expression Language getFilteredGroups function to retrieve application groups."

Is this not the case?


#12

Anyone have any suggestions on how to get AD groups into a users ID_Token/Access_Taken as a claim?


#13

Hi Tony. The only way I’ve been able to get this working is using the custom claims and logic from my original link. If you’re licensed for API Access Management, it should work.


#14

Hi Richard

Thanks for your reply. I’m currently subscribed to the developers org (preview) but if you have an example I’d appreciate it.


#15

Hi Everyone

Does anyone have an actual example of successfully adding Active Directory Groups to a users id_token?
Followed everything from the above but still not working.
Any help is greatly appreciated.
Thanks