We are trying to tie some custom metadata to IDPs in Okta. I see that I can define a “custom attribute” for an IDP in the profile section, however I don’t see where I can define a default value for this custom attribute. This is internal data that we are trying to define for IDPs, so there is nothing to map to in the “Profile Mappings” section.
For example: I want to add an attribute to IDPs called idp_type, so that I can add types to different IDPs that I can use in my business logic.
The only way I can think to do this is to build my own service to hold custom data for an IDP, and add it onto a user's JWT with inline hooks. Is there a more elegant way to do this in Okta without having to build my own service/datastore?
@esitzes Could you elaborate on how users are going to be registered? Do you have existing users this needs to apply to?
There are a couple of options I can think of, but they may not be useful to you. For example, if the users are synchronised in from AD or an LDAP, you can specify custom expressions to set default values.
If you have another app to register users, you could add some logic there.
Also, how are you going to use it and are all users going to have the same value?
If it's consistent for all users, you could also have a static claim which never changes.
To either assert a static value or an Okta attribute, you shouldn't need inline hooks.
@abole we are still figuring out our user registration/onboard flow. Probably we will rely on JIT user creation in Okta when a user logs in for the first time.
Custom attributes: I don't think I can use custom attributes, because they require me to map the custom attribute to some attribute in the external IDP. In my case, I'm trying to make internal-only fields, so there is nothing to map to in the external IDP.
Static claims: I have been experimenting on creating custom claims on our JWTs from Okta. However I can only add the claim on the token if the value exists on the user’s profile already. I need to figure out the above problem first: how do I create some internal-only field for the IDP that I can define with some static value.
So far the only way I can think to do this is to have my own database to store IDP-specific custom data. Then use an inline hook to call to a web service that looks up the custom data based off of idp_id and attaches it to the JWT. However I was hoping there was something built-in to Okta that would let me accomplish this without having to write my own code and manage a new datastore.
If users are created JIT once they login via your other IdP, have a look at Map Okta attributes to app attributes in the Profile Editor | Okta.
You should be able to use Okta expression language on the inbound claims to test if there’s a value present and if not set a default.
Another idea is that the other IdP sets a static claim that you consume.
If you can live with putting users in a group instead of a new attribute, all users from that IdP can be automatically added to a set group.
Thanks for the info on default values for Okta Expression Language! That was the piece I needed to figure this out.
In case anyone else has this problem, here are the steps I followed for adding a custom field to a user profile at the IDP level:
1. Add the Custom Attribute for the USER. I was adding Custom Attributes for the IDP, which is why it wasn't showing up in the mapping for me. Go to Directory -> Profile Editor and select
2. Add the attribute you want
3. Go to the mapping for the IDP, and set up a default value for the Custom Attribute you just defined for the user profile. I got it to work with String.stringSwitch in Okta Expression Language
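As an added illustration of the last step (not from the thread, and not Okta's own sample), here is a mapping expression of that shape. It assumes the custom user attribute is named idp_type, that the IdP user profile exposes idpuser.email, and a constructed domain @contractors.example.com; String.stringSwitch returns the value paired with the first key the input contains, otherwise the default string, so every user created through this IdP gets "partner" unless their email contains that domain.

```text
Mapping:  "<IdP name> to Okta User"  (Directory -> Profile Editor -> <IdP> -> Mappings)
Target:   idp_type  (custom attribute on the Okta user profile)

String.stringSwitch(idpuser.email, "partner", "@contractors.example.com", "contractor")
```

Drop the key/value pair to make the value a pure per-IdP constant, and give each IdP its own mapping with a different default.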