How to get AD groups using OIDC with "groups" scope and Regex ".*" groups filter

Having implemented OIDC based SSO for a client the issue seems to be that I get the Okta groups back in userinfo with the “openid email groups” scope but not the AD groups.
What kind of setting (if possible) is needed to be done to be able to get AD groups also

Are your AD groups currently mapped to Okta groups? (do they show up in the admin console when looking at a user’s groups?)

I don’t quite get what you mean by “AD Groups mapped to Okta Groups”. There are Okta groups which were created inside Okta itself and there are AD groups, Both of which can be seen in the admin console. Interestingly the AD groups are without a “X” besides them (so they can’t be deleted as expected).

But when I get the userinfo details back it sends only those groups created specifically inside Okta but not the AD groups the user belongs to,

How does one go about mapping AD groups to Okta Groups or better still get both sets of groups? This answer : How to get AD groups in id_token? seems to suggest that this is not possible unless one runs a custom authorization server (which our client doesn’t). Is that still true?

Yes getting AD groups is little tricky, you need to do is use Group ID.

Try below
a) Add Claim --> Select Token( Access or ID token)–> Value Type–> Expression–> Value --> User Regex( with group id) [ e.g : getFilteredGroups({“group id1”, “group id2”}, “group.name”, 40) ] --> include scope…

I hope this helps.

Thanks
Siva Desetti

1 Like

Tried that (note that our client is not running a custom authorization server). Instead of Filter used expression and then set regex to getFilteredGroups(…] but it is still not pulling in the AD groups.

It should work on default AuthZ server as well, or try creating one for testing. Make sure you are stamping claim correctly. Can you share you getFilteredGroups query