We’re using Okta as an SSO and management tool (to define roles / access within the company etc.).
I was wondering if there is a possibility to limit access within an App integration via Okta which would result in limited access within the App itself?
For example: Tool X has certain predefined roles (admin, user, viewer etc.) which entails various rights and access to data. Employee 1 should have admin access, employee 2 user access and so on.
A common strategy I see, particularly for OIDC apps, is to use Group membership assignments to control application permissions/roles, for example, having AppA_Admin, AppA_User, and AppA_Viewer groups within Okta. You would then need to configure a groups claim (OIDC) or attribute statement (SAML) to ensure these groups were available/sent to the application in question. Your application could then use this group membership claim/attribute to confer the appropriate application permissions to the user.
Thanks for the quick turnaround! It’s not limited to a specific app but more general. Let’s say we want to implement Airship, which has predefined roles (Admin, full access, Reports etc.) within the application, or something like Zendesk. Depending on the role assigned to you, you would have access to different data.
I’m asking because otherwise we would need to manually set up the roles within the application itself every time we’re granting a new user access to it.
So in the end it’s about limiting authorization through Okta, I guess.
I guess it would depend a bit on what you could map into from Okta that the SP would recognise as a role. In my example of using a groups claim, the tokens issued for users would contain a list of group names that could then be mapped to roles on the SP side.
Can any of the SPs you’re working with handle that kind of mapping?
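Added example (not from this thread, Okta, or any SP) of the SP-side mapping the replies describe: the application reads the groups claim from an OIDC ID token and picks the highest-privilege matching role. The AppA_Admin/AppA_User/AppA_Viewer group names come from the earlier reply; the claim name `groups`, the role names, and the sample claims are assumptions, and the token is assumed to have been signature- and audience-verified before this step.

```python
# Added example: map Okta group names from an OIDC "groups" claim to application roles.
# Assumes the ID token has ALREADY been signature- and audience-checked; this code only
# interprets the decoded claims. Group names follow the AppA_* pattern from the reply;
# the claim name "groups" and the role names are assumptions, not Okta defaults.

from typing import Any, Mapping, Optional

# One Okta group per application role.
ROLE_BY_GROUP = {
    "AppA_Admin": "admin",
    "AppA_User": "user",
    "AppA_Viewer": "viewer",
}
# Highest-privilege role wins when a user is in several mapped groups.
ROLE_PRECEDENCE = ("admin", "user", "viewer")


def role_from_claims(claims: Mapping[str, Any], claim_name: str = "groups") -> Optional[str]:
    """Return the effective app role, or None if the user is in no mapped group.

    Returning None rather than a default role means a user who was assigned the
    app in Okta but put in no AppA_* group gets no access until the group
    membership is fixed, instead of silently landing in a role.
    """
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        # Claim missing (not configured on the app) or malformed: treat as no role.
        return None
    candidate_roles = {
        ROLE_BY_GROUP[g] for g in groups if isinstance(g, str) and g in ROLE_BY_GROUP
    }
    for role in ROLE_PRECEDENCE:
        if role in candidate_roles:
            return role
    return None


# Constructed sample claims, shaped like a trimmed decoded Okta ID token payload.
SAMPLE_ADMIN = {
    "sub": "00u-example",
    "email": "employee1@example.com",
    "groups": ["Everyone", "AppA_Viewer", "AppA_Admin"],
}
SAMPLE_NO_MAPPED_GROUP = {"sub": "00u-example2", "groups": ["Everyone"]}
SAMPLE_CLAIM_MISSING = {"sub": "00u-example3"}  # groups claim not configured on the app

if __name__ == "__main__":
    for label, c in (("admin", SAMPLE_ADMIN), ("no mapped group", SAMPLE_NO_MAPPED_GROUP),
                     ("claim missing", SAMPLE_CLAIM_MISSING)):
        print(f"{label}: {role_from_claims(c)}")
```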