Hi All. Really hope you can help with this one!
We have an inbound SAML that is getting SAML from an IdP which is returning the roles in the credential as a CSV list in the Attribute assertion rather than using an AttributeValue element list as is more common for pure SAML.
I had a look at the requirements for SAML and found that what they are doing is perfectly valid. Using an AttributeValue list is only Recommended rather than the stronger Should or Must. (I assume this is intended to help support consumers of the authorization content in the assertion that are not very SAML aware. Something that separates the authentication (SAML) and authorisation (not SAML) into distinct systems.)
What I am wondering is how I might be able to flag to Okta that the groups in the SAML will be in a CSV list, or otherwise perform some preprocessing to put the role/group values in a form that would make Okta happy. Processing would of course need to occur before the Group Filtering is applied for the Inbound SAML.
(I tried a string array yet all this did was create an array with a single item that was the whole CSV string unsplit.)
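
The two encodings described in the post above, and a consumer-side split of the CSV form, as an added example (not part of the original post and not Okta's own mechanism). The attribute name `roles`, the role values and the function `attribute_values` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: roles packed as CSV into a single AttributeValue.
CSV_FORM = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="roles">
    <saml:AttributeValue>admin, auditor,ops</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: the same roles as one AttributeValue element per role.
LIST_FORM = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="roles">
    <saml:AttributeValue>admin</saml:AttributeValue>
    <saml:AttributeValue>auditor</saml:AttributeValue>
    <saml:AttributeValue>ops</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(statement_xml, name, csv_delimiter=None):
    """Return the values of the named attribute as a flat list.

    With csv_delimiter set, every AttributeValue is also split on it, so the
    CSV form and the element-list form yield the same result.
    Assumption: this runs only on an assertion whose signature has already
    been verified. It splits the parsed values and never rewrites the XML,
    because changing signed bytes would invalidate the signature.
    Caveat: a role name that itself contains the delimiter will be split.
    """
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for av in attr.findall("saml:AttributeValue", NS):
            text = av.text or ""
            parts = text.split(csv_delimiter) if csv_delimiter else [text]
            # Drop surrounding whitespace and empty entries ("a,,b" or "a, ").
            values.extend(p.strip() for p in parts if p.strip())
    return values


if __name__ == "__main__":
    print(attribute_values(CSV_FORM, "roles"))        # one unsplit item
    print(attribute_values(CSV_FORM, "roles", ","))   # three roles
    print(attribute_values(LIST_FORM, "roles", ","))  # three roles
```
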