Pass list of roles instead of single value?

Currently, our TestCo Okta is able to pass ‘testrole’ with one of a few different values, e.g. ‘admin’ or ‘user.’ If a user has multiple ‘testrole’ attributes (based on group membership) then Okta has a precedence order that determines which one ‘testrole’ value it will return.

We need to be able to handle passing a list of roles from IdP to Cognito to our API. For example, a string of ‘admin, user, readonly, section-admin’. So adding a claim inside the ‘authorized servers’ --> default won’t work for us.

Is there a reason you cannot use a group function to pass the groups as roles, i.e.:


Otherwise, can you use the array functions:

Hi Govner, I’m an absolute beginner at Okta and got handed resolving this issue by our tech lead. I’m sorry for my ignorance, but where would I apply that? And it will get all the roles from whatever groups the user may be in and pass them as a list in the SAML?