Prefix label for groups value in SAML response

kmawhinney · February 1, 2025, 5:58am

Although a lot of platforms are heading away from on-prem configurations, but in some cases we need to pass assertion in the “old” format in the SAML response. I am looking for the “new” way of passing downlevel format of groups in the SAML assertions.

We used to be able to do this by adding the Groups claim in the Attribute settings as follows.

This will result in the SAML response having the Groups attribute value of “Domain\Groupname”

<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Domain\Domain Group</saml2:AttributeValue>

The current state of Okta Group filtering doesn’t allow this anymore, it would seem.

kmawhinney · February 1, 2025, 7:26am

Alright, I figured it out; something that I had forgotten. The Regex [Domain\\].* does exactly what it is supposed to do.

the Regex is filtering for all groups with the prefixes of Domain\ and adding it to the SAML assertion. The ,* is a wildcard, and the second \ is the escape character.

The caveat is that an Okta group has to exist with the Domain\ prefix. On-prem AD will come across as the group’s friendly name without the Domain qualifier. Therefore, you will need to create an Okta group and add a Group Rule that will take an AD group and add it to the Okta group.

Examples:

Create a couple of Okta groups with the prefix Test\.

Test\Test Users
Test\Admins

Then configure the Group Attribute Statement:

The Regex matching of [Test\\].* will find all groups with the Test\ prefix and add it to the SAML assertion.

 <saml2:Attribute Name="Groups"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Test\Test Users</saml2:AttributeValue>
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Test\Admins</saml2:AttributeValue>

system · February 4, 2025, 9:30am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Need to pass a substring of Okta groups name on SAML assertion Questions	2	3473	August 12, 2021
How to get user's groups in the SAML assertion SAML	4	5817	November 4, 2019
How to append prefix in group name while returning in SAML Response Questions	1	2179	February 12, 2024
Okta Group SAML assertion to Application Groups/ Roles SAML	2	3757	December 18, 2019
SAML Configuration NameID Format SAML saml	1	8982	February 12, 2024

Prefix label for groups value in SAML response

Related topics