Return Saml groups of a User

I have a simple SpringBoot web app authenticating against Okta using Saml, works fine.
However I’d like Okta to return the group(s) that a user belongs to, this doesn’t seem to work for me.
In Spring it’s referred to as the Authorities but this isn’t being filled for me.

Do I have to configure anything extra to return the group(s) in a variable?
I saw an edit screen for " Group Attribute Statements (optional)", is this what I should be looking at?
Does this value get used in the profile mapping or is that something different?

Sorry for the newbie questions


Is it possible that you could use OIDC instead of SAML? I know how to get the groups with OIDC.

Hi - I am trying to simulate how a different another application ( I don’t have direct access to) works which can only use Saml.

However, I would be interested in understanding how OIDC does this as I may have a need for this in the very short term.

Thanks for your swift response!

With OIDC, you can add a “groups” claim that will be in your ID token. You’ll need a developer account from to use OIDC.

Navigate to API > Authorization Servers , and click on the default server. Click the Claims tab and Add Claim . Name it groups , and include it in the ID Token. Set the value type to Groups and set the filter to be a Regex of .* . Click Create .

1 Like

You would need to implement your ‘SAMLUserDetailsService’ that would return the corresponding ‘UserDetail’ instance with the rights ‘Authorities’ granted to the user.

You would need to pass list of groups using ‘Group Attribute Statements’ in Okta.

Then, you would have to retrieve the list of groups from the SAMLCredential (something like String[] str = credential.getAttributeAsStringArray("groups") and you would have to map these values with the list of authorities defined in your application.

1 Like

Thanks for the response - this works as desired!