I’m having trouble getting AD groups included in OIDC claims.
I did the following tests based on the information here:
https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims
In the Okta OpenID Connect app, I tried setting the Groups claim expression to:
Arrays.flatten(Groups.startsWith("OKTA","",100))
- returns all Okta groups
Arrays.flatten(Groups.startsWith("OKTA","",50))
- returns all Okta groups
Arrays.flatten(Groups.startsWith("OKTA","",5))
- returns no claims with error “The ‘groups’ user claim could not be evaluated” (??)
In Okta Admin, if I go Directory > Profile Editor > Directories tab, the single profile has a variable of active_directory, so I tried:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))
And got empty claims with error:
The error message returned is: The ‘groups’ user claim could not be evaluated.
When I go to Directory > Profile Sources, there’s a single ‘Active Directory’ source with a variable name of msc.internal, so I tried:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("msc.internal","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("msc.internal","",100))
And this returns all Okta groups. This would indicate to me that the Groups.startsWith("msc.internal","",100) actually returned something but it was empty.
Any help appreciated, thanks.
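A quick offline check of what the groups claim in a returned ID token actually carries, added here as an example (not code from the original post or from Okta): it decodes the token payload without verifying the signature, lists expected group names that are absent, and flags when the count reached the limit passed as the third argument of Groups.startsWith (100 in the expressions above), since that argument caps how many groups the expression returns. The sample token and group names are constructed for the test.

```python
import base64
import json

# Limit used in the expressions above, e.g. Groups.startsWith("OKTA", "", 100);
# the third argument caps how many groups the expression returns.
GROUP_LIMIT = 100


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Inspection only: verify against the issuer's JWKS before trusting claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_groups_claim(claims: dict, expected: set, limit: int = GROUP_LIMIT) -> dict:
    """Report what the 'groups' claim actually carried.
    present: the claim exists and is a list
    missing: expected group names not found (case-sensitive, as emitted)
    possibly_truncated: the count reached the limit, so later groups were cut"""
    groups = claims.get("groups")
    present = isinstance(groups, list)
    found = set(groups) if present else set()
    return {
        "present": present,
        "count": len(found),
        "missing": sorted(expected - found),
        "possibly_truncated": present and len(groups) >= limit,
    }


def build_unsigned_token(claims: dict) -> str:
    """Constructed sample token for offline testing (alg 'none', empty signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claims standing in for a token returned by the test app.
    token = build_unsigned_token({"sub": "user@example", "groups": ["Everyone", "Domain Users"]})
    print(check_groups_claim(decode_payload(token), {"Domain Users", "Okta-Admins"}))
```

Paste a real ID token from the test app in place of the constructed one; a missing claim, a missing AD group name, or a count sitting exactly at the limit each points at a different cause.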