Trouble retrieving Active Directory groups in OpenID Connect claims

stevek · April 22, 2021, 9:28pm

I’m having trouble getting AD groups included in OIDC claims.

I did the following tests based on the information here:
https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims

In the Okta OpenID Connect app, I tried setting the Groups claim expression to:
Arrays.flatten(Groups.startsWith("OKTA","",100)) - returns all Okta groups
Arrays.flatten(Groups.startsWith("OKTA","",50)) - returns all Okta groups
Arrays.flatten(Groups.startsWith("OKTA","",5)) - returns no claims with error “The ‘groups’ user claim could not be evaluated” (??)

In Okta Admin, if I go Directory > Profile Editor > Directories tab, the single profile has a variable of active_directory, so I tried:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))

And got empty claims with error:

The error message returned is:
=The ‘groups’ user claim could not be evaluated.

When I go to Directory > Profile Sources, there’s a single ‘Active Directory’ source with a variable name of msc.internal, so I tried:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("msc.internal","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("msc.internal","",100))

And this returns all Okta groups. This would indicate to me that the Groups.startsWith("msc.internal","",100) actually returned something but it was empty.

Any help appreciated, thanks.

Lijia · April 23, 2021, 3:37am

@stevek
The error msg means your current custom claim is not setup correctly.
“The error message returned is:
=The ‘groups’ user claim could not be evaluated.”

Do you have AD groups? If you have, try the simplest syntax and see if it returns any AD group
Groups.startsWith(“active_directory”,"",50)

stevek · April 23, 2021, 4:26am

Thanks @Lijia for your response.

We have hundreds of AD groups. I can see them all with a Windows icon next to them when I navigate in Okta to /admin/groups.

I entered the expression you suggested and get the response:

error:
server_error

error_description:
=The ‘groups’ user claim could not be evaluated.

Lijia · April 23, 2021, 3:32pm

@stevek There can only be a maximum of 100 groups per token. If you have more than 100 AD groups returned, you will see the error.
Can you please try to fill in one of your AD group name in the below syntax and see if any group can be returned?
Groups.startsWith(“active_directory”,“AD group name”,50)

stevek · April 27, 2021, 12:44am

Ahh thanks @Lijia , I had thought the limit in the startsWith(app_type/app_instance_id, pattern, limit) function was to limit the number of groups returned. What does the limit refer to?

Lijia · April 27, 2021, 10:16pm

@stevek Np. It does limit the group number, but the maximum number of groups in a claim is 100. If your request response has more than 100 groups. You will get the error.

stevek · April 27, 2021, 10:35pm

I see, thanks for your help @Lijia