[IdP] Support for multiple group assertions

Forge Component
Published on 9 May by Telmo Martins
34 votes
Published on 9 May by Telmo Martins

We are using OKTA and security groups sync'd with our AD.  The IdP works great for the auto-provisioning of users and assigning/creating of groups.

However, we have a quite large list of security groups (all of which we don't want to be imported as user groups in OutSystems) and with a rather complex OU hierarchy.  OKTA doesn't support looking at the hierarchy when creating the group assertion statements, only the group name itself. This would have made writing the statements rather easy as I could just ask to send all groups for a particular OU.  I'd like to avoid writing complex RegEx expressions to pull out the user groups by name for ease of maintainability.  I was hoping that I could create multiple group assertions statements in OKTA and simply have a comma delimited list of Groups in the IdP Claims.  For example: "group1,group2"  The SAML_Process actually does a nice job of splitting the Group attribute into "group1" and "group2" with a comma-delimited list of groups from the SAML statement in each one - but when it goes to assign the user data (DataToUserData), it's trying to match the full string from the iDP_AttributeGroupName field (i.e. "group1,group2") to the list names and it's unable to make a match.

I'd like to suggest this as a possible enhancement in a future version.  I'm not intimate with the entire application's code - but it doesn't appear to require a lot of changes.

Hi ChrisRE,

Currently the component takes the group attribute, like <Attribute name="<Group_name>"><AttributeValue>group1,group2,group3</AttributeValue></Attribute>, and already add group1, group2 and group3 to that User. So "group1" for instance should be a valid group name in OS.

Didn't fully understand your use case. Can you provide some xml examples of what's the Group node returned by OKTA look like?


For example SAML Attribute Statement section below, I've created two group assertion statements in OKTA. The first group looks for the string "Product" in the security group name, the second looks for the string "Notification" in it. Each one has its own Name, "group1" and "group2".  In each, there are 4 and 3 security groups respectfully. 

If I use the string "group1" in the IdP Group Claims, it works great.

I was looking to concatenate both lists from "group1" and "group2" so that all 7 security groups are evaluated against the users groups.

<saml2:Attribute Name="group1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">New Product Pre-Order Processing</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">New Product Development</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">New Product Operations Workflow</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">New Product Sales Training</saml2:AttributeValue>
<saml2:Attribute Name="group2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Usage Notifications</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Operation Notifications</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Telus Notifications</saml2:AttributeValue>


In that case and if group1, group2, etc are previous known, would suggest to add them as Custom claims. A small customization will be needed to capture all those groups values (using GetCurrentUserClaims action for instance) and use that as input of SAML_Groups_Process action call.