[IdP] Assigning groups

Published on 16 Apr (5 days ago) by Telmo Martins

I've followed the OKTA SAML IdP instructions for setup that I have found information regarding at the following links:


http://ricardogonzaga.outsystemscloud.com/IdP/#ConfigureSAML
https://www.outsystems.com/forge/component-overview/1696/idp-example
https://www.outsystems.com/forums/discussion/33283/okta-saml-loading-the-attributes-into-users/


Everything appears to be working correctly with the exception of two items:

1. When users log out, they are redirected to the Outsystems login page instead of the OKTA login page.

2. Groups are not getting populated. In my custom claims in Outsystems I have followed the example and placed "http://schemas.xmlsoap.org/claims/Group". In Okta I have configured the group attributes name as "group". In OKTA my user is assigned to "TestGroup" and I have created "TestGroup" in Outsystems but when I log in with the new user they are only assigned to the IDP onboarding group. I have been looking for detailed documentation on usage but aside from examples I have not found any, so please let me know if I am missing some reference material that I can use.


Thank you!

Hi Charles,


Regarding 1), please follow the instructions page of the component itself, i.e., (https://<your_host>/IdP)

2) In the IdP configuration page, you must configure the claim in the Groups claim (and not custom claims), in order to automatically assign those groups to the OutSystems user.


Regards

Telmo Martins wrote:

Hi Charles,


Regarding 1), please follow the instructions page of the component itself, i.e., (https://<your_host>/IdP)

2) In the IdP configuration page, you must configure the claim in the Groups claim (and not custom claims), in order to automatically assign those groups to the OutSystems user.


Regards


Thank you so much for the rapid response. I will follow the instructions for #1. As far as #2, I misspoke, my apologies. I did have that string configured in the group claim, not in "custom claims", but it still does not work. I've been trying to apply breakpoints in the producer to figure out where I can check for group assignments in the IdP module but no luck so far.



Hi,

If you are on OS11, you can copy paste the response xml from the logs message and test it on the Test Message screen. It will tell you which claims are mapped and the ones that are not mapped (and the respective name that has to be mapped).

Regards

Sadly I was spun up in a brand new environment last month on 10 due to a security product that we bought from Outsystems not yet being available, and I'm waiting for the upgrade to 11. OKTA is for a POC anyway; we have our own SAML provider and I was attempting to familiarize myself with a working POC before attacking our in-house system. At this point I'll wait until we are implementing the real thing, which will hopefully be on 11, before bothering you any further - thanks so much for this excellent provider though!

Hi,

Sure, no problem. Before debugging and checking it out, I would just say to first confirm the exact attribute in the xml response message (log screen) and confirm that in the configuration we set the same name in the mapping.

Regards

Solution

Telmo, some documentation that I looked at, which I unfortunately can't find anymore, said that I should place "http://schemas.xmlsoap.org/claims/Group" in the groups claim. Thanks for your pointer to the logs, where I could see that they were coming across as a "group" assertion. My correction of that parameter in the IdP config screen to "group" corrected the issue and my user is automatically placed in the group. Thanks so much for your help on this!

Charles


Solution

Hi,

Ok, so on the message logs screen, check the last entry of LoginResponse type. Check the xml message, where at some point you should find a node called "AttributeStatement". Inside this node there should be the list of assertions; one of them should have the group, like <saml2:Attribute Name="<Group_name_here>" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">.......

The value that you must set on the claims configuration screen for the Group claim is the <Group_name_here> value.

Regards
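As an added example (not part of this thread and not the IdP component's own code), the check Telmo describes, done offline against a constructed LoginResponse fragment: it lists the Attribute names inside the AttributeStatement and reports whether a configured Groups-claim value matches one of them exactly, which is what separates the failing "http://schemas.xmlsoap.org/claims/Group" setting from the working "group". The sample XML, the function names and the email attribute are my assumptions; this only inspects an already-logged message and performs no signature validation.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of the AttributeStatement part of a SAML LoginResponse,
# shaped like the node described in the thread (not a real Okta response).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml2="{SAML2}">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>charles@example.invalid</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="group"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>TestGroup</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""


def attributes_from_response(xml_text):
    """Return {Attribute Name: [AttributeValue texts]} for every saml2:Attribute."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_claim_mapping(xml_text, configured_claim):
    """Exact, case-sensitive match of the configured claim against the Name attributes.

    'available' lists the names the IdP actually sent, so a mismatch shows
    what the Groups claim should be set to instead.
    """
    attrs = attributes_from_response(xml_text)
    return {
        "mapped": configured_claim in attrs,
        "values": attrs.get(configured_claim, []),
        "available": sorted(attrs),
    }


if __name__ == "__main__":
    for claim in ("http://schemas.xmlsoap.org/claims/Group", "group"):
        print(claim, "->", check_claim_mapping(SAMPLE_RESPONSE, claim))
```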