[IdP] Populating groups

Published on 4 Aug (14 days ago) by Telmo Martins

I have an Okta environment and I need to configure IdP.

In Okta I defined 2 groups: Administrator and Employee, and I have given the groups to the users.

In my OutSystems environment I also have the groups Administrator and Employee.

When a user logs in, their first name, last name and email are transferred from Okta to OutSystems. But now the group also needs to be transferred. I have defined it like this but that does not work. The Split Chr is ","

Also, when I have defined groups for the user in OutSystems, those groups are removed, so it does something with the groups.

It is not a solution to leave the field Groups empty and define the groups for the users in OutSystems, because we have a lot of users and it must be automatic.

How can I solve this?

Hello Marlies, 

I think the Groups configuration in IdP is the name of the attribute that comes in the claim from Okta, not the names of the groups themselves.

I think IdP will use this to find the attribute in the claim and map the groups it is receiving to the existing groups in OutSystems.

As the name of the attribute is wrong, it is not finding it and is deleting any group the user in OutSystems is already in... 

See here someone with a similar problem: https://www.outsystems.com/forums/discussion/44900/assigning-groups/

Cheers

Hello Eduardo,

What you described, and the similar problem, works for only one group. But we have 2 groups.

The situation is that in Okta a user gets one of the 2 groups, so in OutSystems the user must be coupled to the right group, that is, the same group as described in Okta. So in my example above, when I only do Administrator or Employee, it works well. But combining them with a "," does not seem to work.

How can i solve that?

Hi Marlies, 

That is not how the Groups work in IdP, I think... 

The problem seems to be that your Okta groups are not standard ones... They should all come in a single attribute, and it seems they are coming as their own attributes...

Take a look at this post:

https://www.outsystems.com/forums/discussion/37897/support-for-multiple-group-assertions/

The first answer is what IdP is expecting... 

As mentioned in the last answer you probably need to use a custom attribute in IdP to make it work... 

Could you put here the log of the answer from Okta so we could take a look at how it is sending the groups?

Cheers

This is the xml

</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="id1858372537630331115755100" IssueInstant="2019-08-15T08:11:28.645Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk11i5van3LSF6i1357</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">marlies.quaadgras@transfer-solutions.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="id_t20_f41470aa743c4314ae9de59b49732602" NotOnOrAfter="2019-08-15T08:16:28.645Z" Recipient="https://development.outsystems.transfer-solutions.com/IdP/SSO.aspx"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2019-08-15T08:06:28.645Z" NotOnOrAfter="2019-08-15T08:16:28.645Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://development.outsystems.transfer-solutions.com/IdP/SSO.aspx</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2019-08-15T05:56:51.539Z" SessionIndex="id_t20_f41470aa743c4314ae9de59b49732602">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Marlies</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Quaadgras</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">marlies.quaadgras@transfer-solutions.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Administrator" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Administrator</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Employee" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Employee</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>

Yeah... That's not very useful...

Sorry. Can't help more for now. I'm without a computer until Saturday. 

If no one can help you until there, I can try again. 

Cheers 

This is how I defined the claims now:

Thanks Eduardo so far!

Hi,

I'm not too aware of how groups are assigned / configured on the Okta side of things, but from your SAML message example we can see the assigned groups are sent as individual attributes instead of as a list of attribute values.

You would need to set up groups to be sent inside one attribute statement with multiple attribute values, eg:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group" ... >
    <AttributeValue ... >Administrator</AttributeValue>
    <AttributeValue ... >Employee</AttributeValue>
</Attribute>

A quick look at the Okta documentation (https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm) gives me a hint that you might need to create a custom SAML attribute that lists the user's assigned groups to achieve this.

In the IdP config, you would then use the attribute name ("http://schemas.xmlsoap.org/claims/Group" in my example) in the configuration text box for "Groups". The attribute name can of course be anything, but it has to match on both sides of the configuration.
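To make the two replies concrete, here is an added Python illustration (not code from this thread or from the IdP component) of the mapping they describe: the SP looks up the one attribute whose Name equals the configured "Groups" value, treats each AttributeValue as a group, and splits each value on the configured character. The two sample statements are constructed, the attribute name "http://schemas.xmlsoap.org/claims/Group" is the one used in the answer above, and the mapping rule itself is an assumption about the component's behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples (not a real Okta response). The first has the shape seen in
# the posted response: one attribute per group. The second carries all groups as
# values of a single attribute, which is what the replies say IdP expects.
PER_GROUP_ATTRIBUTES = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Email"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Administrator"><saml2:AttributeValue>Administrator</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Employee"><saml2:AttributeValue>Employee</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

MULTI_VALUED_ATTRIBUTE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="Email"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml2:AttributeValue>Administrator</saml2:AttributeValue>
    <saml2:AttributeValue>Employee</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def groups_from_statement(statement_xml, groups_attribute, split_char=None):
    """Return the groups carried by the attribute whose Name is `groups_attribute`.

    Assumed mapping rule (not the IdP component's real code): only the attribute
    with exactly that Name is consulted, each AttributeValue is one group, and
    each value is additionally split on `split_char` when one is configured."""
    root = ET.fromstring(statement_xml)
    groups = []
    for attr in root.findall("saml2:Attribute", NS):
        if attr.get("Name") != groups_attribute:
            continue
        for value in attr.findall("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            parts = text.split(split_char) if split_char else [text]
            groups.extend(p.strip() for p in parts if p.strip())
    return groups


def check_mapping(statement_xml, groups_attribute, split_char=None):
    """Return (groups, warning). An empty result is exactly the case that wipes
    the user's existing OutSystems groups, so flag it instead of applying it."""
    groups = groups_from_statement(statement_xml, groups_attribute, split_char)
    warning = None
    if not groups:
        warning = "no attribute named %r with values; sync would remove every group" % groups_attribute
    return groups, warning
```

Running `check_mapping(PER_GROUP_ATTRIBUTES, "Administrator,Employee", ",")` reproduces the question's configuration and yields no groups plus a warning, while the multi-valued sample with the attribute name in "Groups" yields both groups.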