okta

Is it possible to map groups claim values in Okta using the Groups claim expression?


I am trying to map group claim values in Okta (using OIDC), without using Custom Authorization Servers. Specifically, I am trying to map the groups claim values using the Groups claim expression (Sign on -> OpenId Connect ID Token -> use "Expression" as Groups claim type). Is it possible to use this Groups claim expression to map the names of the groups that the user is a member of?

Example: If a user is a member of group "A", the token should include the claims "abc" and "xyz" in the groups claim, and if he is a member of group "B" as well, the claim "def" should also be added to the groups claim.

What I tried: I have tried mapping the groups claims using ternary expressions to substitute group claims for different group claims, but no claim value at all was passed through in the groups claim. Is it possible to use ternary expressions in the Groups claim expression?

So far I tried Groups.contains("appId", "B", 100) ? "abc" : "def", and other group functions described at https://developer.okta.com/docs/reference/okta-expression-language/. I also tried combining this with Arrays methods as shown at https://support.okta.com/help/s/article/How-to-Write-a-Groups-Claim-Expression-that-Will-Match-Against-Two-Differently-Named-Groups?language=en_US. However, in all tryouts so far no claim value was passed through.
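The group-to-claim mapping described in the question (group "A" gives "abc" and "xyz", group "B" gives "def"), modelled in Python as an added example that is not part of the question or any answer. It approximates an Okta `Groups.startsWith`-style prefix match with a result limit (an assumption about its semantics), builds the resulting `groups` claim, and adds a relying-party check of the claim in a constructed, already-decoded ID token payload.

```python
# Added example: model of the requested group -> claim-value mapping and a
# check of the "groups" claim in a decoded ID token payload.
# Group names, the mapping and the payload below are constructed sample data.

# Group-name prefix -> claim values to emit when the user matches that prefix.
MAPPING = {"A": ["abc", "xyz"], "B": ["def"]}


def groups_starts_with(user_groups, prefix, limit=100):
    """Approximation of Groups.startsWith(app, prefix, limit): the user's group
    names that start with `prefix` (case-sensitive), at most `limit` of them."""
    return [g for g in user_groups if g.startswith(prefix)][:limit]


def build_groups_claim(user_groups, mapping=MAPPING):
    """Concatenate the claim values of every prefix the user matches; a prefix
    with no matching group contributes nothing (the {} branch of the mapping)."""
    claim = []
    for prefix, values in mapping.items():
        if groups_starts_with(user_groups, prefix):
            claim.extend(values)
    return claim


def check_groups_claim(payload, expected):
    """Relying-party check: the groups claim must be a list whose members are
    exactly the expected values, with no extra (unexpected) entries."""
    actual = payload.get("groups")
    if not isinstance(actual, list):
        return False
    return set(actual) == set(expected)


if __name__ == "__main__":
    # Constructed decoded payload; signature verification is done before this step.
    payload = {"sub": "user@example.com", "groups": build_groups_claim(["A", "B"])}
    print(payload["groups"])  # ['abc', 'xyz', 'def']
    print(check_groups_claim(payload, ["abc", "xyz", "def"]))  # True
```

Because the match is a prefix match, a group named "Admins" would also satisfy the prefix "A" and receive "abc" and "xyz"; use exact group names or a prefix that no other group shares so that membership in an unrelated group cannot grant extra claim values.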


Solution

  • We got it working. The final mapping is:

    Arrays.flatten(
        Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","B",100))) ? {} : {"def"},
        Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("appVariableName","A",100))) ? {} : {"abc", "xyz"}
    )


    Key points: