Adding the 'group' Claim to the Okta ID Token to Match the Default 'Okta Basic' Template - Okta Workforce Connection

Overview

When configuring an Okta Workforce connection and selecting User Mapping, choosing the Use a template option with Okta basic from the dropdown defines this template:

{
  "mapping_mode": "use_map",
  "userinfo_scope": "openid email profile groups",
  "attributes": {
    "name": "${context.tokenset.name}",
    "email": "${context.tokenset.email}",
    "username": "${context.tokenset.preferred_username}",
    "federated_groups": "${context.userinfo.groups}",
    "federated_locale": "${context.userinfo.locale}",
    "federated_zoneinfo": "${context.userinfo.zoneinfo}"
  }
}


When a user logs in with that connection, if any of the attributes referenced by the template are missing from the ID token (or userinfo response) sent by Okta, the following warning (log event type w) is written to the tenant logs, stating how many keys were missing:

Error transforming template due to missing keys (1) from IdP context

Applies To

  • Okta Workforce Connection
  • warning: “Error transforming template due to missing keys (1) from IdP context”
  • context.userinfo.groups

Cause

The groups claim is missing from the Okta ID Token. The Auth0 User Mapping template expects name, email, preferred_username, groups, locale, and zoneinfo. To add the groups value to the ID Token, configure it as an optional setting on the application's Sign On tab on the Okta side.
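The warning above counts template placeholders that cannot be resolved from the IdP context. The following script is an added example, not Auth0's own mapping code: it replays the Okta basic template against a decoded token set and userinfo response so the check can be run before a user ever hits the connection. The context shape (tokenset and userinfo dictionaries), the function names and the sample claims are assumptions constructed for this example; how Auth0 treats the attributes that did resolve when some are missing is not stated on the page, so the script only reports the missing keys and reproduces the warning text.

```python
import re

# Constructed copy of the "Okta basic" user-mapping template shown above.
OKTA_BASIC_TEMPLATE = {
    "mapping_mode": "use_map",
    "userinfo_scope": "openid email profile groups",
    "attributes": {
        "name": "${context.tokenset.name}",
        "email": "${context.tokenset.email}",
        "username": "${context.tokenset.preferred_username}",
        "federated_groups": "${context.userinfo.groups}",
        "federated_locale": "${context.userinfo.locale}",
        "federated_zoneinfo": "${context.userinfo.zoneinfo}",
    },
}

# Matches a whole placeholder such as ${context.userinfo.groups}:
# group 1 is the source ("tokenset" or "userinfo"), group 2 is the claim name.
PLACEHOLDER = re.compile(r"\$\{context\.([a-z_]+)\.([A-Za-z_]+)\}")


def resolve_template(template, context):
    """Resolve every attribute placeholder against the IdP context.

    Returns (attributes, missing): the attributes that resolved, and the
    dotted names (e.g. "context.userinfo.groups") that were absent.
    """
    attributes = {}
    missing = []
    for attr_name, expression in template["attributes"].items():
        match = PLACEHOLDER.fullmatch(expression)
        if match is None:
            # Not a placeholder: copy the literal value through unchanged.
            attributes[attr_name] = expression
            continue
        source, claim = match.groups()
        value = context.get(source, {}).get(claim)
        if value is None:
            missing.append(f"context.{source}.{claim}")
        else:
            attributes[attr_name] = value
    return attributes, missing


def warning_for(missing):
    """Build the tenant-log warning text for a list of missing keys."""
    if not missing:
        return None
    return (
        "Error transforming template due to missing keys "
        f"({len(missing)}) from IdP context"
    )


def check_okta_context(context, template=OKTA_BASIC_TEMPLATE):
    """Dry-run the mapping and report what the tenant log would show."""
    attributes, missing = resolve_template(template, context)
    return {"attributes": attributes, "missing": missing, "warning": warning_for(missing)}


# Constructed sample: decoded ID token claims and userinfo response from an
# Okta app whose Groups claim has NOT been configured on the Sign On tab.
SAMPLE_CONTEXT_NO_GROUPS = {
    "tokenset": {
        "name": "Jane Doe",
        "email": "jane.doe@example.com",
        "preferred_username": "jane.doe@example.com",
    },
    "userinfo": {
        "locale": "en-US",
        "zoneinfo": "America/Los_Angeles",
    },
}

# Same user after the Groups claim filter has been set on the Okta side.
SAMPLE_CONTEXT_WITH_GROUPS = {
    "tokenset": dict(SAMPLE_CONTEXT_NO_GROUPS["tokenset"]),
    "userinfo": {**SAMPLE_CONTEXT_NO_GROUPS["userinfo"], "groups": ["Everyone", "Engineering"]},
}

if __name__ == "__main__":
    for label, ctx in (("before fix", SAMPLE_CONTEXT_NO_GROUPS),
                       ("after fix", SAMPLE_CONTEXT_WITH_GROUPS)):
        result = check_okta_context(ctx)
        print(f"{label}: missing={result['missing']} warning={result['warning']}")
```

Running the script prints one missing key (context.userinfo.groups) and the exact warning text for the first context, and no warning once the groups claim is present. Because groups is fetched from userinfo, the check only passes when the userinfo_scope in the template still includes groups as well.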

Solution

To set the groups claim filter:

  1. Go to the Sign On tab and scroll down to the OpenID Connect ID Token section.
  2. Select the Groups claim type. Either select a Filter for existing group claims or choose an Expression to create a custom filter on a different group claim.


    Complete instructions can be found in the following Okta documentation: Set the groups claim filter