How do you map groups from OneLogin to groups defined in Authorization Extension?

I’m having issues mapping groups in OneLogin to groups defined in Authorization Extension (AE). My user is in group Bad in OneLogin. I configured group mapping for group Bad Auth0 in AE to associate with users in group Bad coming through the OneLogin connection. Groups, Roles, Permissions passthrough are all enabled in AE Configurations. I’m able to log in with that OneLogin user via a Single Page Application client used by my app. I can see the user profile, but both the authorization.groups field and the app_metadata.authorization.groups field are empty.


  1. How do I know if OneLogin is sending the groups information? Is there a way to debug what OneLogin is sending Auth0 during a login?
  2. How does Auth0 map OneLogin groups to AE groups? What field does it use?