Auth0 Home Blog Docs

Okta SAML pass along the Users groups

Hey Everyone

I have Okta set up as SAML connector with Auth0 and it all works great. I’ve decided I want to extend it to have Okta pass along which groups a user belongs to in Okta to Auth0, that way I can write a Auth0 rule to make decisions based on that information.

So I added this Okta:

Under: GROUP ATTRIBUTE STATEMENTS (OPTIONAL) I added a field ‘groups’ and set the regex to pull all user groups which contain the word WordPress.

But this data doesn’t seem to appear in the user object of the rule. There might be a gap in my knowledge about this. I’ve messed around with the Mappings tab in Edit SAMLP Identity Provider connection and also tried changing scopes.

I’d be grateful if someone could point me in the right direction.


Using an Okta test app I was able to see if the SAML was correct:

You can see the groups being passed down as an attribute but this doesn’t show in my user object in the auth0 rule.

So I added a simple test attribute which always contains the word hello, you can see it coming through in the SAML:

I then added a rule to Auth0

function (user, context, callback) {
  context.samlConfiguration = context.samlConfiguration || {};

  context.samlConfiguration.includeAttributeNameFormat = true;
  context.samlConfiguration.nameIdentifierFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified";
  context.samlConfiguration.mapUnknownClaimsAsIs = true;
  context.samlConfiguration.mappings = {
    "test": "user_metadata.test",

  callback(null, user, context);

But I still don’t see this data come through into the user object.

I used a simple PHP app to connect to Okta through SAML directly to see if I could get the attributes through which i was able to do:

It isn’t clear to me how I can get Auth0 to do this. If anyone could point me in the right direction that would be great. Thanks

It turns out you don’t need any rules. They do come through on their own however they don’t change when you log in meaning if you’ve used a user thats been created before you set up the attributes you won’t see them, also updates to those attributes don’t show either. You can trigger an update by visiting the Connections -> Enterprise -> SAMLP Identity Provider -> Click the play plugin.

Is there a way to get these to updated on every log in? Thanks

In Okta, find your application then General -> SAML Settings -> Edit -> Next

On the Configure SAML tab you will see an area called SAML Settings. There’s a section titled GROUP ATTRIBUTE STATEMENTS (OPTIONAL). In the Name field add groups, leave the Name format as Unspecified. In the Filter field set the dropdown to Matches regex and add .* in the field if you want all groups. You can filter the groups for example if you want every group with the word WordPress you would use .*WordPress.* Once ready click Next and Finish.

In Auth0, go your connection Connections -> Enterprise -> SAMLP Identity Provider -> Click the play plugin on your connection. This will trigger the user sign in and create the fields on the user. You can view the data in the Auth0 dashboard by finding the user: Users -> select User -> Identity Provider Attributes or you can debug a rule and output the user object. In this case it would user.groups which would contain the information you need.

Identity Provider Attributes only update when a new Auth0 session is needed, you can read more here: User Profile Identity Provider Attributes don't update once created

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.