I ask because I set up an Okta Workforce connection and, when I select the User Mapping > Okta Default setting, I see that groups are sent in the scopes and federated_groups shows up in the mapping by default:
However, even after the user authenticates through the Okta connection, we don’t see the federated_groups on the user in Auth0 (but we do see federated_locale and federated_zoneinfo).
I thought maybe the article meant that Okta isn’t sending the groups claim. I opened this question on their forum. Their response seems to indicate that Auth0 is dropping the groups on the floor not that Okta isn’t sending. I was hoping to confirm this.
Thanks @nik.baleca, I was able to save that configuration you listed. I am waiting to hear back from our partner to try the login connection again. I will let you know what comes of that.
As far as your other questions:
We have an Okta Workforce Enterprise connection setup
I don’t know how to tell if we are using a front_channel or a back_channel login
Since you are using Okta Workforce Enterprise connection and not an OIDC one, you do not have the option for front_channel or back_channel communication so you can disregard that.
Our partner was able to try this out last night. Unfortunately, it looks like it didn’t work and even regressed a little bit. We still don’t have the groups showing up on the user’s object after authenticating, but now we don’t have the federated_locale or federated_zoneinfo either.
Also, under the connection’s settings, do you have the following scopes set?
openid profile email groups
In the meantime, you can implement an OIDC enterprise connection instead of an Okta Workforce one and use the following settings:
Front channel communication with bind_all mapping method: this should map the groups as a string
Front channel communication with use_map mapping method: this should map the groups as an array
When setting up the connection metadata, for the issuer attribute you can try using the /oauth2/default/.well-known/openid-configuration endpoint instead of /oauth2/default/ if you are having issues with retrieving the groups.
I will come back with an update as soon as possible!
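Before switching connection types, it helps to settle the question raised earlier in the thread: is Okta actually sending a groups claim, and does it arrive as an array or as a string (which is the difference between the use_map and bind_all mappings mentioned above)? The following diagnostic is an added example, not code from this thread, from Auth0 or from Okta. It decodes the payload of an ID token, or takes a userinfo JSON response already parsed into a dict, and reports whether the groups claim is present and in what shape. The sample tokens it builds are constructed for illustration (unsigned, alg "none", with a made-up issuer URL and subject); real Okta tokens are signed and must be verified against the issuer's JWKS before any claim is trusted for authorization.

```python
import base64
import json
from typing import Union

# --- base64url helpers (JWT segments omit padding) ---------------------------

def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# --- claim extraction ---------------------------------------------------------

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic use only: this answers "what did the IdP put in the token",
    not "can I trust it". Verify the signature before acting on the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_groups(source: Union[str, dict], claim: str = "groups") -> dict:
    """Report whether `claim` is present and how it is shaped.

    `source` is either an ID token string or an already-parsed userinfo
    response (dict). Returns {"present": bool, "shape": str|None, "groups": list}.
    """
    claims = decode_jwt_payload(source) if isinstance(source, str) else source
    if claim not in claims:
        return {"present": False, "shape": None, "groups": []}
    value = claims[claim]
    if isinstance(value, list):
        # Typical Okta behaviour with a Groups claim filter: a JSON array.
        return {"present": True, "shape": "array", "groups": [str(g) for g in value]}
    if isinstance(value, str):
        # Some mappings flatten groups into one string; the delimiter is not
        # standardised, so the raw value is returned as-is for the reader to judge.
        return {"present": True, "shape": "string", "groups": [value]}
    return {"present": True, "shape": type(value).__name__, "groups": [str(value)]}


# --- constructed sample input (NOT real Okta tokens) --------------------------

def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token purely so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


SAMPLE_WITH_GROUPS = make_unsigned_token({
    "iss": "https://example.okta.com/oauth2/default",   # assumed issuer
    "sub": "00u0000000000000000",                        # assumed subject
    "email": "user@example.com",
    "locale": "en_US",
    "zoneinfo": "America/Chicago",
    "groups": ["Everyone", "Engineering"],
})

SAMPLE_WITHOUT_GROUPS = make_unsigned_token({
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00u0000000000000000",
    "email": "user@example.com",
    "locale": "en_US",
    "zoneinfo": "America/Chicago",
})

if __name__ == "__main__":
    for label, tok in (("with groups", SAMPLE_WITH_GROUPS),
                       ("without groups", SAMPLE_WITHOUT_GROUPS)):
        print(label, "->", inspect_groups(tok))
```

Run it against a real ID token captured from the browser (or against the JSON body returned by the Okta /oauth2/default/v1/userinfo endpoint, loaded with json.loads) to see which side of the Auth0/Okta boundary is dropping the claim: if the token or userinfo response already lacks groups, the Okta group claims filter is the place to look; if it is present there but missing from the Auth0 user profile, the problem is on the Auth0 mapping side.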
Thanks @nik.baleca. Yes, we have that mapping already set and the groups sent in the scopes.
I was hoping to avoid using a standard OIDC or SAML enterprise connection since the Okta Workforce connection doesn’t count against our quota for enterprise connections. I may still give this a shot, though, just to verify.
Keep me posted on anything else you all may find and/or other things I can try.
Sorry, I should have clarified – we have tried that mapping. It is very similar to the mapping we began with and caused us to report the issue. The only difference between the one you sent and the one we used was this extra line:
"groups": "${context.userinfo.groups}"
However, that appears to be just a duplicate of what we had:
Basically, you would need to go to the Okta application → Sign on tab → OIDC ID Token → Edit → Group Claims Filter → Use the name groups → Select Matches Regex → Type .*