Okta Workforce Enterprise SSO Groups

Problem statement

We are trying to add Okta Enterprise SSO on our tenants and would like to set the Okta groups as an Auth0 users’ attribute. For Google Workspace SSO, we can choose “Include Groups”, but this is not the case here. Is there something to do to retrieve these groups?

Symptoms

We are not seeing any group information in users’ profiles/tokens.

Cause

The Okta Workforce connection only supports the basic profile and ignores other claims.

Solution

The simpler option is to use SAML instead:

You can follow the instructions here to set up Auth0 as a SAML SP to Okta:

You can then specify, on Step 2 of the SAML Integration Wizard in Okta, that groups will be passed in the response. To send all groups, you can use the regex:

.*

Auth0 will then automatically add this attribute to the user’s profile, which can be pulled into metadata with rules and/or added to claims.

A potential alternative workaround would be to make a separate call to Okta’s userinfo endpoint with the access token Auth0 has stored for them in the user profile. Okta would also need to be configured to add the group claim to the ID Token:

This could be done by a secure backend on the customer’s side, or within an Auth0 Action that uses the Management API to retrieve the user’s Okta access token. However, because the Management API’s rate limits are much lower than the Authentication API’s, we recommend limiting when this is carried out; calling the Management API on every login does not scale well:

Due to these limitations, and the coding effort required, we recommend the SAML approach mentioned earlier over this second alternative.
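As an added illustration of the Action alternative above (example code, not from this article or from Auth0), the following post-login Action reads the stored Okta access token through the Management API, calls Okta’s userinfo endpoint, and caches the groups in app_metadata so the rate-limited Management API is called at most once per refresh window per user rather than on every login. The secret names (AUTH0_DOMAIN, MGMT_TOKEN, OKTA_DOMAIN, OKTA_CONNECTION), the claim namespace and the refresh window are assumptions; MGMT_TOKEN must carry the read:user_idp_tokens scope for identities[].access_token to be returned, and Okta must be configured to include the groups claim.

```javascript
// Auth0 post-login Action (constructed example; Node 18+ with global fetch).
// Okta groups are fetched with the user's stored Okta access token and cached in
// app_metadata, so the Management API is hit at most once per REFRESH_MS per user.
const REFRESH_MS = 24 * 60 * 60 * 1000;        // assumed: refresh at most daily
const CLAIM = 'https://example.com/groups';     // assumed namespaced claim name

// True when groups were never cached or the cache is older than REFRESH_MS.
function shouldRefreshGroups(appMetadata, now) {
  const meta = appMetadata || {};
  if (!Array.isArray(meta.okta_groups) || typeof meta.okta_groups_at !== 'number') return true;
  return now - meta.okta_groups_at >= REFRESH_MS;
}

// Okta access token from the Management API user object (identities[] carries it
// only when the Management API token was issued with the read:user_idp_tokens scope).
function oktaAccessToken(mgmtUser, connectionName) {
  const ident = (mgmtUser.identities || []).find(i => i.connection === connectionName);
  return ident && ident.access_token ? ident.access_token : null;
}

// Keep only string group names from Okta's userinfo response.
function extractGroups(userinfo) {
  const g = userinfo && userinfo.groups;
  return Array.isArray(g) ? g.filter(x => typeof x === 'string') : [];
}

async function fetchJson(url, bearer) {
  const res = await fetch(url, { headers: { Authorization: `Bearer ${bearer}` } });
  if (!res.ok) throw new Error(`${url} -> HTTP ${res.status}`);
  return res.json();
}

// Assumed secrets: AUTH0_DOMAIN, MGMT_TOKEN, OKTA_DOMAIN, OKTA_CONNECTION.
async function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  const now = Date.now();
  let groups = Array.isArray(meta.okta_groups) ? meta.okta_groups : [];
  if (shouldRefreshGroups(meta, now)) {
    const s = event.secrets;
    const mgmtUser = await fetchJson(
      `https://${s.AUTH0_DOMAIN}/api/v2/users/${encodeURIComponent(event.user.user_id)}`, s.MGMT_TOKEN);
    const token = oktaAccessToken(mgmtUser, s.OKTA_CONNECTION);
    if (token) {   // no token (e.g. scope missing): fall back to cached groups
      groups = extractGroups(await fetchJson(`https://${s.OKTA_DOMAIN}/oauth2/v1/userinfo`, token));
      api.user.setAppMetadata('okta_groups', groups);
      api.user.setAppMetadata('okta_groups_at', now);
    }
  }
  api.idToken.setCustomClaim(CLAIM, groups);
  api.accessToken.setCustomClaim(CLAIM, groups);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin; // Actions entry point
```

If the cached copy is acceptable for your authorization decisions, lengthen REFRESH_MS; if group changes must take effect immediately, the SAML approach above avoids the Management API entirely.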
