Problem statement
We are trying to add Okta Entreprise SSO on our tenants and would like to set the Okta groups as an Auth0 users’ attribute. For Google Workspace SSO, we can choose “Include Groups”, but this is not the case here. Is there something to do to retrieve these groups?
Symptoms
We are not seeing any group information in users’ profiles/tokens.
Cause
The Okta Workforce connection only supports the basic profile and ignores other claims.
Solution
The simpler option is to use SAML instead:
You can follow the instructions here to set up Auth0 as a SAML SP to Okta:
You can then specify that groups will be passed in the response when on Step 2 of the SAML Integration Wizard in Okta, to send all groups you can use the regex:
.*
Auth0 will then automatically add this attribute to the user’s profile, which can be pulled into metadata with rules and/or added to claims.
A potential alternative workaround would be to make a separate call to Okta’s userinfo endpoint with the access token Auth0 has stored for them in the user profile. Okta would also need to be configured to add the group claim to the ID Token:
- Identity Provider Access Tokens
- Customize tokens returned from Okta with a Groups claim | Okta Developer
This could be done by a secure backend on the customer’s side, or within an Auth0 Action that can use the Management API to retrieve the user’s Okta Access token - however, due to the rate limits on the Management API we would recommend limiting when this is carried out - calling the Management API for every login does not scale well due to its rate limits being much lower than the Authentication API:
- Identity Provider Access Tokens
- How can I use the Management API in Actions?
- Management API Endpoint Rate Limits
Due to these limitations, and the coding effort required, we recommend the SAML approach mentioned earlier over this second alternative.