Our organization uses OKTA and OKTA Preview for testing no in house custom auth server.
We have been using saml without issue and wanted to get openid to work as well.
So using the same OKTA service we created another app integration with openid as a web app.
We used okta preview to test the concept and it worked and returned the needed claims using Scope = new List { “openid”, “profile”, “email”, “groups” }. The group claims in our case are any AD groups the user is assigned to for the application.
When we switched to okta production and mirrored the same settings we get authenticated just fine, we get the user claim data such as email and name etc but the group claims are not returned. I have spent the whole day trying to get it to work without any luck. What possible settings could okta preview have or okta prod not have? Thank you for any insights. Is it a security policy for openid tokens? as mentioned before the OKTA production site returns the groups claims using saml but not openid and okta preview does as well.
Got it to work. Changing the group filter frpm Filter to expression.
Groups.startsWith(“active_directory”,“”,100)
Instead of Match regex with .*
But in okta preview the Match regex works…