I'm working with Okta again and ran into an interesting situation. I'm hesitant to call it an issue since the solution was available, but finding the solution was more difficult than I expected, in part because I was new to this type of configuration.
I felt a succinct guide to Okta Groups Claim mapping might help someone else. Below are the steps that helped me the most.
Getting Started: What is the Groups Claim in Okta?
We will be using the term "Groups Claim" quite often in this guide, so let's start out by defining what it is and the details on how it is configured by default in Okta.
The Groups Claim is a claim that can be optionally configured to be added to an ID Token (OpenID Connect ID Token). When added, it will list all of the Okta Groups that a user is assigned. Additionally, the list of groups can be filtered by Regex or Okta Expressions.
It can be found by:
Logging into your Okta Tenant
Navigating to the Admin Dashboard
Clicking Applications > Applications
Selecting the application from the list
Clicking on the Sign On Tab
Scroll down to the OpenID Connect ID Token section
Customizing: How Can We Customize the Groups Claim?
So, we've established what a Groups Claim is. Now, let's move on to the ways we can customize it (TLDR; not many!).
There are 3 options available for customizing your Groups Claim:
Issuer
Groups claim type
Filter:
Filter ONLY OKTA GROUPS associated with the user. Using the "Filter" will only apply to Okta groups. If you are looking to apply Application or AD groups this option will not work.
Expression:
Expressions apply to ALL GROUP TYPES, including Okta groups. This is the best option to start with, given the limitations of the "Filter" option.
You must use the Okta Expression syntax when using this option.
Groups claim expression
The functionality of this will change depending on if you choose "Filter" or "Expression".
Filtering: How Do I Filter Groups From My Groups Claim?
This is the question I set out to provide an easy answer to. The TLDR is "It Depends"!
The method you use to filter your Okta Groups Claim will depend on the type of group you are trying to map to your claim. The matrix below will help you decide which methodology you need to use.
Okta Group Types
Group Type | Definition |
Okta Groups | The groups created directly within Okta itself. These can be managed by accessing the Directory > Groups page. |
Active Directory Groups | Groups created via the Okta Active Directory integration. Please note, these are not Azure AD or Azure Entra ID groups. |
LDAP Groups | Groups created via an LDAP integration within Okta. |
Application Groups | Groups created and associated to an Application within Okta. These groups include Azure AD/Azure Entra ID groups. |
Supported Claim Types Filters by Group Type
Group Type | Supported Claim Types |
Okta Groups | Filter, Expression |
Active Directory Groups | Expression |
LDAP Groups | Expression |
Application Groups | Expression |
Troubleshooting Tip: Why Don't I See My Groups After Mapping?
If you have set up your Groups Claims mapping and still aren't seeing groups mapped to your token, check the following:
Are you trying to use a Filter on a group that is not an Okta group?
This is unsupported. Switch to using an Expression.
Have you validated that the scope you've applied to your Group Expression is correct?
The first parameter in a group expression tells Okta where to look for that group; in Okta, In AD, LDAP, or within an Application. In the case of Application Groups, you need to ensure you are using the ID of the group and not the name.