Map SAML Attribute to Realm Role
Typically, a user holds a set of roles within the Nintex system:
On the Okta platform, users and roles are managed via Okta user groups:
We need to instruct Aerobase how to handle the user roles that Okta sends within the 'Group SAML attributes', as previously described in Adding Group SAML Attributes to OKTA SAML Token. To do so, we create a mapping between Okta user groups and Nintex user roles using the Aerobase identity provider mappers mechanism.
A separate mapper is required for each Okta user group, as described below.
To define a mapper for each group:
- Access the Aerobase Admin page, using the URL http://[FQDN or IP]/auth/admin/Kryon/console/#/realms/Kryon
- Go to Identity Providers (under Configure on the left pane)
- Enter your Okta provider and choose the Mappers tab
- Click Create
- Fill out the details:
  - Name: arbitrary, for example 'SAML Role 1'
  - Mapper Type: choose 'SAML Attribute to Role'
  - Attribute Name: type the group SAML attribute name exactly as it was configured on the Okta side
  - Friendly Name: leave empty
  - Attribute Value: the name of the Okta group to be mapped to a role
  - Role: select the Nintex realm user role to map to
- Click Save
As a result you should get the following mappings list - one SAML mapping per OKTA group:
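The following added example (not part of this guide, nor Aerobase's own code) shows what the mapper table above amounts to: it builds one 'SAML Attribute to Role' mapper per Okta group and evaluates a constructed multi-valued group attribute against those mappers, so you can see that only groups with an exact, case-sensitive match grant a realm role. The JSON shape assumes the Keycloak-style IdentityProviderMapperRepresentation with the `saml-role-idp-mapper` type, since Aerobase is Keycloak-based; group and role names are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: fragment of an Okta assertion carrying a multi-valued
# "groups" attribute. Attribute, group and role names are illustrative only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Nintex-Admins</saml:AttributeValue>
      <saml:AttributeValue>Nintex-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_role_mappers(group_to_role, attribute_name):
    """One 'SAML Attribute to Role' mapper per Okta group -> realm role pair.
    Assumed representation: Keycloak's IdentityProviderMapperRepresentation
    (verify the type id and config keys against your Aerobase version)."""
    return [
        {
            "name": f"SAML Role {i}",
            "identityProviderMapper": "saml-role-idp-mapper",
            "config": {
                "attribute.name": attribute_name,
                "attribute.friendly.name": "",   # left empty, as in the guide
                "attribute.value": group,
                "role": role,
            },
        }
        for i, (group, role) in enumerate(group_to_role.items(), start=1)
    ]


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def roles_granted(assertion_xml, mappers):
    """Mapper semantics: a role is granted only when the named attribute carries
    exactly the configured value; a mismatched attribute name grants nothing."""
    attrs = extract_attributes(assertion_xml)
    granted = set()
    for m in mappers:
        cfg = m["config"]
        if cfg["attribute.value"] in attrs.get(cfg["attribute.name"], []):
            granted.add(cfg["role"])
    return granted
```

If a user lands in Aerobase without the expected roles, compare the `Attribute Name` and `Attribute Value` in each mapper against the raw assertion: a different attribute name or a case difference in the group name is enough for no role to be granted.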