Adding Group SAML Attributes to OKTA SAML Token

Once Aerobase and the Okta SAML provider are integrated, you may want to add a Group SAML attribute. This attribute is the bridge that carries user role data from Okta to Aerobase. Once configured, the SAML response (which Okta sends back to Aerobase during the user login workflow) will contain the following information:

<saml2:AttributeStatement>
    <saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin-permissions</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin-license</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">studio-developer</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin-catalog</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin-access</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Aerobase handles this information and converts it into user roles according to the instructions in Map SAML Attribute to Realm Role:

  • Attribute Name = “group”. This is configured as described in the current document

  • Attribute Values = the collection of Okta user groups that the user being logged in is a member of. Each user group represents a particular user role in the Nintex system
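As an added example (not Aerobase or Okta code), the following Python parses an AttributeStatement like the one shown above, keeps only the basic-format "group" attribute, and maps its values to realm roles. The sample statement and the GROUP_TO_ROLE table are constructed assumptions, not the project's own mapping.

```python
# Added example (not Aerobase or Okta code): extract the Okta "group"
# attribute values from a SAML AttributeStatement and map them to realm
# roles. The sample statement and the role table are constructed.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample mirroring the statement Okta emits once the group
# attribute is configured (one value per Okta group the user belongs to).
SAMPLE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin-permissions</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">studio-developer</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">unknown-group</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>"""

# Hypothetical mapping of Okta group names to realm roles.
GROUP_TO_ROLE = {
    "admin-permissions": "admin",
    "admin-license": "admin",
    "studio-developer": "developer",
}

def extract_groups(statement_xml, attr_name="group"):
    """Return the values of the named attribute, in document order.

    Only attributes with the basic NameFormat are considered, so an
    attribute with the same Name but another format is ignored. Run this
    only on an assertion whose signature has already been verified.
    """
    root = ET.fromstring(statement_xml)
    groups = []
    for attr in root.iterfind("saml2:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        if attr.get("NameFormat", BASIC_FORMAT) != BASIC_FORMAT:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups

def map_roles(groups):
    """Map group names to realm roles; unmapped groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
```

A group that has no entry in the mapping table (here "unknown-group") yields no role, so adding a user to an unexpected Okta group does not grant access by itself.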

Adding a Group SAML Attribute

To add an attribute:

  1. Sign in to your Okta application and go to the Admin Console Groups dashboard

  2. Under Directory in the Admin Console, select Groups

  3. Click Add Group

  4. Navigate to the Admin Console and select Applications

  5. Enter the SAML application that you would like to add an attribute to

  6. Click the General tab

  7. Click on the Edit button on the right side of SAML Settings

  8. Click Next until you get to GROUP ATTRIBUTE STATEMENTS (OPTIONAL)

  9. Fill in the empty fields; here you also have the option to add more groups to SAML attributes with Add Another

  10. If you need to add all groups that the user belongs to, choose "Matches regex" and use the regex "*"

  11. Click Next until you reach the option to Finish to complete the process