Saml integrations with Okta
Has anyone ever mapped the remove roles assertion mapping from Okta. We are trying to map removing multiple roles if they have one role. EX if they are a customer we remove Employee and partner. Also...
Forum Discussion
Yep - more of a workaround than a fix though as it doesnt remove using assertion mapping.
use okta groups to manage adding the roles by assertion.
then use workflows to remove the role from the user when theyre removed from the okta group or added to a "remove X role group"
you can then use okta group rules to manage which users need to have what role removed and let workflows handle the work - be careful to watch the rate-limits. 🙂
Workflows is an 'extra' with Okta - but you can run five workflows without paying more (plenty for what you're wanting to do)
I'll come back in a bit with screenshots if needed.
Hi MorganBB
I've read some of your other posts on this topic. Would it be possible to either get screen shots of your Okta workflows configuration or an extract? I'm a coworker of tavasjn24 and we're trying to solve the role removal problem and I'd be very interested in how your workflows function.
Our last attempt was to enable Integration on the Okta app even though Khoros doesn't support it. That gave the ability to put an Okta expression into the mapping for an app attribute named removeRolesKhoros like this:
user.User_Type == "employee" ? "customer,partner" : user.User_Type == "partner" ? "employee,customer" : user.User_Type == "customer" ? "employee,partner": ""
That app attribute is then mapped on the SAML assertion to appuser.removeRolesKhoros
The problem is the mapping triggers when User_Type changes on a user Okta profile but Okta only displays a message that it hasn't been applied yet when the change happens. Only applying the mapping on that single user or pushing Force Sync on the app gets it to apply. 😞
Again any screen shots or the workflow configuration you can share would be a huge help.
Thanks
