Add a Groups claim with a dynamic whitelist
You can use Okta Expression Language Group Functions with dynamic whitelists. Three Group functions help you use dynamic group whitelists: contains, startsWith, and endsWith. These functions return all of the Groups that match the specified criteria without needing to have Groups specified in the app.
You can use this function anywhere to get a list of Groups of which the current user is a member, including both User Groups and App Groups that originate from sources outside of Okta, such as from Active Directory and Workday. Additionally, you can use this combined, custom-formatted list for customizable claims into access and ID tokens that drive authorization flows. All three functions have the same parameters:
| Parameter | Description | Nullable | Example Values |
|---|---|---|---|
| app | Application type or App ID | FALSE | "OKTA","0oa13c5hnZFqZsoS00g4", "active_directory" |
| pattern | Search term | FALSE | "Eastern-Region", "Eastern", "-Region" |
| limit | Maximum number of Groups returned. Must be a valid EL expression and evaluate to a value between 1 to 100. | FALSE | 1, 50, 100 |
Important: When you use
Groups.startWith,Groups.endsWith, orGroups.contains, thepatternargument is matched and populated on thenameattribute rather than the group's email (for example, when using G Suite). If you are targeting groups that may have duplicate group names (such as Google Groups), use thegetFilteredGroupsGroup function instead.Example:
getFilteredGroups({"00gml2xHE3RYRx7cM0g3"}, "group.name", 40) )See the Parameter Examples section of Use group functions for static group whitelists for more information on the parameters used in this Group function.
You can use a dynamic group whitelist with both the Okta Org Authorization Server and a Custom Authorization Server: