在Okta中与用户相关联的获取组列表 [英] Getting list of groups user is associated with in Okta

问题描述

我试图通过在我的网站中将SAML 2.0实施为服务提供商(SP)和Okta env来与Okta SSO集成.作为我的身份提供者(IDP) 我不明白如何配置IDP以针对每个Auth请求(用户所在的组)返回.该怎么办?

I'm trying to integrate with Okta SSO by implementing SAML 2.0 in my website as Service Provider (SP) and Okta env. as my Identity Provider (IDP) I can't understand how to configure my IDP to return for each Auth request, the groups a user is in. How can it be done?

此外，是否有可能在我的IDP中拥有一个服务帐户，以便我的后端可以直接向IDP询问用户是否在某个特定组内?

Also, Is it possible to have service account in my IDP that my backend can ask the IDP directly if a user is inside some specific group?

推荐答案

通过在Okta管理控制台中正确配置SP App，可以将组添加到SAMLResponse. 为了对现有应用程序执行此操作，请转到管理"面板并编辑SAML设置以包含Group attribute statements. 例如，如果要向SP显示所有包含单词admin的组，请添加一个具有适当名称的字段(即组)，并指定一个值为.*admin.*的regex过滤器.

It is possible to add groups to the SAMLResponse by configuring the SP App in the Okta admin dashboard correctly. In order to do it for an existing app, Go to Admin panel and edit the SAML settings to include a Group attribute statements. For instance, If you want to expose all groups containing the word admin to your SP, add a field with a proper name (i.e groups) and specify a regex filter with value .*admin.*.

正确配置后，SAMLResponse将包含以下节点:

The SAMLResponse will contain the following node after configuring correctly:

<saml2p:Response 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    ......
    ......
    <saml2p:Status 
        xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        ......
        ......
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
        <saml2:AttributeStatement 
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute 
                Name="groups" 
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue 
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">admins_group_1
                </saml2:AttributeValue>
                <saml2:AttributeValue 
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:string">it_admins
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

请注意，无论是Okta组，AD组等，组都将包含所有包含词admin的组.

Note that groups will contain all groups containing the word admin, no matter if its an Okta group, AD group etc..

这篇关于在Okta中与用户相关联的获取组列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！