using the diagnose claim link: /api/v1/diagnose-claims I do not see the group claim under mapped claims. is this a configuration issue with Okta? What are some troubleshooting steps?
It could be on either side. In the diagnose-claims endpoint, you will see two sections: claimsFromIdp and mappedClaims. The claimsFromIdp section will enumerate the information sent from the Identity Provider. The mappedClaims section will enumerate how the Tenant is configured to interpret these claims. Let's take an example from a tenant of mine:
{
  <... truncated these details ...>
  },
  "claimSource": "id-token",
  "claimsFromIdp": {
    <... truncated these details ...>
    "groups": [
      "Domain Admins",
      "Domain Users",
      "Qlik Sense Tenant Admins",
      "Qlik Users",
      "Enterprise Architects",
      "Presales"
    ],
    <... truncated these details ...>
    "winaccountname": "QLIK-POC\\ltu",
    <... truncated these details ...>
  },
  "mappedClaims": {
    "sub": "QLIK-POC\\ltu",
    <... truncated these details ...>
    "groups": [
      "Domain Admins",
      "Domain Users",
      "Qlik Sense Tenant Admins",
      "Qlik Users",
      "Enterprise Architects",
      "Presales"
    ],
    <... truncated these details ...>
  }
}
For this example, we have two claims from the IDP: winaccountname and groups. My Qlik config is as follows:
So in this example, I am telling Qlik to consume the claim named groups and map it to the user's groups. For the claim winaccountname, I am telling Qlik to map it to the user's sub (or subject).
Back to your question. If you don't see the groups in the claimsFromIdp section, Okta isn't sending this information. If you are seeing this information in the claimsFromIdp section, then configure the IDP in Qlik to map to the name of the claim from the IDP.
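As an added example (not part of this thread and not Qlik's or Okta's own tooling), the troubleshooting logic in the answer above can be scripted: save the diagnose-claims response to a file and check, for each claim you care about, whether it is absent from claimsFromIdp (fix on the IdP side) or present there but missing or empty in mappedClaims (fix the tenant mapping). The function names and the three sample responses below are constructed for illustration; only the field names claimSource, claimsFromIdp and mappedClaims come from the endpoint output shown in the thread.

```python
import json

# Constructed sample responses modelled on the structure shown above.
# Values are illustrative, not captured from a real tenant.
RESPONSE_OK = {
    "claimSource": "id-token",
    "claimsFromIdp": {
        "groups": ["Domain Admins", "Qlik Users"],
        "winaccountname": "EXAMPLE\\alice",
    },
    "mappedClaims": {
        "sub": "EXAMPLE\\alice",
        "groups": ["Domain Admins", "Qlik Users"],
    },
}

# IdP never sent a groups claim (for example, the groups scope was not requested).
RESPONSE_IDP_MISSING = {
    "claimSource": "id-token",
    "claimsFromIdp": {"winaccountname": "EXAMPLE\\alice"},
    "mappedClaims": {"sub": "EXAMPLE\\alice", "groups": []},
}

# IdP sent group membership under a different claim name; the tenant mapping
# still points at "groups", so nothing is mapped.
RESPONSE_NOT_MAPPED = {
    "claimSource": "id-token",
    "claimsFromIdp": {
        "memberOf": ["Domain Admins", "Qlik Users"],
        "winaccountname": "EXAMPLE\\alice",
    },
    "mappedClaims": {"sub": "EXAMPLE\\alice", "groups": []},
}


def _is_empty(value) -> bool:
    """Treat missing, None, empty string and empty list as 'no value'."""
    return value is None or value == "" or value == []


def diagnose_claim(response: dict, idp_claim: str, mapped_claim: str) -> str:
    """Classify one claim mapping from a diagnose-claims response.

    idp_claim    - name of the claim as the IdP sends it (e.g. "groups")
    mapped_claim - name of the tenant attribute it should land in (e.g. "groups" or "sub")

    Returns one of:
      "missing_from_idp" - the IdP did not send the claim; look at the IdP configuration
      "not_mapped"       - the claim arrived but the tenant mapping does not pick it up
      "value_mismatch"   - both present but the mapped value differs from what arrived
      "ok"               - claim arrived and is mapped with the same value
    """
    from_idp = response.get("claimsFromIdp", {})
    mapped = response.get("mappedClaims", {})
    if _is_empty(from_idp.get(idp_claim)):
        return "missing_from_idp"
    if _is_empty(mapped.get(mapped_claim)):
        return "not_mapped"
    if from_idp[idp_claim] != mapped[mapped_claim]:
        return "value_mismatch"
    return "ok"


def candidate_group_claims(response: dict) -> list:
    """List IdP claims that carry a list of values; these are the usual suspects
    when the group mapping points at a claim name the IdP does not use."""
    from_idp = response.get("claimsFromIdp", {})
    return sorted(name for name, value in from_idp.items() if isinstance(value, list))


def diagnose_file(path: str, idp_claim: str = "groups", mapped_claim: str = "groups") -> str:
    """Load a saved diagnose-claims response from disk and classify one claim."""
    with open(path, encoding="utf-8") as fh:
        return diagnose_claim(json.load(fh), idp_claim, mapped_claim)


if __name__ == "__main__":
    for label, resp in (("ok", RESPONSE_OK), ("idp-missing", RESPONSE_IDP_MISSING),
                        ("not-mapped", RESPONSE_NOT_MAPPED)):
        verdict = diagnose_claim(resp, "groups", "groups")
        print(f"{label:12s} groups -> {verdict}")
        if verdict != "ok":
            print(f"{'':12s} list-valued claims from IdP: {candidate_group_claims(resp)}")
```

Run it against a real response by calling diagnose_file("diagnose-claims.json") after saving the endpoint output; a "missing_from_idp" result for groups points at the IdP side (such as the Okta groups scope discussed later in this thread), while "not_mapped" with a candidate claim listed means the tenant mapping names the wrong claim.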
@Levi_Turner we managed to get the group claims coming through. The key for us was calling out the group in the advanced section scope per this comment on the original article: "we found another piece that may be missing. For us, we needed to expand the Advanced Options on the Qlik setup and add "groups" into the scope even though we mapped it correctly in the claims section. Without this we weren't pulling in any groups through Okta to our tenant."
Is it abnormal to need to call it out in the scope? Wondering what the driver is here and why it's not called out in the main article.
Thanks,
Mike
It looks like Okta requires that scope to retrieve that information (ref https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#request-an-id-token-that-...) although I am sure there is variability / configurability on the Okta side. It's a fair point to call this out about the docs, I'll see about pinging the individuals who own them to see about updating them.