Okta Integration Team Membership in Claim


(Eelco Boer) #1

I have integrated Octopus into our Okta setup.
However it only seems to be possible to propagate User Roles through a claim.
Is it also possible to provide Team information in the claim?
So I want to translate an okta group to a octopus team.


(Lawrence Wilson) #3

Hi,
Thanks for getting in touch, I’m sorry for the delay in getting back to you on this one! I’m interested in knowing a bit more information about your Okta setup here. In your setup, are you defining your group memberships within Okta?

In Octopus and Okta integration, you would typically define your groups within Okta and these the Okta Authentication Provider within Octopus should extracting the group claims when they are passed in the id token. For more information on this, please check out our documentation on Okta Authentication Provider under Okta Group Integration

I look forward to hearing if this has been helpful!

Kind regards,
Lawrence.


(Eelco Boer) #4

Hi Lawrence,

Thanks for the reply :slight_smile:
Yes. I have setup a couple of groups in Okta that will grant permissions to the app. I am also passing along the group claims from Okta to Octopus. So In the JWT token i can clearly see which groups in Okta the user is member of. But in Octopus these groups seem to be mapped to Octopus User Roles.
It would be nice if they could be mapped to Octopus Teams, as we determine in the Octopus team to which projects a set of users has access to and which User role it has.

So if I understand the setup in Octopus correctly, the User role defines what kinds of things you are allowed to do, but the Team decides to which project and environment that applies.

At the moment all is working as I have the AD Security group membership also enabled. So people get assigned to a team based on the AD group. But i would rather solve this in Octopus, so I don’t need to manage the users in AD anymore.


(Lawrence Wilson) #5

Hi, Thanks for keeping in touch and I’m sorry for the delay here. I’m interested in hearing a little more information about where you’re seeing that your Okta groups are mapped to Octopus User roles. My understanding would be that they should normally not be linked.

Your understanding is absolutely correct here, an Octopus Role is simly a collection of different permissions that you can combine to perform a specific task. You can even define your own Custom Roles.

One piece of the puzzle that might be missing here could be for you to add the RoleID or GroupID from Okta into the External Groups and Roles section in Octopus. For the RoleID, use the id values you can see in the claims that are being passed through from Okta.

I hope this has been helpful! I look forward to hearing how this goes.

Kind regards,
Lawrence.