Example: Setting up custom mapping for Okta
The following shows two different options for custom mapping of Okta roles, using Legacy custom mapping.
For both of these options to work, the Snyk SSO application must be assigned at the group level, not the user level.
In this configuration:
Okta groups are mapped to Snyk Organizations.
Okta groups are mapped to Snyk Organization membership roles.
The user role in Snyk is pre-set in each Okta group for all members of that group.
The steps follow.
Note: The Snyk SSO application must be assigned at the group level, not the user level.
When you look at a user's Application assignment it should look similar to the image that follows, with set by Snyk-Roles group following Add Another grayed out.
On the main page of Okta, select Directory -> Profile Editor -> your Snyk SSO app.
Select +Add Attribute.
In the corresponding fields, add the following details for this Attribute:
Data type: string array
Display name: Snyk Orgs
Variable name: snyk_orgs
Group Priority: Combine values across groups
When you are finished select Save.
On the main page of Okta select Directory -> Groups.
Select a Group, navigate to the Applications tab, click Assign application if not already assigned, and choose your Snyk SSO app. Then click on the pencil next to the displayed Snyk SSO app.
In the Edit App Assignment dialog, add the Snyk Organization slug, and the Organization role name associated with your Okta group (no spaces or capital letters), following the syntax explained in custom mapping (or see legacy custom mapping if you are using that option).
Repeat the preceding steps for all your applicable Okta groups to assign the org name and role combination to each user within each configured group.
Navigate to Applications -> Applications and click on the Snyk app you configured.
Select General Tab -> Edit SAML Settings and click next to go to the Configure SAML step.
Add an Attribute Statement named “roles” of an unspecified type.
Select Attribute Statements and set roles as the Name field with Name format Unspecified and the Value in the following expression:
Arrays.flatten(appuser.snyk_orgs)
Reach out to your Snyk point of contact so they can complete the configuration.
The following describes Custom Mapping with user roles.
These instructions show how to map roles using the legacy custom mapping option. To use Custom mapping, option 1 is recommended. Reach out to your Snyk point of contact if you have any questions.
Okta groups are mapped to Snyk Organizations.
User profiles are tied to each user, not the Okta group.
Note: The Snyk SSO application must be assigned at the group level, not the user level.
When you look at a user's Application assignment it should look similar to the image that follows, with set by Snyk-Roles group following Add Another grayed out.
When your Snyk Groups and users have been set up, follow these steps:
On the main page of Okta select Directory -> Profile Editor -> your Snyk SSO app.
Select +Add Attribute.
In the corresponding fields, add the following details for the first Attribute:
Data type: string array
Display name: Snyk Orgs
Variable name: snyk_orgs
Group Priority: Combine values across groups
When you are finished, select Save and Add Another.
In the corresponding fields, add the following details for the second Attribute:
Data type: String
Display name: Snyk User Role
Variable name: user_role
Enum: Check Define enumerated list of values
Attribute members Collaborator: collaborator or collab
Attribute members Admin: administrator or admin
Attribute members GroupAdmin: groupadmin
Attribute required: Yes
Scope: User personal
When you are finished, select Save.
On the main page of Okta select Directory -> Groups.
Select a Group, navigate to the Applications tab, click Assign application if not already assigned, and choose your Snyk SSO app. Then click on the pencil next to the displayed Snyk app.
In the Edit App Assignment dialog, add the Snyk Organization name to associate with your Okta group (no spaces or capital letters).
Repeat the preceding steps to assign the Snyk app to all your applicable Okta groups, modifying the Snyk Organization name as needed.
On the main page of Okta select Directory -> People.
Select a User, navigate to the Applications tab, and click on the pencil next to the application.
Select the right user type in group (user role): Collaborator, Admin, or Group Admin.
Navigate to Applications -> Applications and click on the Snyk app you configured.
Select General Tab -> SAML Settings -> Edit and click next to go to the Configure SAML step.
Select Attribute Statements and add an attribute named roles with Name format Unspecified and the Value in the following expression:
appuser.user_role == "groupadmin" ? "snyk-groupadmin" : Arrays.flatten(String.replace(String.replace(String.append("snyk-",String.append(Arrays.toCsvString(appuser.snyk_orgs),"-"+appuser.user_role)),",",",snyk-"),",","-"+appuser.user_role+","))
Click Next -> Finish.
Reach out to your Snyk point of contact so they can complete the configuration. This process may take four to five days.
The following explains the roles expression:
If the role is groupadmin, the expression ignores everything else and passes snyk-groupadmin.
If the role is not groupadmin, then for each Snyk Org name listed across all Groups, the expression automatically concatenates the prefix “snyk-” with the Snyk Org name and appends user_role at the end of each Organization name. An example result follows.
Example roles are: [ "snyk-groupadmin", "snyk-org1-admin", "snyk-org2-admin" ]
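The string steps of the roles expression above can be modelled offline to review what a given assignment will send before it goes live. This is an added example, not Snyk's or Okta's code: the Python functions stand in for the Okta expression functions, and the function names, the slug pattern and the sample values are assumptions made for illustration.

```python
import re

# The page requires no spaces or capital letters in the org value.
# The exact slug shape below is an assumption; it also rejects commas,
# because the expression rewrites the value on "," separators.
VALID_ORG = re.compile(r"^[a-z0-9][a-z0-9-]*$")

def combine_across_groups(group_values):
    """Model of 'Combine values across groups': ordered union of group values."""
    combined = []
    for values in group_values:
        for v in values:
            if v not in combined:
                combined.append(v)
    return combined

def roles_from_expression(snyk_orgs, user_role):
    """Mirror the expression's string steps and return the roles it would emit."""
    if user_role == "groupadmin":
        return ["snyk-groupadmin"]             # ternary branch: org values ignored
    csv = ",".join(snyk_orgs)                   # Arrays.toCsvString
    s = "snyk-" + csv + "-" + user_role         # the two String.append calls
    s = s.replace(",", ",snyk-")                # inner String.replace
    s = s.replace(",", "-" + user_role + ",")   # outer String.replace
    return s.split(",")                         # split only to inspect each role

def audit(group_values, user_role):
    """Return (roles, findings) for one user's group assignments and role."""
    orgs = combine_across_groups(group_values)
    findings = [f"invalid org value: {o!r}" for o in orgs if not VALID_ORG.match(o)]
    if not orgs and user_role != "groupadmin":
        findings.append("no org values: this model yields a malformed role")
    if user_role == "groupadmin" and orgs:
        findings.append("groupadmin overrides per-org scoping for: " + ", ".join(orgs))
    return roles_from_expression(orgs, user_role), findings

if __name__ == "__main__":
    # Constructed sample: two Okta groups, one overlapping org value.
    print(audit([["org1"], ["org2", "org1"]], "admin"))
    # Constructed sample: a value with a comma becomes two separate roles.
    print(audit([["a,b"]], "admin"))
```

The second sample shows why the org value must stay a single slug: a comma inside one value is indistinguishable from the separator the expression inserts, so one entry is emitted as two roles.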