In addition to allowing your existing Cloudinary users to log in via Okta, you can use Cloudinary's SAML provisioning feature to automatically create or update user accounts by passing their metadata from your IdP during the login process.
One area which requires special consideration is how to transform and map user attributes from your IdP, e.g. if your IdP's "CloudinaryMarketingUsers" group should become the "Marketing" user group in Cloudinary. Another consideration is how to map attributes which may have multiple values when granting users access to multiple user groups or multiple sub-accounts, where the relevant properties use a String Array data type.
Here's an example of a working Okta configuration which performs both a mapping from an IdP user field to a Cloudinary user property, and which includes properties with values that are represented as Arrays:
Transforming and Mapping attributes
Okta's Expression Language is used in the Profile editor (and not in the SAML Settings) when creating attributes for your Cloudinary App. An example of where you can use this within the profile editor would be when mapping attributes on the "Okta User to Cloudinary mapping" screen.
For mapping values for the Cloudinary app, you will most likely use the appuser prefix, e.g. appuser.cloudinaryRole (rather than the user, app or idpuser prefixes).
SAML String Array
A SAML String Array is an array of strings. It cannot hold a null or an empty string. The assertion attribute should include one AttributeValue element for each value of the attribute.
By default, Okta concatenates the multiple values of a `string array` into a single string of comma-separated values. If it's not already enabled on your account, please ask Okta support to turn on the SAML_SUPPORT_ARRAY_ATTRIBUTES flag. This ensures that `string array` types are returned as multiple values.
You can then use an expression to map the properties from the Okta user profile to the equivalent details which are sent to Cloudinary to create or update the user details. You also need to ensure that no empty strings or other default values are sent, and one way to do this is by following this pattern using Arrays.flatten():
Arrays.flatten(
Arrays.remove( {isMemberOfGroupName("cloudinaryGroupX") ? "GroupX" : NULL }, NULL),
Arrays.remove( {isMemberOfGroupName("cloudinaryGroupY") ? "GroupY" : NULL }, NULL),
... )
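To see what the receiving side actually gets, here is an added example (not part of this article, nor Cloudinary's or Okta's code) that parses the AttributeStatement of a SAML 2.0 assertion and checks whether a string-array attribute arrived as separate AttributeValue elements with no empty values. The assertion XML and the attribute names in it are constructed for illustration.

```python
# Added example: inspect SAML string-array attributes as received by the SP.
# The assertion below is constructed; attribute names are illustrative only.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Constructed assertion: the first attribute shows the multi-value form Okta
# emits with SAML_SUPPORT_ARRAY_ATTRIBUTES on, the second shows the default
# comma-joined form, and the third contains an empty value.
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="cloudinaryUserGroups">
      <saml:AttributeValue>Marketing</saml:AttributeValue>
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cloudinarySubAccounts">
      <saml:AttributeValue>acme-prod,acme-dev</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cloudinaryRole">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [AttributeValue text, ...]} from the assertion."""
    root = ET.fromstring(assertion_xml)
    result: dict[str, list[str]] = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result


def check_string_array(values: list[str]) -> list[str]:
    """Problems that make the values unusable as a SAML String Array."""
    problems = []
    if any(v.strip() == "" for v in values):
        problems.append("empty value")  # string arrays cannot hold empty strings
    if len(values) == 1 and "," in values[0]:
        # Heuristic: one comma-joined value usually means the array flag is off.
        problems.append("comma-joined")
    return problems
```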