Okta Groups Claim Returns NSSingleObjectArray

Updated over 2 weeks ago

Description

If the Okta Groups Claim filter is configured to Matches regex .*, Jamf Connect returns NSSingleObjectArray in the ID token output.

"groups": <_NSSingleObjectArrayI 0x7fcbf5f61350>( Everyone )

This filter pulls in Okta-only groups, as outlined in step 6 of Add Group Claims to OIDC Identity tokens.

Confirming Values Passed in the ID Token

To confirm which values are being passed in the ID token, OIDCIDTokenPath can be added to the Jamf Connect login profile.

<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>

Once OIDCIDTokenPath is added, perform a fresh Jamf Connect login and retrieve the token file from the /tmp directory.

Pulling Okta and Active Directory Groups

To ensure that the ID token retrieves both Okta groups and Active Directory groups, set the groups claim filter to:

Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))
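To compare the groups claim in the file written to OIDCIDTokenPath before and after changing the filter, the following added example (not Jamf or Okta code) normalizes the groups entry into a plain list. It assumes the dump has the shape of the "groups" line shown above; the function names and the multi-group sample are constructed for illustration.

```python
import re
import sys

# Constructed samples. SINGLE mirrors the line shown in the article; MULTI is
# an assumed multi-group dump after the combined Okta/AD filter is applied.
SAMPLE_SINGLE = '"groups": <_NSSingleObjectArrayI 0x7fcbf5f61350>( Everyone )'
SAMPLE_MULTI = '''"groups": <__NSArrayI 0x7fcbf5f61360>(
    Everyone,
    "Domain Users",
    Engineering
)'''

# "groups" key, an optional <ClassName 0xADDR> wrapper, then a parenthesised
# list. The wrapper only names the Foundation array class used for printing;
# NSSingleObjectArray means "array holding exactly one element".
GROUPS_RE = re.compile(
    r'"?groups"?\s*[:=]\s*(?:<[^>]*>)?\s*\((?P<items>[^)]*)\)', re.DOTALL)
# One list item: a double-quoted string (names with spaces) or a bare word run.
ITEM_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([^,"\s][^,]*)')


def parse_groups(text):
    """Return the groups claim as a list, or None if no groups entry exists."""
    match = GROUPS_RE.search(text)
    if match is None:
        return None
    groups = []
    for quoted, bare in ITEM_RE.findall(match.group("items")):
        name = quoted or bare.strip()
        if name:
            groups.append(name)
    return groups


def main(path):
    with open(path, encoding="utf-8", errors="replace") as handle:
        groups = parse_groups(handle.read())
    if groups is None:
        print("no groups claim found in", path)
        return 1
    print(f"{len(groups)} group(s):")
    for name in groups:
        print("  " + name)
    return 0


if __name__ == "__main__":
    # Default is the path used in the article's profile snippet.
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/tmp/token"))
```

Delete the token file and remove OIDCIDTokenPath from the profile once the check is done, since the dump contains the user's identity claims.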
