Description
If Okta Groups Claim filter is configured to matches regex .*, Jamf Connect returns NSSingle0bjectArray in the ID token output.
"groups": <_NSSingle0bjectArrayI0x7fcbf5f61350>( Everyone )
This filter only pulls in Okta only groups which is outlined in step 6 of Add Group Claims to OIDC Identity tokens.
Confirming Values Passed in the ID Token
To confirm which values are being passed in the ID token, OIDCIDTokenPath
can be added to the Jamf Connect login profile.
<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>
Once OIDCIDTokenPath is added, perform a fresh Jamf Connect login and retrieve the token file from the /tmp directory.
Pulling Okta and Active Directory Groups
To ensure that the ID token retrieves both Okta groups and Active Directory groups, set group claim filter to:
Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))