Skip to main content

Okta Groups Claim Returns NSSingle0bjectArray

Updated over 3 weeks ago

Description

If Okta Groups Claim filter is configured to matches regex .*, Jamf Connect returns NSSingle0bjectArray in the ID token output.

"groups": <_NSSingle0bjectArrayI0x7fcbf5f61350>( Everyone )

This filter only pulls in Okta only groups which is outlined in step 6 of Add Group Claims to OIDC Identity tokens.

Confirming Values Passed in the ID Token

To confirm which values are being passed in the ID token, OIDCIDTokenPath can be added to the Jamf Connect login profile.

<key>OIDCIDTokenPath</key>
<string>/tmp/token</string>

Once OIDCIDTokenPath is added, perform a fresh Jamf Connect login and retrieve the token file from the /tmp directory.

Pulling Okta and Active Directory Groups

To ensure that the ID token retrieves both Okta groups and Active Directory groups, set group claim filter to:

Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))

Related Articles
Deploying Privilege Elevation Settings From Jamf Connect
Standardized Introduction Workflow for Jamf Connect Menu Bar
Standardized Introduction Workflow for Jamf Connect Login
Disable Okta MFA prompts (FIDO webauthn or Okta SMS) using MFAExcluded in Jamf Connect
Setting Up Jamf Account SSO with an Identity Provider
Did this answer your question?