
Use Active Directory Synced Groups in Okta Identity Engine for Privilege Elevation

Using Active Directory Groups synced to Okta for privilege elevation where we want to allow only specific groups to elevate privileges.


Description

Okta-created groups differ from Active Directory-synced groups, so the usual group filters and expressions will not match the synced groups. The steps below provide a groups-claim expression that selects the synced group.

Setting Up Group Claims for Active Directory Synced Groups in Okta Identity Engine

  1. Navigate to your Okta Identity Engine tenant and go to the admin site.

  2. Go to Applications > Jamf Connect App > Sign On tab.

  3. Select OpenID Connect ID Token and click Edit.

  4. In this setting, we can create a groups claim that places a specific group in the ID token for privilege elevation.

    1. For "Groups claim type" enter: Expression

    2. For "Groups claim filter", enter groups as the claim name, followed by the expression:
      Groups.startsWith("active_directory","NAMEOFGROUPHERE",100)

  5. Test the privilege elevation setup and confirm that a user who is a member of the group can elevate.
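As an added illustration (not part of this article, and not Okta's or Jamf Connect's code), the following Python models what the expression above selects from a constructed set of group memberships, and the exact-match check a relying party should apply to the resulting groups claim. The group names, membership data and the `may_elevate` check are all assumptions made for this example.

```python
"""Local model of the groups-claim filter configured above, plus the check a
relying party makes on the resulting ID token claim. Constructed data and a
simplified model of the Okta expression; this is not Okta or Jamf code."""

# Constructed sample of one user's group memberships as Okta would see them.
# "source" is the group's origin: Okta-created groups are "okta", groups
# imported through the AD agent are "active_directory".
USER_GROUPS = [
    {"source": "okta", "name": "JamfConnect-Admins"},          # Okta-created
    {"source": "active_directory", "name": "JamfConnect-Admins"},
    {"source": "active_directory", "name": "JamfConnect-Admins-Staging"},
    {"source": "active_directory", "name": "Everyone"},
]


def groups_starts_with(groups, app_type, pattern, limit):
    """Model of Groups.startsWith(app_type, pattern, limit): names of the
    groups sourced from app_type whose name begins with pattern, at most
    limit of them. Only groups from that source match, so an Okta-created
    group with the same name is ignored."""
    names = [g["name"] for g in groups
             if g["source"] == app_type and g["name"].startswith(pattern)]
    return names[:limit]


def may_elevate(id_token_claims, required_group):
    """Relying-party check on the decoded ID token: elevation is allowed
    only if the groups claim is a list that contains the exact group name.
    Exact matching matters because startsWith is a prefix filter and can
    also return groups such as 'JamfConnect-Admins-Staging'."""
    groups = id_token_claims.get("groups")
    if not isinstance(groups, list):
        return False
    return required_group in groups


def claim_for(groups, pattern="JamfConnect-Admins", limit=100):
    """Constructed ID token claims as the filter above would emit them."""
    return {"sub": "user@example.com",
            "groups": groups_starts_with(groups, "active_directory", pattern, limit)}


if __name__ == "__main__":
    print(claim_for(USER_GROUPS)["groups"])        # prefix match returns two names
    print(may_elevate(claim_for(USER_GROUPS), "JamfConnect-Admins"))   # True
    okta_only = [g for g in USER_GROUPS if g["source"] == "okta"]
    print(may_elevate(claim_for(okta_only), "JamfConnect-Admins"))     # False
```

The Okta-created group with the same name never reaches the claim, which is the behaviour the article relies on; the exact-name check guards against the prefix filter pulling in similarly named groups.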

More Resources

Additional information on privilege elevation can be found in the links below, depending on which version or software you are using.
