Dynamic SAML Attributes

When you create a new SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. — or modify an existing one — you can define custom SAML Attribute Statements to share user profile information between Okta and your app.

Each Attribute Statement inside the shared SAML Assertion has these elements:

  • Name - the reference name of the attribute needed by the app. The maximum length for this field is 512 characters.
  • Name Format - the format in which the Name attribute is given to the app. In SAML 2.0, the formats are:
    • Unspecified - can be any format defined by the Okta profile and must be interpreted by the app
    • URI Reference - the name is provided as a Uniform Resource Identifier string
    • Basic - a simple string; default if no other format is specified
  • Value - the value for the attribute defined by the Name element. The maximum length for this field is 1024 characters.



In a SAML Assertion, the Name attribute must be unique across all of the user and group attribute statements.

Attribute Statements

In the Attribute Statements (optional) section:

  1. Enter the Name of the attribute in the SAML app.
  2. Select a Name Format.
  3. Choose or type a Value within the Okta user profile. Admins may create custom expressions (using Okta EL) to reference values in the Okta user profile. For details on creating custom expressions, see Okta Expression Language.
  4. Click Add Another to add an additional statement row.
  5. Repeat until all necessary attributes are defined.

Group Attribute Statements

Group Attribute Statements can also be provided in the SAML assertion. Using group attribute statements enables you to specify what groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. in the Okta profile should be shared with your app.

In the Group Attribute Statements (optional) section:

  1. Enter the Name of the group attribute in the SAML app.
  2. Select a Name Format.
  3. Choose a filtering option for your expression: Starts with, Equals, Contains, or Matches regex.
  4. Type in the expression that will be used to match against the Okta GroupName values and added to the SAML assertion.
  5. Click Add Another to add an additional group statement row.
  6. Repeat until all necessary groups are defined.

Preview SAML

Click Preview SAML to view the generated SAML Assertion that will be shared between Okta and the SAML application.