Define attribute statements

These options appear in different places depending on which Okta features you've enabled:

  • If you've enabled the Early Access Entitlement SAML Assertions and OIDC Claims feature, this option appears when you edit your app integration. Open a SAML app, and then select the Sign On tab, or the Authentication tab if you've enabled the Identity Threat Protection feature. Click Edit in the SAML Attributes section, and then continue with the procedure.
  • If you haven't enabled the Early Access Entitlement SAML Assertions and OIDC Claims feature, this option appears when you create your app integration. Create a new SAML app, and then complete the fields shown in the procedure in the Attribute Statements (optional) section of the Create SAML Integration page.

Start this procedure

  1. Enter a Name for the attribute. Your app uses this name to reference this attribute. The maximum length for this field is 512 characters. The name must be unique across all user and group attribute statements.
  2. Select a Name format. This is the format of the Name attribute that's provided to your app.
    • Unspecified: This can be any format defined by the Okta profile. Your app must be able to interpret this format.
    • URI Reference: The name is provided as a Uniform Resource Identifier string.
    • Basic: A simple string. This is the default format.
  3. Enter a Value for the attribute defined by the Name element. Admins can create custom expressions (using Okta Expression Language) to reference values in the Okta user profile. The maximum length for this field is 1024 characters.
  4. Optional. Click Add Another to add a statement row, and then repeat steps 1–3 to define an attribute statement.

After you add your attribute statements and create your SAML integration, you need to update the profile using the Profile Editor.

The Dynamic SAML feature enables apps in the Okta Integration Network to process SAML attribute statements. Previously, the attribute statements were only available for apps created using the App Integration Wizard. This feature doesn't change how you enter attribute statements in Okta Expression Language or how the statements are processed.

Update a profile with attribute statements

  1. In the Admin Console, go to Directory > Profile Editor.
  2. Find the integration that you created and click its name in the Profile column.
  3. Click Add Attribute.
  4. Complete the form with appropriate values for the attribute. Click Save to continue or Save and Add Another to create another attribute.
  5. In the Admin Console, go to Applications > Applications. Click the app name.
  6. Click the General tab. Then click Edit in the SAML Settings section.
  7. Click Next.
  8. In the Attribute Statements (Optional) section, enter the name of the attribute you created when you first added the attribute. This doesn't automatically populate the Value dropdown box. For the Value, enter appuser, a period, and the attribute name. For example, if your attribute is named NewRole, enter the value appuser.NewRole.
  9. Click Next, and then click Finish.
  10. On the Applications page, click the integration name, and then click the Assignments tab. Click Assign, and then select Assign to Groups. Assign the app to a group by clicking Assign to the right of the group. You can verify these assignments with a SAML tracer.
  11. Click Done.
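
The check in step 10 can be scripted once a SAML tracer has captured and decoded the assertion. The following is an added example, not Okta code: the assertion fragment and its values are constructed, and the function names read_attributes and check_expected are hypothetical. It maps the NameFormat URIs defined by SAML 2.0 to the Name format options above and reports duplicate, missing, empty, or mismatched attributes.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
# Admin Console "Name format" option for each SAML 2.0 NameFormat URI.
NAME_FORMATS = {FMT + "unspecified": "Unspecified", FMT + "uri": "URI Reference",
                FMT + "basic": "Basic"}

# Constructed sample: a decoded assertion fragment as copied from a SAML tracer.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="NewRole"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return ({name: (format_label, [values])}, [problems])."""
    root = ET.fromstring(assertion_xml)
    attrs, problems = {}, []
    for el in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = el.get("Name", "")
        # SAML 2.0: an omitted NameFormat means "unspecified".
        fmt = el.get("NameFormat", FMT + "unspecified")
        values = [v.text or "" for v in el.findall("saml:AttributeValue", NS)]
        if name in attrs:  # names must be unique across all statements
            problems.append(f"duplicate attribute name: {name}")
        if len(name) > 512:  # Name field limit from step 1
            problems.append(f"attribute name longer than 512 characters: {name[:32]}")
        attrs[name] = (NAME_FORMATS.get(fmt, fmt), values)
    return attrs, problems

def check_expected(assertion_xml, expected):
    """expected maps attribute name to the configured Name format label."""
    attrs, problems = read_attributes(assertion_xml)
    for name, label in expected.items():
        if name not in attrs:
            problems.append(f"missing attribute: {name}")
        elif attrs[name][0] != label:
            problems.append(f"NameFormat for {name} is {attrs[name][0]}, expected {label}")
        elif not any(attrs[name][1]):  # expression resolved to nothing for this user
            problems.append(f"empty value for {name}")
    return problems
```

This only inspects a decoded assertion to confirm the configuration; it doesn't verify the assertion's signature and isn't a substitute for the validation your app performs.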

Related topics

Application Integration Wizard SAML field reference

Create SAML app integrations

Generate federated claims