Optionally, groups can be used to determine whether a user becomes an administrator on the local macOS account (Admin Roles, OIDCAdmin) or is allowed to create additional user accounts on the device (Secondary Access Group, OIDCSecondaryAccess).
- Log in to the Okta Admin Console.
- Navigate to Applications.
- Select your Jamf Connect application.
- Navigate to OpenID Connect ID Token in the Sign in tab.
- Click Edit.
An OpenID Connect identity token can contain up to 100 groups. If your organization has users who belong to more than 100 groups, use Okta's filtering options.
- To send all Okta groups:
  - Set Groups claim type to Filter.
  - In the Group claims filter, set the name of the claim to groups. Set the filter type to Matches regex. Set the filter expression to .* (matches every group).
  - Click Save.
- To send all Okta and linked on-premises Active Directory groups:
  - Set Groups claim type to Expression.
  - In the Group claims filter, set the name of the claim to groups. Set the expression to:

    Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))

  - Click Save.
- In your Jamf Connect configuration, the OpenID Connect Scopes (OIDCScopes) setting must be set to openid profile email groups. (Okta requires space delimiters in the scope request.)
Your Okta OIDC configuration can now use Okta and Active Directory groups to determine whether a user becomes an administrator on the local macOS account or is allowed to create additional user accounts on the device.
For more information about Okta Expression Language filters, see Group functions (Okta Developer).