Hello All,
We currently have OKTA SSO working on a DMS for users that belong to a couple domain groups (Local groups created with identical names as the domain group within the AD). Those users are able to authenticate into cube and webapps using OKTA external authentication without issue.
Recently, we have tried creating a new local group within cube for additional users to begin logging into the system and they are encountering the following error:
What does "No groups found in SAML response" indicate?
When moving those new users within the AD, from the group they should belong to, and into the group that has been working for other users, they can authenticate, leading us to believe there is either a group/user configuration issue on the OKTA side, or DataMiner is not handling the addition of new groups appropriately.
Within DataMiner, the externalAuth config has not changed and the new local groups are being created the same way as the other working groups.
Note: Group claims are set to true within the ExternalAuth config.
Thanks in advance!
Hi Thomas,
"No groups found in SAML response" means that DataMiner cannot find a group claim with, in this case, "userGroups" as its name in the info that Okta sends to DataMiner.
You can see this for yourself with Client Test Tool by checking the "Debug SAML" box when logging in:
After logging in in the SAML window like normal, a new window should open with SAML Response as its title. On the left, the translated response XML will be visible. In the XML, in the attribute statements, there should be a tag with <saml2:Attribute Name="userGroups" ...>. If this is not the case, that is your problem.
If the users and groups come from an AD and are imported to Okta in some way, it might be worth checking if the user directory in Okta itself shows the users as belonging to the correct groups there as well.
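The check described in the answer above can also be run on a saved copy of the decoded response XML. This is an added example, not part of the original posts and not DataMiner code; the claim name "userGroups" comes from the answer, while the function names, sample XML and group name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def group_claim_values(saml_xml, claim_name="userGroups"):
    """Return (values of the group claim, names of every attribute present)."""
    if "<!DOCTYPE" in saml_xml:
        # A SAML response has no reason to carry a DTD; refuse to parse it.
        raise ValueError("unexpected DTD in SAML response")
    root = ET.fromstring(saml_xml)
    names, groups = [], []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        names.append(name)
        if name == claim_name:
            for value in attr.iterfind("saml2:AttributeValue", NS):
                groups.append((value.text or "").strip())
    return [g for g in groups if g], names

def diagnose(saml_xml, claim_name="userGroups"):
    """Summarise why a group lookup on this response would succeed or fail."""
    groups, names = group_claim_values(saml_xml, claim_name)
    if groups:
        return "ok: " + ", ".join(groups)
    if claim_name in names:
        return "claim present but has no values"
    return "claim missing; attributes present: " + (", ".join(names) or "none")

def _sample(attrs_xml):
    # Constructed, unsigned skeleton of a decoded SAML response (sample data).
    return ('<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>'
            '<saml2:AttributeStatement>' + attrs_xml +
            '</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>')

WITH_GROUPS = _sample('<saml2:Attribute Name="userGroups"><saml2:AttributeValue>'
                      'DMS-Operators</saml2:AttributeValue></saml2:Attribute>')
NO_GROUPS = _sample('<saml2:Attribute Name="email"><saml2:AttributeValue>'
                    'user@example.com</saml2:AttributeValue></saml2:Attribute>')

if __name__ == "__main__":
    print(diagnose(WITH_GROUPS))
    print(diagnose(NO_GROUPS))
```

The list of attribute names in the "claim missing" result helps spot a group claim that is being sent under a different name than the one configured.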

Hello Michiel, thanks for the response! I can confirm the OKTA side config was not fully set up for the new groups. All is working after addressing this.