Step 1: Configure the identity provider for OIDC group mapping

Identity provider pre-requisites for configuring group mapping in Dispel

Written by Pete Pickerill
Updated this week

Follow the instructions below to configure Dispel and your identity provider to support OIDC group mapping.

Supported Identity Platforms

  • Microsoft Entra

Set up single sign on (SSO) for Dispel in the identity provider

To retrieve a user's group membership from the identity provider, the user must authenticate to Dispel through single sign on (SSO) with that identity provider. Refer to the articles below to set up single sign on in Microsoft Entra or Okta.

Configure the identity provider to return group claims

Group claims are lists of the identity provider groups a user belongs to, included in the token (ID token or access token) that the identity provider returns when a user authenticates successfully. Group claims are not included in the token by default, so additional configuration in the identity provider is required. Consult the instructions below to enable and configure group claims.

Microsoft Entra group claim configuration

Configuring Microsoft Entra ID (formerly Azure AD) for OIDC group mapping involves setting up your application registration to emit group claims and then configuring the application to interpret those claims for authorization purposes. The sections below give step-by-step configuration instructions.

  • Step 1: Configure Group Claims for the Application

    1. Go to the Application Settings:

      1. In the MS Entra application you registered for Dispel, go to “Token configuration.”

    2. Add Group Claims:

      1. Click “Add groups claim.”

      2. Specify the types of groups to include in the token (e.g., “Security groups,” “Directory roles,” or “All groups”).

      3. Choose whether to include group names, group IDs, or both, depending on your application’s needs.

      4. Decide whether to include groups in the id_token, access_token, or both.

      5. If your app is multi-tenant, be sure to add a fallback for groups for the case where a user belongs to more groups than the token can hold (the group overage limit).

    3. Save Changes: After setting the group claim options, click “Save.”

  • Step 2: Configure API Permissions

    1. Go to API Permissions:

      1. Under “API Permissions,” add required permissions for your application to read group information.

    2. Add Microsoft Graph Permissions:

      1. Click “Add a permission.”

      2. Select “Microsoft Graph” as the API.

      3. Under “Delegated permissions” or “Application permissions,” add permissions like Group.Read.All if your app requires direct access to read groups.

    3. Grant Admin Consent: Once permissions are configured, click “Grant admin consent” for these permissions to avoid users individually consenting.

For detailed guidance, refer to Microsoft’s documentation on configuring group claims for applications.

Okta group claim configuration (Okta support coming soon!)

To include group information in tokens issued by Okta, you can configure group claims in the Org Authorization Server. The Org Authorization Server is suitable for scenarios where you need to include group claims in ID tokens for Single Sign-On (SSO) purposes.

  • Step 1: Navigate to the Application in Okta

    1. In the Okta Admin Console, go to Applications > Applications.

    2. Select the OpenID Connect (OIDC) client application you want to configure.

  • Step 2: Configure the Group Claim:

    1. Go to the Sign On tab and click Edit in the OpenID Connect ID Token section.

    2. In the Group claim type section, choose either Filter or Expression:

      1. Filter: Select this to include groups based on specific criteria. For example, to include all groups, set the filter to “Matches regex” and enter .*.

      2. Expression: Use Okta Expression Language to define custom logic for including groups.

    3. Click Save to apply the changes.

  • Step 3: Refresh Application Data

    1. Return to the Applications list.

    2. From the More button dropdown menu, select Refresh Application Data to ensure the changes take effect.

For detailed guidance, refer to Okta’s documentation on customizing tokens with a groups claim.
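The following is an added example, not Dispel's code and not part of the Microsoft or Okta documentation referenced above. It shows what an application does with the group claims described in this article once the identity provider has been configured: it reads the `groups` list from a validated token, handles the Microsoft Entra group overage case that step 2.5 of the Entra configuration asks you to plan for (Entra omits `groups` and instead emits `_claim_names`/`_claim_sources` pointing at a Microsoft Graph endpoint, or `hasgroups: true` in the implicit flow), and maps groups to application roles. Assumptions: Okta is configured to emit the claim under the name `groups` (the claim name is configurable), the role table `GROUP_TO_ROLE` and the sample tokens are constructed for this example, and signature, issuer, audience and expiry validation has already been done by a JWT library before the claims reach this code.

```python
"""Extract group claims from an OIDC ID token and map them to application roles.

Added example; not Dispel's own code or an identity provider SDK. The token is
assumed to have been validated (signature, issuer, audience, expiry) by a JWT
library before its claims are handed to extract_groups(); decode_claims_unverified()
exists only so the constructed sample tokens below can be inspected offline.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, hypothetical role table. Use group names or group object IDs here
# depending on which form you chose in the "group names, group IDs, or both" step.
GROUP_TO_ROLE: Dict[str, str] = {
    "dispel-admins": "admin",
    "dispel-operators": "operator",
    "dispel-viewers": "viewer",
}


@dataclass
class GroupResult:
    groups: List[str] = field(default_factory=list)
    # True when the IdP signalled that the group list did not fit in the token.
    needs_graph_lookup: bool = False
    graph_endpoint: Optional[str] = None


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT checking the signature.
    Never base an authorization decision on this alone; verify the token first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def extract_groups(claims: dict, claim_name: str = "groups") -> GroupResult:
    """Pull the group list out of validated claims, honouring Entra's overage markers."""
    # Entra overage: groups are omitted and a Graph endpoint is referenced instead.
    claim_names = claims.get("_claim_names") or {}
    if claim_name in claim_names:
        sources = claims.get("_claim_sources") or {}
        source = sources.get(claim_names[claim_name]) or {}
        return GroupResult(needs_graph_lookup=True, graph_endpoint=source.get("endpoint"))
    # Implicit-flow variant of the same overage signal.
    if claims.get("hasgroups") is True and claim_name not in claims:
        return GroupResult(needs_graph_lookup=True)
    groups = claims.get(claim_name)
    if groups is None:
        return GroupResult()  # claim not configured or user has no groups
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{claim_name!r} claim must be a list of strings")
    return GroupResult(groups=groups)


def map_roles(groups: List[str]) -> List[str]:
    """Map IdP groups to application roles; unknown groups grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def _make_sample_token(payload: dict) -> str:
    # Constructed sample with an empty signature segment, for offline inspection only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed sample tokens (not real Entra or Okta output).
SAMPLE_OKTA_TOKEN = _make_sample_token(
    {"iss": "https://example.okta.com", "sub": "alice", "groups": ["dispel-viewers", "Everyone"]}
)
SAMPLE_ENTRA_OVERAGE_TOKEN = _make_sample_token(
    {
        "iss": "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0",
        "sub": "bob",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/EXAMPLE/getMemberObjects"}},
    }
)


def roles_for_sample(token: str) -> Optional[List[str]]:
    """Roles for a constructed sample token, or None when a Graph lookup is still required."""
    result = extract_groups(decode_claims_unverified(token))
    return None if result.needs_graph_lookup else map_roles(result.groups)


if __name__ == "__main__":
    print("okta sample roles:", roles_for_sample(SAMPLE_OKTA_TOKEN))
    print("entra overage sample roles:", roles_for_sample(SAMPLE_ENTRA_OVERAGE_TOKEN))
```

The point of the overage branch is that a missing `groups` claim is not the same as "no groups": when `needs_graph_lookup` is true the application must query the referenced Microsoft Graph endpoint (which is why the Entra steps add the `Group.Read.All` permission) before deciding the user has no roles, and should fail closed until that lookup succeeds.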

Next Steps
