<div style="pad: 0px; margin: 0px;">

<span style="vertical-align:middle;">Author: </span>

<a href="https://github.com/Emyrk" style="text-decoration: none; color: inherit; margin-bottom: 0px;">

<span style="vertical-align:middle;">Steven Masley</span>

<img src="https://avatars.githubusercontent.com/u/5446298?v=4" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>

</a>

</div>

December 13, 2023

To configure custom claims in Okta to support syncing roles and groups with

Coder, you must first have setup an Okta application with

[OIDC working with Coder](https://coder.com/docs/v2/latest/admin/auth#openid-connect).

From here, we will add additional claims for Coder to use for syncing groups and

roles.

You may use a hybrid of the following approaches.

If the Coder roles & Coder groups can be inferred from

[Okta groups](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-about-groups.htm),

Okta has a simple way to send over the groups as a `claim` in the `id_token`

payload.

In Okta, go to the application “Sign On” settings page.

Applications > Select Application > General > Sign On

In the “OpenID Connect ID Token” section, turn on “Groups Claim Type” and set

the “Claim name” to `groups`. Optionally configure a filter for which groups to

be sent.


Configure Coder to use these claims for group sync. These claims are present in

the `id_token`. See all configuration options for group sync in the

[docs](https://coder.com/docs/v2/latest/admin/auth#group-sync-enterprise).

CODER_OIDC_SCOPES=openid,profile,email,groups

CODER_OIDC_GROUP_FIELD=groups

These groups can also be used to configure role syncing based on group

membership.

CODER_OIDC_SCOPES=openid,profile,email,groups

CODER_OIDC_USER_ROLE_FIELD=groups

CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}'

If roles or groups cannot be completely inferred from Okta group memberships,

another option is to source them from a user’s attributes. The user attribute

list can be found in “Directory > Profile Editor > User (default)”.

Coder can query an Okta profile for the application from the `/userinfo` OIDC

endpoint. To pass attributes to Coder, create the attribute in your application,

then add a mapping from the Okta profile to the application.

“Directory > Profile Editor > {Your Application} > Add Attribute”

Create the attribute for the roles, groups, or both. **Make sure the attribute

is of type `string array`.**


On the “Okta User to {Your Application}” tab, map a `roles` or `groups`

attribute you have configured to the application.


Configure using these new attributes in Coder.

CODER_OIDC_IGNORE_USERINFO=false

CODER_OIDC_SCOPES=openid,profile,email

CODER_OIDC_USER_ROLE_FIELD=approles

CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}'

Okta does not support setting custom scopes and claims in the default

authorization server used by your application. If you require this

functionality, you must create (or modify) an authorization server.

To see your custom authorization servers go to “Security > API”. Note the

`default` authorization server **is not the authorization server your app is

using.** You can configure this default authorization server, or create a new

one specifically for your application.

Authorization servers also give more refined controls over things such as

token/session lifetimes.


To get custom claims working, we should map them to a custom scope. Click the

authorization server you wish to use (likely just using the default).

Go to “Scopes”, and “Add Scope”. Feel free to create one for roles, groups, or

both.


Now create the claim to go with the said scope. Go to “Claims”, then “Add

Claim”. Make sure to select **ID Token** for the token type. The **Value**

expression is up to you based on where you are sourcing the role information.

Lastly, configure it to only be a claim with the requested scope. This is so if

other applications exist, we do not send them information they do not care

about.


Now we have a custom scope + claim configured under an authorization server, we

need to configure coder to use this.

CODER_OIDC_ISSUER_URL=https://dev-12222860.okta.com/oauth2/default

CODER_OIDC_SCOPES=openid,profile,email,roles

CODER_OIDC_USER_ROLE_FIELD=roles

CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}'

You can use the “Token Preview” page to verify it has been correctly configured

and verify the `roles` is in the payload.


<div>

<a href="https://github.com/<your_github_handle>" style="text-decoration: none; color: inherit;">

<span style="vertical-align:middle;">Your Name</span>

<img src="<your_github_profile_photo_url>" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>

</a>

</div>

December 13, 2023

This is a guide on how to make Coder guides, it is not listed on our

[official guides page](coder.com/docs/v2/latest/guides) in the docs. This is

intended for those who don't frequently contribute documentation changes to the

`coder/coder` repository.

Defer to our

[Contributing/Documentation](coder.com/docs/v2/latest/contributing/documentation)

page for rules on technical writing.

Use relative imports in the markdown and store photos in

`docs/images/guides/<your_guide>/<image>.png`.

At the top of this example you will find a small html snippet that nicely

renders the author's name and photo, while linking to their Github profile.

Before submitting your guide in a PR, replace `your_github_handle`,

`your_github_profile_photo_url` and "Your Name". The entire `<img>` element can

be omitted.

Once you've written your guide, you'll need to add its route to

`docs/manifest.json` under `Guides` > `"children"` at the bottom:

{

// Overrides the "# Guide Title" at the top of this file

"title": "Contributing to Guides",

"description": "How to add a guide",

"path": "./guides/my-guide-file.md"

},

Before pushing your guide to github, run `make fmt` to format the files with

Prettier. Then, push your changes to a new branch and create a PR.

Here you can find a list of employee-written guides on Coder for OSS and

Enterprise. These tutorials are hosted on our

[Github](https://github.com/coder/coder/) where you can leave feedback or

request new topics to be covered.

<children>

This page is rendered on https://coder.com/docs/v2/latest/guides. Refer to the other documents in the `guides/` directory for specific employee-written guides.

</children>

},

{

"title": "Guides",

"description": "Employee-authored tutorials",

"path": "./guides/index.md",

"icon_path": "./images/icons/notes.svg",

"children": [

{

"title": "Configuring Okta",

"description": "Custom claims/scopes with Okta for group/role sync",

"path": "./guides/configuring-okta.md"

}

]