Set Up SAML Group Mapping with Okta

This topic explains how to configure SAML-based Single Sign-On (SSO) with Okta and set up group mapping so that Traceable can automatically assign user roles based on their Okta group membership.

This guide is intended for administrators configuring Traceable as a SAML service provider using Okta as the identity provider.


Before You Begin

Ensure you have the following:

  • Admin access to your Okta tenant.

  • The Traceable application has already been added to your Okta instance.

  • Group names are already defined in Okta for different sets of users.

  • Admin access to the Traceable UI to configure the SAML Group Attribute and role mapping.


Step 1: Configure the Okta Application

  1. In the Okta Admin Console, go to Applications → Applications.

  2. Locate and click the Traceable application.

  3. Open the General tab.

  4. Scroll down to the SAML Settings section and click Edit.

  5. Proceed through the wizard until you reach Attribute Statements (Optional).

  6. Add a new attribute to include group information:

    • Name: groups

    • Name format: Unspecified

    • Filter: Choose either:

      • Starts with (e.g., Traceable) — to send only groups that begin with a particular prefix

      • Or, Equals — to send a specific group

    • Click Next, then Finish.

This step ensures that group data is included in the SAML assertion sent to Traceable.


Step 2: Test and Extract the Group Attribute Name

  1. Go to the Sign On tab of the Traceable app in Okta.

  2. Scroll to the SAML Signing Certificates section.

  3. Click View Setup Instructions or use a tool like SAML-tracer to test the login flow.

  4. Check the decoded SAML response and verify that the group information is included:

    <Attribute Name="groups">
      <AttributeValue>Dev Team</AttributeValue>
    </Attribute>

Note the attribute name (groups) for use as the Group Attribute Name in Traceable, and note each value (such as Dev Team) as a group value to map to a role.


Step 3: Map Groups to Roles in Traceable

  1. In the Traceable UI, go to Configuration → Team.

  2. Click the SAML Config tab.

  3. In the Group Attribute Name field, enter groups.

  4. Click + Add Group to define role mappings:

    • SAML Group: Enter a group value like Dev Team

    • Role: Select the appropriate Traceable role (e.g., Developer)

    • Scope: Define whether the role applies globally or to a specific app/project

  5. Click Add Role, then Save.
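
To check Steps 2 and 3 together, the following added example (not part of the Traceable or Okta tooling) decodes a base64 SAMLResponse, lists the values of the groups attribute, and reports any group that has no role mapping. The sample response, the QA Team group, the ROLE_MAP dictionary and exact-match comparison are assumptions made for illustration; a full SAML 2.0 response qualifies Attribute elements with the assertion namespace, which the abbreviated snippet in Step 2 omits.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample response (unsigned, not captured from a real tenant).
SAMPLE_XML = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>
 <saml2:AttributeStatement><saml2:Attribute Name="groups">
  <saml2:AttributeValue>Dev Team</saml2:AttributeValue>
  <saml2:AttributeValue>QA Team</saml2:AttributeValue>
 </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML)

# Hypothetical copy of the Step 3 mappings: SAML Group -> Traceable role.
ROLE_MAP = {"Dev Team": "Developer"}


def extract_groups(saml_response_b64, attribute_name="groups"):
    """Return every value of the group attribute in a base64 SAMLResponse."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML response has no use for a DTD; refuse one instead of parsing it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD present in SAML response")
    root = ET.fromstring(xml_bytes)
    values = []
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for value in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
                values.append(value.text or "")  # raw text, so stray spaces show
    return values


def unmapped_groups(groups, role_map):
    """Groups the IdP sent that have no mapping (exact match is assumed)."""
    return [g for g in groups if g not in role_map]


if __name__ == "__main__":
    sent = extract_groups(SAMPLE_B64)
    for group in sent:
        print(f"{group!r} -> {ROLE_MAP.get(group, 'NO MAPPING')}")
    print("unmapped:", unmapped_groups(sent, ROLE_MAP))
```

The script only reads attributes and does not verify the response signature, so it is a configuration check rather than a validation of the response.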


What’s Next?

After setup:

  • Users logging in via Okta SSO will automatically receive roles based on group membership.

  • You can edit or remove group-role mappings anytime in the Traceable UI.

Return to the SAML Configuration topic to continue with the rest of the SAML configuration process.