OIDC groups not syncing from Okta with external identity providers

Last updated: September 16, 2025

If some of your OIDC groups aren't syncing from Okta to Spacelift, the likely cause is how Okta's groups claim handles the different group types: the default filter only sees groups that live in Okta itself.

The Problem

Okta's Groups "Filter" claim type (using "Matches regex" with .*) only matches groups that were created locally in Okta. It will not match:

  • App groups (groups synced from external applications like HiBob, Google Workspace, etc.)

  • Active Directory groups

  • Other external identity provider groups

The Solution

Instead of using a Groups Filter, you need to use a Groups Expression in your Okta application configuration.

For All Group Types

If you want to include all group types (Okta groups, built-in groups, and app groups), use this expression:

user.getGroups({'group.type': {'OKTA_GROUP','APP_GROUP','BUILT_IN'}}).![name]

For Specific External Applications

If you want more control and only want to include groups from specific external applications along with your Okta groups, use this approach:

Arrays.flatten(
  user.getGroups({'group.type': {'OKTA_GROUP','BUILT_IN'}}),
  user.getGroups(
    {'group.type': {'APP_GROUP'}},
    {'group.source.id': {'YOUR_APP_SOURCE_ID'}}
  )
).![name]

To find your application's source ID:

  1. Go to your Okta admin console

  2. Navigate to the external application (e.g., HiBob, Google Workspace)

  3. Look at the browser URL: the application's source ID is part of it
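To see what each claim configuration would put into the token, here is an added Python model (not Okta's or Spacelift's own code) that applies the rules above to a constructed set of groups. The group type names follow the expressions above; the application source IDs are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional
import re

@dataclass(frozen=True)
class Group:
    """One Okta group as the groups claim sees it (a model, not Okta's API)."""
    name: str
    type: str                       # 'OKTA_GROUP', 'APP_GROUP' or 'BUILT_IN'
    source_id: Optional[str] = None  # app instance that owns an APP_GROUP

# Constructed sample directory; the 0oa... values are placeholders, not real IDs.
SAMPLE_GROUPS = [
    Group("Everyone", "BUILT_IN"),
    Group("spacelift-admins", "OKTA_GROUP"),
    Group("Engineering", "APP_GROUP", source_id="0oaHIBOB_PLACEHOLDER"),
    Group("Finance", "APP_GROUP", source_id="0oaGWORKSPACE_PLACEHOLDER"),
]

LOCAL_TYPES = {"OKTA_GROUP", "BUILT_IN"}  # groups that exist in Okta itself

def filter_claim(groups: List[Group], regex: str = r".*") -> List[str]:
    """Groups 'Filter' claim: the regex is applied only to groups local to Okta,
    so APP_GROUP memberships never reach the token however broad the regex is."""
    pat = re.compile(regex)
    return [g.name for g in groups if g.type in LOCAL_TYPES and pat.fullmatch(g.name)]

def expression_all_types(groups: List[Group]) -> List[str]:
    """user.getGroups({'group.type': {'OKTA_GROUP','APP_GROUP','BUILT_IN'}}).![name]"""
    wanted = {"OKTA_GROUP", "APP_GROUP", "BUILT_IN"}
    return [g.name for g in groups if g.type in wanted]

def expression_specific_app(groups: List[Group], app_source_id: str) -> List[str]:
    """Arrays.flatten(local and built-in groups, APP_GROUPs from one source).![name]"""
    local = [g.name for g in groups if g.type in LOCAL_TYPES]
    from_app = [g.name for g in groups
                if g.type == "APP_GROUP" and g.source_id == app_source_id]
    return local + from_app

def dropped_by_filter(groups: List[Group]) -> List[str]:
    """Memberships a user holds in Okta that the Filter claim silently omits,
    i.e. the groups Spacelift never sees with the old configuration."""
    seen = set(filter_claim(groups))
    return [g.name for g in groups if g.name not in seen]
```

Running dropped_by_filter over your own export of a user's groups is a quick way to confirm which memberships the old Filter claim was hiding before you switch to an Expression.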

How to Update Your Configuration

  1. In your Okta admin console, go to your Spacelift application

  2. Navigate to the Sign On tab

  3. Edit the Groups claim

  4. Change from "Filter" to "Expression"

  5. Replace the regex filter with one of the expressions above

  6. Save your changes

After making this change, users will need to log out and log back in to Spacelift for the new group memberships to take effect.