You can add a Groups claim to ID tokens for any combination of App Groups and User Groups to perform single sign-on (SSO) using the Okta Org Authorization Server. You can also add a Groups claim to ID tokens and access tokens to perform authentication and authorization using a Custom Authorization Server.

This guide walks you through creating a Groups claim for an OpenID Connect client application. This approach is recommended if you are using only Okta-mastered Groups. For groups not mastered in Okta, you need to use an expression. See Retrieve both Active Directory and Okta groups in OpenID Connect claims. For an Okta Org Authorization Server, you can only create an ID token with a Groups claim, not an access token.

Additionally, you can create a dynamic or static allow list when you need to set group allow lists on a per-application basis using both the Org Authorization Server and a Custom Authorization Server.

See Customize tokens returned from Okta when you want to define your own custom claims. For example, you might want to add a user's email address to an access token and use that to uniquely identify the user, or you may want to add information stored in a user profile to an ID token.

This guide assumes that you:


If you need help or have an issue, post a question on the Okta Developer Forum.