Spotfire Ideas Portal
For OKTA integration with Spotfire, we are looking for similar functionality to that available in Statistica. The statistic doesn't need/require SCIM for the assignment of user rights/roles and allows for group claim information to be pulled from the OIDC ID token. As long as the group in the group claim array matches the locally configured group in Statistica, the user is automatically mapped to it.
The benefit of the Statistica model is that we do not need to rely on SCIM for out-of-band user rights management and can just rely on the assignment being done at login. Further, we do not own the provisioning SKU in Okta and can't enable SCIM through it. We would need to use our actual IGA platform for that, which brings in additional complexities, more to manage, etc.
At the end of the day, it would be nice if there was feature parity across all the platforms as far as SSO goes so we can deliver a consistent approach vs. different integration patterns. OIDC only is also a more straightforward pattern.
The problem with providing an out-of-the-box solution to this is that OpenID Connect does not not define any claims for group membership - which means the presence and the format of such a claim varies between OIDC providers (Okta and Microsoft for example both offers such claims but the format differs).
It's however possible to create a solution like the one described using the PostAuthenticationFilter (the OIDC ID token is made available to such filters) but there isn't an OOTB solution currently.