I had the exact same issue.
Basically, what I wanted to do, was to have my Authentik user created as an admin, and the others to be created as users (as anyway, I would be able to change the roles of the other users from my user).
Here’s how I fixed it :
1 - In left navigation menu, went to “Directory/Groups”, then created a new “group” called “ocisAdmin”.
2 - In left navigation menu, went to “Directory/Users”, then assigned my user to this new group.
3 - In left navigation menu, went to “Customization/Property Mappings”, then, created a new “Scope Mapping” (penultimate option on my UI). Gave it a name that speaks to me (“oCIS email scope extended”, if you want to know), “email” as “Scope Name”, and this expression:
return {
"roles": "ocisAdmin"if ak_is_group_member(request.user, group_uuid="55bb2a58-2973-4753-a16a-6ebc80bec705") else"ocisUser"
} # Replace the UUID with your group's one, I found it in the URL when modifying the group in Authentik
4 - In left navigation menu, went to “Applications/Providers”, opened each oCIS provider, clicked “Edit”, opened the sub-menu “Advanced protocol settings”, selected my custom “Property mapping” in the left “Scopes” menu, and clicked on the right pointing arrow to have it selected for those providers.
Also, make SURE that you have this property set:
PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
Now, my users are properly populated into oCIS.
I still need to figure out how to make the applications work, but I have faith I’ll figure it out :)
I had the exact same issue.
Basically, what I wanted to do, was to have my Authentik user created as an admin, and the others to be created as users (as anyway, I would be able to change the roles of the other users from my user).
Here’s how I fixed it :
1 - In left navigation menu, went to “Directory/Groups”, then created a new “group” called “ocisAdmin”.
2 - In left navigation menu, went to “Directory/Users”, then assigned my user to this new group.
3 - In left navigation menu, went to “Customization/Property Mappings”, then, created a new “Scope Mapping” (penultimate option on my UI). Gave it a name that speaks to me (“oCIS email scope extended”, if you want to know), “email” as “Scope Name”, and this expression:
return { "roles": "ocisAdmin" if ak_is_group_member(request.user, group_uuid="55bb2a58-2973-4753-a16a-6ebc80bec705") else "ocisUser" } # Replace the UUID with your group's one, I found it in the URL when modifying the group in Authentik4 - In left navigation menu, went to “Applications/Providers”, opened each oCIS provider, clicked “Edit”, opened the sub-menu “Advanced protocol settings”, selected my custom “Property mapping” in the left “Scopes” menu, and clicked on the right pointing arrow to have it selected for those providers.
Also, make SURE that you have this property set:
PROXY_ROLE_ASSIGNMENT_DRIVER=oidcNow, my users are properly populated into oCIS.
I still need to figure out how to make the applications work, but I have faith I’ll figure it out :)
Hope that helped !