Sending group custom attributes through the Okta SCIM app - okta

Trying to create a SCIM application in Okta that would provision both users and groups.
Users seem to work as expected and I am able to push custom attributes for users to our app and also do the proper mappings.
However, I have some issues with Groups. I am using Push Group mechanism.
After I enabled the feature called Group Profiles for Universal Directory an Okta Group Profile was added to the Directory -> Profile Editors, to which I added some new attributes for groups (e.g. email, okta id).
If I create groups with these custom attributes and push them, the only information I get sent to our app is displayName and members.
This is the POST body:
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"displayName":"name of group","members":[]}
So no email or other custom attributes.
It is not clear to me how to differentiate our SCIM app attributes for users vs the ones for groups. In the attribute mappings I only see “From Okta user to My app”, and no “From Okta group to My app” and I can only choose user.attribute and not group.attribute.
Any help is very much appreciated!

I got an answer from support saying that provisioning through SCIM custom group attributes is not supported yet. The option might be available later this year, but there is no ETA.

Related

SCIM2 => Okta provisioning: Is it possible to update attributes with import?

When we initially import users into Okta via our SCIM test app, attributes like name and roles are set correctly in Okta. This appears to be configured here in the "To Okta" provisioning settings:
With the list of attributes and action to apply here:
Roles isn't listed here as an attribute, but they are part of the core schema and are imported if supplied by our SCIM app.
It looks like we can only apply these attributes on the initial create? If you edit the various attributes you'll see:
The "Create and update" option is greyed out. So it seems that you can only set attributes with the initial create. Is there some other way to update Okta with changes made in our internal system?

Okta not returning custom claims in tokens

I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.
Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.
I then added an application called My SPA and assigned the Test Group access to this application.
Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.
I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.
I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.
How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?
Edit
Screen shots of what I have:
I’ve only ever used the Developer Console to configure things. Here’s how I did it:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.
You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid
I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc) so that by knowing the Group of User, the role can be derived for Authorizations.
However, I will recommend to use Okta's Custom Attribute in Users' Profile so that the User Info can have required attribute.
The Custom Attribute can be set as Dropdown styled Enumeration to choose from and can also be marked as Mandatory while adding User in system.
https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US
Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm
And Mapping Attributes to Okta Profile -
https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm
Hope this also helps.

OneLogin SCIM provisioning for Groups

I am building OneLogin SCIM Provisioner with SAML (Core Schema) app. I've created two controllers - Users and Groups. UsersController logic works perfectly - I can provision users and do all CRUD operations. But I am having issues with provisioning groups:
Based on the OneLogin articles (Get Groups and Provision Users into Groups) i get the initial GET hit that is trying to retrieve groups (when I refresh entitlements in OneLogin) but nothing comes accross on the OneLogin side. I've gone so far to return exact copy of the example response given in the article. Activity Event Log in OneLogin is showing that Refresh Entitlement operation has started and finished but the result of the operation is nowhere to be seen.
Has anybody experienced similar issue?
Every help and suggestion much appreciated.
Awesome that you're doing SCIM
In Onelogin groups and group memberships are expressed as "Entitlements" which is a fancy term for "things that can be set through rules in OneLogin"
So you need to go into your application and turn on provisioning for the Groups parameter.
Once you've refreshed entitlements (and your application has told OneLogin what groups you have) you should then be able to go into the "Rules" configuration in your OneLogin application and define rules to assign users to the various groups in your app.
Hope that helps.
Also if this is a commercial application (not something in-house) please contact scim-support#onelogin.com if you want something official and pre-configured in the OneLogin app catalog.

OneLogin Provisioning using SCIM

I am creating a SCIM complient APP for OneLogin. I have implemented SCIM API. It works fine for /Users Request.
But I am not getting what will be the format for /Groups Request and when it will be sent. In which format they are sent and How to assign groups to people. And how to apply mapping for it..I Have read this article( https://developers.onelogin.com/scim/implement-scim-api ) on provisioning for this but it doesn't give me clear insights.
Also, Can one user be in multiple groups?
The first step would be to configure your application to first enable provisioning for the Groups attibute in your SCIM connector (this tells OneLogin that your application supports Groups)
Once that's done, you should 'Refresh Entitlements' and OneLogin will call the app's groups endpoint to retrieve what groups are available to assign users to.
From there you can add Rules to the application in OneLogin that assign users to groups and users can be assigned to as many groups as you want.
Details can be found here: https://developers.onelogin.com/scim/create-app

How to mark api-created Okta users as being provided by Active Directory

We’re currently running the Okta Active Directory agent in order to import our users into Okta.
I'd like to replace this with a custom built process that imports users into a new internal database, for other user-management-related activities, whilst also adding those users to Okta.
Creating the user in Okta is easy, but I also need to get the user's "provider" set to ACTIVE_DIRECTORY, so that Okta delegates authentication to Active Directory.
The documentation (http://developer.okta.com/docs/api/resources/users.html#provider-object) says that the User's Provider field is read-only.
How can I set it?
While you cannot directly manipulate the credential object you can leverage other features available to achieve the desired result.
Create a group in Okta and configure it as a directory provisioning group. From the designated group select 'Manage Directories' add the desired Directory and follow the wizard to completion.
Add the created users to the group (using the API)
You unfortunately cannot set this property as we do not allow the creation of Active Directory users through the public API at this point.
If the purpose of the new process is simply to enrich the user's profile, can't you not achieve this by letting the AD agent sync the users and enrich the profile directly through the API?

Resources