Does Okta send group membership removal when user is assigned to app via a group? - okta

Setup:
Group in Okta that has a user added
SCIM app in Okta that has the group assigned and pushed
In the above setup, when we remove the user from the group, we don't receive a SCIM PATCH request to remove the user from the group.
When the user is directly assigned to the SCIM app, rather than through the group, we do see a remove SCIM patch request.
Steps to replicate the issue:
Create a SCIM app in Okta and connect it to an application to receive SCIM update events.
Create a group in Okta and assign a user to that group.
Assign the group you created to the SCIM app in Okta, and push that group as well.
In Okta, remove the user from the group.
No remove SCIM operation is sent, which is what I would expect.
For the above steps, if you assign the user directly to the SCIM app, instead of via the group, the remove SCIM operation is sent. This is what we're looking for:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq \"directory_user_01FFR215H3C9X6V5C8AJFKZ823\"]"
    }
  ]
}
One potential workaround is to manually push the groups from Okta, which sends a replace operation to re-set the group membership.
Is this expected behavior or is this a bug? Requiring assignment of thousands of users individually and not through groups is a blocker in some cases. However, we’re not receiving the correct group removal events if the users are assigned to the SCIM app via groups. Has anyone set up Okta SCIM with group assignments and receives the correct group membership removals?

When a user is removed from the group, Okta sends the request which "Disables" the user on the application but does not send a "delete" for it.
So, what you are seeing is the right behaviour with respect to the Okta user-group relation when it comes to SCIM provisioning.
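The two request shapes discussed above (the explicit PATCH "remove" with a filter path, and the membership "replace" that a manual group push sends) handled on the application side, as an added example that is not code from the original question or from Okta. The in-memory store, the group id and the member ids other than the one quoted in the question are constructed sample values; the point is that the app can recover the removed members from a replace even when no explicit remove arrives.

```python
"""Added example, not code from the original question or from Okta: a minimal
application-side handler for SCIM 2.0 group membership. It applies the PATCH
"remove" with a filter path shown in the question and the full-membership
"replace" that a manual group push sends, and reports which members disappeared
so the app can revoke access in both cases."""
import re
from typing import Dict, List, Set, Tuple

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Matches a SCIM filter path such as: members[value eq "directory_user_..."]
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


class ScimGroupStore:
    """In-memory group table standing in for the app's real database (assumption)."""

    def __init__(self) -> None:
        self._groups: Dict[str, Set[str]] = {}

    def create_group(self, group_id: str, member_ids: List[str]) -> None:
        self._groups[group_id] = set(member_ids)

    def members(self, group_id: str) -> Set[str]:
        return set(self._groups[group_id])

    def apply_patch(self, group_id: str, patch: dict) -> Tuple[Set[str], Set[str]]:
        """Apply a PatchOp body to a group; return (added, removed) member ids."""
        if PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        current = self._groups[group_id]
        before = set(current)
        for op in patch["Operations"]:
            kind, path = op["op"].lower(), op.get("path")
            if kind == "remove":
                if path == "members":          # no filter: clear the whole list
                    current.clear()
                    continue
                match = _MEMBER_FILTER.match(path or "")
                if not match:
                    raise ValueError(f"unsupported remove path: {path!r}")
                current.discard(match.group(1))
            elif kind == "add" and path == "members":
                current.update(m["value"] for m in op["value"])
            elif kind == "replace" and path == "members":
                # A re-pushed group re-sets the whole list: old members that are
                # no longer present are the implicit removals.
                current.clear()
                current.update(m["value"] for m in op["value"])
            else:
                raise ValueError(f"unsupported operation: {kind} on {path!r}")
        return current - before, before - current


def demo() -> dict:
    """Walk through both paths from the question on a constructed group."""
    store = ScimGroupStore()
    store.create_group("grp_engineering_EXAMPLE", [
        "directory_user_01FFR215H3C9X6V5C8AJFKZ823",  # id quoted in the question
        "directory_user_02EXAMPLEB",                   # constructed
    ])
    # Path 1: explicit remove, as received when the user is assigned directly.
    remove_patch = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "remove",
                        "path": 'members[value eq "directory_user_01FFR215H3C9X6V5C8AJFKZ823"]'}],
    }
    _, removed_by_patch = store.apply_patch("grp_engineering_EXAMPLE", remove_patch)
    # Path 2: the workaround, a manual group push that replaces the member list.
    replace_patch = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "members",
                        "value": [{"value": "directory_user_03EXAMPLEC"}]}],  # constructed
    }
    added_by_replace, removed_by_replace = store.apply_patch("grp_engineering_EXAMPLE", replace_patch)
    return {
        "removed_by_patch": removed_by_patch,
        "added_by_replace": added_by_replace,
        "removed_by_replace": removed_by_replace,
        "final_members": store.members("grp_engineering_EXAMPLE"),
    }
```

Whichever path delivers the change, the `removed` set returned by `apply_patch` is what the app should feed into its own deprovisioning, so access tied to group membership is revoked even when only a replace arrives.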

Related

Sending group custom attributes through the Okta SCIM app

Trying to create a SCIM application in Okta that would provision both users and groups.
Users seem to work as expected and I am able to push custom attributes for users to our app and also do the proper mappings.
However, I have some issues with Groups. I am using Push Group mechanism.
After I enabled the feature called Group Profiles for Universal Directory an Okta Group Profile was added to the Directory -> Profile Editors, to which I added some new attributes for groups (e.g. email, okta id).
If I create groups with these custom attributes and push them, the only information I get sent to our app is displayName and members.
This is the POST body:
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"displayName":"name of group","members":[]}
So no email or other custom attributes.
It is not clear to me how to differentiate our SCIM app attributes for users vs the ones for groups. In the attribute mappings I only see “From Okta user to My app”, and no “From Okta group to My app” and I can only choose user.attribute and not group.attribute.
Any help is very much appreciated!
I got an answer from support saying that provisioning through SCIM custom group attributes is not supported yet. The option might be available later this year, but there is no ETA.

Okta not returning custom claims in tokens

I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.
Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.
I then added an application called My SPA and assigned the Test Group access to this application.
Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.
I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.
I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.
How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?
Edit: Screen shots of what I have:
I’ve only ever used the Developer Console to configure things. Here’s how I did it:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.
You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid.
I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users, etc.) so that, by knowing the Group of the User, the role can be derived for Authorization.
However, I would recommend using Okta's Custom Attribute in the Users' Profile so that the User Info can carry the required attribute.
The Custom Attribute can be set as a dropdown-style enumeration to choose from and can also be marked as Mandatory while adding a User to the system.
https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US
Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm
And Mapping Attributes to Okta Profile - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm
Hope this also helps.

How to use Cognito to Control API Access

We are building a number of microservices using API Gateway+lambda+DynamoDB. We need to secure these APIs using Cognito, which we are using for user management. We will have a user pool and two groups with a different IAM role attached to each group. The need is that users in one group should not be able to access all services, and likewise for the users in the other group.
Any suggestions, how we can implement this?
The issue is that the ID token generated by Cognito is not validated by API Gateway to check what level of access the user has. All it checks is whether the Cognito ID token is valid or not.
You can use API Gateway custom authorizers to validate policies attached to each group.
From AWS Documentation:
You can use groups in a user pool to control permission with Amazon API Gateway. The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in. You can submit those ID tokens with requests to Amazon API Gateway, use a custom authorizer Lambda function to verify the token, and then inspect which groups a user belongs to.
Additional references to implement:
https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
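What the quoted documentation describes, as an added example that is not code from the answer above or from AWS: a Lambda authorizer that verifies the token, reads the `cognito:groups` claim that a user pool places in the ID token, and returns an IAM policy allowing only the routes that the user's groups may call. Two assumptions are labelled in the code: the token is HS256-signed with a shared secret so the example runs offline (real Cognito tokens are RS256-signed and are verified against the user pool's JWKS), and the issuer URL, the group-to-route table and the sample user are constructed.

```python
"""Added example (not from the original answer or AWS's own code): an API Gateway
Lambda authorizer (TOKEN type) that verifies a Cognito-style ID token, inspects
the "cognito:groups" claim and maps the user's groups to the methods they may
invoke. ASSUMPTION: HS256 with a shared secret stands in for Cognito's RS256
signature and JWKS lookup so that the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: placeholder for the JWKS public key
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # constructed
# Assumed mapping of user-pool group -> "METHOD/resource" the group may call.
GROUP_ROUTES = {
    "admins": ["GET/orders", "POST/orders", "GET/reports"],
    "customers": ["GET/orders"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Sign a JWT with the demo secret (stands in for the user pool's signing key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def demo_token(groups, ttl=3600, sub="user-123") -> str:
    """Constructed sample ID token; in production it comes from Cognito at sign-in."""
    return make_token({"sub": sub, "iss": ISSUER, "token_use": "id",
                       "exp": int(time.time()) + ttl, "cognito:groups": groups})


def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, token_use and expiry; return the claims or raise."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def build_policy(principal: str, effect: str, method_arns: list) -> dict:
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arns}],
        },
    }


def handler(event: dict, context=None) -> dict:
    """Lambda authorizer entry point. methodArn looks like
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<resource>."""
    arn_base, stage, *_ = event["methodArn"].split("/")
    api_prefix = f"{arn_base}/{stage}"
    raw = event["authorizationToken"]
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    try:
        claims = verify_token(token)
    except ValueError:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    allowed = []
    for group in claims.get("cognito:groups", []):
        allowed += [f"{api_prefix}/{route}" for route in GROUP_ROUTES.get(group, [])]
    if not allowed:
        return build_policy(claims["sub"], "Deny", [event["methodArn"]])
    return build_policy(claims["sub"], "Allow", sorted(set(allowed)))
```

The group check happens after signature, issuer, `token_use` and expiry validation, so a caller cannot escalate by editing the `cognito:groups` claim: the forged payload fails the signature check before any policy is built. A user with no recognised group gets an explicit Deny on the invoked method rather than an empty policy.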

How to detect if group is deleted from user in Okta

I am trying to get deleted groups from a user via the REST API in Okta.
I can't see anything which gives me information on deleted groups from a user in Okta.
How can I detect if a group is removed from a user in Okta?

OneLogin Provisioning using SCIM

I am creating a SCIM-compliant app for OneLogin. I have implemented the SCIM API. It works fine for /Users requests.
But I am not clear on what the format of a /Groups request will be and when it will be sent: in which format they are sent, how to assign groups to people, and how to apply mapping for it. I have read this article ( https://developers.onelogin.com/scim/implement-scim-api ) on provisioning, but it doesn't give me clear insights.
Also, can one user be in multiple groups?
The first step would be to configure your application to first enable provisioning for the Groups attribute in your SCIM connector (this tells OneLogin that your application supports Groups).
Once that's done, you should 'Refresh Entitlements' and OneLogin will call the app's groups endpoint to retrieve what groups are available to assign users to.
From there you can add Rules to the application in OneLogin that assign users to groups and users can be assigned to as many groups as you want.
Details can be found here: https://developers.onelogin.com/scim/create-app