I am creating a SCIM complient APP for OneLogin. I have implemented SCIM API. It works fine for /Users Request.
But I am not getting what will be the format for /Groups Request and when it will be sent. In which format they are sent and How to assign groups to people. And how to apply mapping for it..I Have read this article( https://developers.onelogin.com/scim/implement-scim-api ) on provisioning for this but it doesn't give me clear insights.
Also, Can one user be in multiple groups?
The first step would be to configure your application to first enable provisioning for the Groups attibute in your SCIM connector (this tells OneLogin that your application supports Groups)
Once that's done, you should 'Refresh Entitlements' and OneLogin will call the app's groups endpoint to retrieve what groups are available to assign users to.
From there you can add Rules to the application in OneLogin that assign users to groups and users can be assigned to as many groups as you want.
Details can be found here: https://developers.onelogin.com/scim/create-app
Related
Trying to create a SCIM application in Okta that would provision both users and groups.
Users seem to work as expected and I am able to push custom attributes for users to our app and also do the proper mappings.
However, I have some issues with Groups. I am using Push Group mechanism.
After I enabled the feature called Group Profiles for Universal Directory an Okta Group Profile was added to the Directory -> Profile Editors, to which I added some new attributes for groups (e.g. email, okta id).
If I create groups with these custom attributes and push them, the only information I get sent to our app is displayName and members.
This is the POST body:
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"displayName":"name of group","members":[]}
So no email or other custom attributes.
It is not clear to me how to differentiate our SCIM app attributes for users vs the ones for groups. In the attribute mappings I only see “From Okta user to My app”, and no “From Okta group to My app” and I can only choose user.attribute and not group.attribute.
Any help is very much appreciated!
I got an answer from support saying that provisioning through SCIM custom group attributes is not supported yet. The option might be available later this year, but there is no ETA.
Setup:
Group in Okta that has a user added
SCIM app in Okta that has the group assigned and pushed
In the above setup, when we remove the user from the group, we don't receive a SCIM PATCH request to remove the user from the group.
When the user is directly assigned to the SCIM app, rather than through the group, we do see a remove SCIM patch request.
Steps to replicate the issue:
Create a SCIM app in Okta and connect it to an application to receive SCIM update events.
Create a group in Okta and assign a user to that group.
Assign the group you created to the SCIM app in Okta, and push that group as well.
In Okta, remove the user from the group.
No remove SCIM operation is sent, which is what I would expect.
For the above steps, if you assign the user directly to the SCIM app, instead of via the group, the remove SCIM operation is sent. This is what we're looking for:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "remove",
"path": "members[value eq \"directory_user_01FFR215H3C9X6V5C8AJFKZ823\"]"
}
]
}
One potential workaround is to manually push the groups from Okta, which sends a replace operation to re-set the group membership.
Is this expected behavior or is this a bug? Requiring assignment of thousands of users individually and not through groups is a blocker in some cases. However, we’re not receiving the correct group removal events if the users are assigned to the SCIM app via groups. Has anyone set up Okta SCIM with group assignments and receives the correct group membership removals?
When user is removed from the group, Okta sends the request which "Disables" the user on the application but does not send the "delete" it.
So, what you are seeing is the right behaviour wrt of Okta user-group relation when it comes to SCIM provisioning.
I've installed a third party app on an AWS EC2 instance. The requirement is when user clicks the web url of this application, user should be authenticated using organization's Azure AD. Since it's a third party app I can not integrate Azure AD with it in the code. Any suggestions on how it can be achieved are welcome. I'm trying out AWS cognito service but so far it didn't work.
Please check if you have followed the steps below and if anything was missed.
Version of Azure AD- free won’t support the onboarding of enterprise apps. So we need to upgrade Azure AD.
Go to enterprise application>new application>non-gallery
application>activate for enterprise account (which is minimum
requirement ,can select premium also)>give AWS app name.
Go to single sign-on by opening the application in azure >choose the
SAML option >Download federation metadata XML as shown below.
Then go to AWS management console>>Enable AWS SSO(Only certain
regions are available to enable SSO,please check that).
Choose the identity source
Change the identity provider>>select external identity
provider>download AWS SSO SAML metadata file which can be used later
in azure side.
In IdP SAML metadata>insert the azure federation metadata file which
is downloaded previously from azure and then review and confirm .
Now go to azure portal where you previously previously created aws app name>Go to single sign on >Upload metadata file>select the file which we previously downloaded from the aws portal>click on add>then click save on basic SAML configuration.
Say yes to test sso if pop up for testing appears.
Now we can provide automatic provisioning.When new user is created in azure AD ,then it must flow in AWS SSO .We can make few users a part of AD group in order to try signin from users.
Now go to AWS Portal and click on >Enable automatic provisioning.Copy
SCIM Endpoint and access token .Go to azure side in the app
provisioning>>Select automatic in provisioning mode>>Then paste the the SCIM end point in Tenant URL and accesstoken>click on Test connection and save the configuration.
Then go for mappings >select Synchronize AAD users to custom app
sso>leave default settings>You can select required attributes
-select beside externalID mailnickname and change the Source attribute to ObjectId(choosing the unique ID on AD side to flow in
AWS)>Also edit mail>change source attribute to userprincipalname.
I. Ensure the user only has one value for phoneNumber/email
II. Remove the duplicate attributes. For example, having two different
attributes being mapped from Azure AD both mapped to
"phoneNumber_____" would result in the error if both attributes in
Azure AD have values. Only having one attribute mapped to a
"phoneNumber____ " attribute would resolve the error.
Now go ahead and map users and groups
Search for groups in portal and add groups >Security type>give a
group name ,description and membership type as assigned>click on create.
Create two or more groups in the same way if needed ,After that
these groups are to be filled with particular users for particular
group .
Now create few users .For that Search for users in portal>new user>give name >add the user to one of the created groups and assign .
After creating users and groups , go to users and groups in your
enterprise app(recommended to select groups rather than individual
and then delete unwanted users)
Go back to provisioning and make the provision status as ON.
Now do the mapping of AD group to access certain AWS accounts by
giving permission sets.
Go to permission sets and select the group or users . You can give
existing job functional access or you can create custom policies .
Now go to settings in AWS portal copy the url and open the page of
the url which redirects to the signin. Give the user credentials and
access is possibleas per the given permissions.
I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.
Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.
I then added an application called My SPA and assigned the Test Group access to this application.
Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.
I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.
I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.
How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?
Edit
Screen shots of what I have:
I’ve only ever used the Developer Console to configure things. Here’s how I did it:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.
You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid
I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc) so that by knowing the Group of User, the role can be derived for Authorizations.
However, I will recommend to use Okta's Custom Attribute in Users' Profile so that the User Info can have required attribute.
The Custom Attribute can be set as Dropdown styled Enumeration to choose from and can also be marked as Mandatory while adding User in system.
https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US
Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm
And Mapping Attributes to Okta Profile -
https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm
Hope this also helps.
I am building OneLogin SCIM Provisioner with SAML (Core Schema) app. I've created two controllers - Users and Groups. UsersController logic works perfectly - I can provision users and do all CRUD operations. But I am having issues with provisioning groups:
Based on the OneLogin articles (Get Groups and Provision Users into Groups) i get the initial GET hit that is trying to retrieve groups (when I refresh entitlements in OneLogin) but nothing comes accross on the OneLogin side. I've gone so far to return exact copy of the example response given in the article. Activity Event Log in OneLogin is showing that Refresh Entitlement operation has started and finished but the result of the operation is nowhere to be seen.
Has anybody experienced similar issue?
Every help and suggestion much appreciated.
Awesome that you're doing SCIM
In Onelogin groups and group memberships are expressed as "Entitlements" which is a fancy term for "things that can be set through rules in OneLogin"
So you need to go into your application and turn on provisioning for the Groups parameter.
Once you've refreshed entitlements (and your application has told OneLogin what groups you have) you should then be able to go into the "Rules" configuration in your OneLogin application and define rules to assign users to the various groups in your app.
Hope that helps.
Also if this is a commercial application (not something in-house) please contact scim-support#onelogin.com if you want something official and pre-configured in the OneLogin app catalog.