OKTA Connector not able to pull samlRoles

Has anyone configured the Okta connector to the point where they can pull samlRoles that belong to Okta groups?

They are reference array data types when you create an AWS federated application in Okta.

Thanks

Hi Patel, we don’t have the configuration you’re asking about, but it sounds like you have AWS groups that you’re using for roles and synchronise the groups into Okta. Then you want to pull those groups into IdentityNow/ISC as entitlements?

If you edit the Okta connector you can see the filter settings used to pull in the groups as entitlements:

Since the connector is likely using the list-groups with filter (tested on my tenant, unfortunately it doesn’t use the list groups with search) Okta API you should be able to modify the filter to pull in the groups you desire:

Unfortunately it appears you can't use the starts with (sw) or name attributes in the list groups with filter, so you could either allow all imported APP_GROUP types:
type eq "BUILT_IN" or type eq "OKTA_GROUP" or type eq "APP_GROUP"

Or if you don't have many groups you need to pull in, you could address them individually:
type eq "BUILT_IN" or type eq "OKTA_GROUP" or id eq "00g1emaKYZTWRYYRRTSK" or id eq ""

I’ve confirmed this worked to aggregate an Active Directory group we have synchronised to Okta.

Other options would be to build a custom web-services source specifically to pull in these AWS groups in Okta, as you could use the list Okta groups with search API instead of the filter operation. Or you could potentially build a before-operation rule for your current Okta connector.

Hi Rapheal

Thanks for your response.

I am able to pull the applications, Okta Groups and App Groups by adding the filters as below:

What I am looking to aggregate in IDN is the below from Okta tenants: Applications > AWS Application > Okta groups > SAML User Roles

When I map the samlRoles to a customAttribute within Okta to pull this into the IDN schema,

I get the following:

and that is what I am trying to resolve. How do I get the SAML user roles to be aggregated?

I see there is an Okta API: {{url}}/api/v1/apps//groups that would give me that info, but I think the Okta connector in IDN does not support this API call. Just confirming whether anyone was able to get this info in.

reference:

okta powershell to retrieve AWS group/roles info

How to List the AWS Roles and SAML User Roles Assigned to Okta Groups
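Added example, not code from the thread, SailPoint or Okta: a small Python model of the two API shapes discussed above, the list-groups filter the connector sends and the app group assignment payload that carries samlRoles, joined so each aggregated group is paired with its AWS roles. The response shapes, group ids and role names are constructed placeholders, and `build_group_filter`, `apply_group_filter` and `entitlements` are names chosen here.

```python
# Constructed sample of GET /api/v1/apps/{appId}/groups for an AWS federated
# app (shape assumed; ids and role names are placeholders, not real values).
SAMPLE_APP_GROUPS = [
    {"id": "00gAAAAAAAAAAAAAAAAA", "priority": 0,
     "profile": {"samlRoles": ["aws-prod-admin", "aws-prod-readonly"]}},
    {"id": "00gBBBBBBBBBBBBBBBBB", "priority": 1,
     "profile": {"samlRoles": ["aws-dev-readonly"]}},
    {"id": "00gCCCCCCCCCCCCCCCCC", "priority": 2, "profile": {}},
]

# Constructed sample of GET /api/v1/groups, limited to the fields a filter uses.
SAMPLE_GROUPS = [
    {"id": "00gAAAAAAAAAAAAAAAAA", "type": "OKTA_GROUP", "profile": {"name": "aws-prod"}},
    {"id": "00gBBBBBBBBBBBBBBBBB", "type": "APP_GROUP", "profile": {"name": "aws-dev"}},
    {"id": "00gCCCCCCCCCCCCCCCCC", "type": "APP_GROUP", "profile": {"name": "ad-finance"}},
    {"id": "00gDDDDDDDDDDDDDDDDD", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
]


def build_group_filter(types=("BUILT_IN", "OKTA_GROUP"), group_ids=()):
    """Build the 'list groups with filter' expression in the form the thread uses.
    Straight ASCII quotes only; just 'type' and 'id' equality terms, since the
    thread found that 'sw' and 'name' are not accepted by this endpoint."""
    terms = [f'type eq "{t}"' for t in types]
    terms += [f'id eq "{g}"' for g in group_ids]
    return " or ".join(terms)


def apply_group_filter(groups, expr):
    """Evaluate an 'or'-joined type/id equality filter locally, to preview which
    groups the connector would aggregate before changing the source config."""
    wanted = {"type": set(), "id": set()}
    for term in expr.split(" or "):
        attr, op, value = term.split(" ", 2)
        if op != "eq" or attr not in wanted:
            raise ValueError(f"unsupported filter term: {term}")
        wanted[attr].add(value.strip('"'))
    return [g for g in groups if g["type"] in wanted["type"] or g["id"] in wanted["id"]]


def saml_roles_by_group(app_groups):
    """Map group id -> samlRoles from the app group assignment payload;
    groups with no samlRoles in their profile map to an empty list."""
    return {a["id"]: list(a.get("profile", {}).get("samlRoles", [])) for a in app_groups}


def entitlements(groups, app_groups, expr):
    """Join filtered groups with the AWS app's samlRoles: the per-group data a
    custom web-services source would need to emit as entitlements."""
    roles = saml_roles_by_group(app_groups)
    return {g["profile"]["name"]: roles.get(g["id"], []) for g in apply_group_filter(groups, expr)}
```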

Hi Patel, can you post your IdentityNow Okta source account schema configuration for the mapped attribute, as well as your Okta entitlements schemas?

Perhaps also include the output of API calls to Okta when doing a get group for one of the samlRoles groups and get user for a user that has one or more of the samlRoles assigned?
