7

I'm trying to sync users/groups that sit behind Okta in Active Directory. Specifically, I'd like to get all groups a user belongs to, upon login to a third party application.

Looking at the Okta API documentation (http://developer.okta.com/docs/api/resources/groups.html) I see that I could accomplish this by performing the following operations (in pseudo-code):

FETCH ALL GROUPS (using List Groups operation)
FOR EACH GROUP
    FETCH A LIST OF USERS (using List Group Members operation)

For my purposes this seems very inefficient, but I can't find a better way of doing this by looking at the documentation.

Ideally, what I would like to do is:

FETCH ALL GROUPS FOR A GIVEN USER ID

Is there any way I could accomplish this?

Any help is appreciated. Thanks.

danvalencia

2 Answers

4

I found the answer: the Get Member Groups API call does this exact thing. It's under Related Resources here: http://developer.okta.com/docs/api/resources/users.html

danvalencia
  • 3
    I think this will work only if you are logged in with admin (Okta admin) credentials. What about normal users? (Say we are logged in as a normal user and we want to know the group this user belongs to?) – Nisfan Apr 13 '17 at 07:29
  • @Nisfan I am experiencing the same thing. Groups come over in a Postman request, but when I make a fetch request from the browser, Groups always come over as an empty array. But if I give the User "Okta Admin" permissions then all of their groups come through on the response as expected. Were you able to resolve this? – pstricker May 03 '17 at 15:57
  • @pstricker - you can create an **api_token** and add it in the header of the GET request ([ref](http://developer.okta.com/docs/api/resources/users.html#request-example-18)). And you can create the api_token from the admin account ([ref](http://developer.okta.com/docs/api/getting_started/getting_a_token.html)). – Nisfan May 04 '17 at 17:13
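
The Get Member Groups call from the answer above (`GET /api/v1/users/{id}/groups`), made from server-side code with the API token in the `Authorization: SSWS` header, so the admin-issued token is never shipped to the browser. This is an added example, not code from the original posts; the org URL, user id, token and response body are constructed placeholders, and `fake_opener` is a hypothetical stand-in for the network call.

```python
import io
import json
import urllib.parse
import urllib.request

# Constructed sample of the JSON array returned by GET /api/v1/users/{id}/groups.
SAMPLE_BODY = b"""[
  {"id": "00gEXAMPLE1", "profile": {"name": "Finance"}},
  {"id": "00gEXAMPLE2", "profile": {"name": "Everyone"}}
]"""


def build_groups_request(org_url, user_id, api_token):
    """Build the Get Member Groups request for one user."""
    if not org_url.startswith("https://"):
        raise ValueError("org_url must be https so the token is not sent in clear")
    # Percent-encode the id so a crafted value cannot alter the request path.
    path = "/api/v1/users/%s/groups" % urllib.parse.quote(user_id, safe="")
    return urllib.request.Request(
        org_url.rstrip("/") + path,
        headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"},
    )


def group_names(body):
    """Return the sorted group names from the endpoint's JSON array."""
    groups = json.loads(body)
    if not isinstance(groups, list):
        raise ValueError("expected a JSON array of groups")
    return sorted(g["profile"]["name"] for g in groups)


def fetch_group_names(org_url, user_id, api_token, opener=urllib.request.urlopen):
    """Run on the server; `opener` is injectable so the flow can run offline."""
    req = build_groups_request(org_url, user_id, api_token)
    with opener(req, timeout=10) as resp:
        return group_names(resp.read())


def fake_opener(req, timeout=None):
    """Offline stand-in for urlopen that returns the constructed sample."""
    return io.BytesIO(SAMPLE_BODY)


if __name__ == "__main__":
    # Hypothetical values; load the real token from a server-side secret store.
    print(fetch_group_names("https://example.okta.com", "00uEXAMPLE",
                            "PLACEHOLDER_TOKEN", opener=fake_opener))
```
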
0

It's also possible to get this list when the user logs in to an app via SAML.

Add a Group Attribute Statement with filter `Matches regex` and value `.*`.

You will get the user's groups as part of the XML.

[Image: get user groups okta upon signin]

gilm