Export/Import Authentication Policies

We’ve developed authentication policies in our oktapreview environment and would love to export/import to prod.

I’ve used {{url}}/api/v1/policies/rstXXX/rules to get the policy and all its rules.
But when I try to create a new one using the JSON from above, I get either:

"errorCode": "E0000001",
"errorSummary": "Api validation failed: The policy could not be created or updated because the request was not formatted correctly. Please ensure that the value of the \"type\" field is valid and that the rest of the body conforms to the expected format for that type.",

or

"errorCode": "E0000003",
"errorSummary": "The request body was not well-formed.",

I was able to create a new policy using the default/example…is it possible that you can’t pass in any of the really useful parts of a policy object (Policy | Okta Developer) like conditions or actions?

The policies I have in preview have multiple rules based on managed/unmanaged, group memberships, behavior detection. Would be nice to do a simple export to json → import…

Well…I guess I should have RTFM:
POST to api/v1/policies/rsrXXXX/rules does create the rule…but, if I have multiple rules:
The JSON is:
[
{
"name":"rule1",
.
.
.
.
},
{
"name":"rule2",
.
.
.
.
},
{
"name":"rule3",
.
.
.
.
}
]
But it doesn’t like that. I have to ship it one rule at a time. Not a big deal, just a PITA. Would be nice if there was a 1:1 export/import.

Having a convo with myself here, but posting for posterity:

  1. Got all the rules associated with a policy (GET on api/v1/policies/rstSOURCE/rules)
  2. Looped through all rules:
    2a. Removed the following nodes/tags/thingies: id, created, lastUpdated, _links
    2b. Did a POST to api/v1/policies/rstDESTINATION/rules

Works with these caveats:
A rule that has a user/group/zone referenced will fail since the guids from tenant1 won’t exist in tenant2.
Also, the ‘catch-all rule’ will need to be done via a PUT to the rule’s guid.
So I also captured the guid for the ‘Catch-all rule’ in the destination. When I was looping and was processing the SOURCE’S ‘Catch-all rule’, I changed the POST to a PUT and the URI to api/v1/policies/rsrDESTINATION/rules/rulCATCHALLRULEID

Can now export/import a full authentication policy via API! Huzzah!


@medic459 thanks for adding your findings here in case anyone else has this use case in the future!
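
The export/import procedure from the thread above, as an added example (not code from the original posts or from Okta): it turns an exported rule list into one request per rule, switches the catch-all rule to a PUT, and holds back any rule whose conditions still carry source-tenant IDs. The function names, the condition key names (`users`, `groups`, `network` with `include`/`exclude`), matching the catch-all rule by name, and the sample export are assumptions made for illustration.

```python
import copy

SERVER_FIELDS = ("id", "created", "lastUpdated", "_links")  # fields the post strips
TENANT_KEYS = ("users", "groups", "network")  # assumed keys that hold tenant-specific IDs

def tenant_refs(node, under=None):
    """Collect IDs from include/exclude lists beneath users/groups/network conditions."""
    refs = []
    if isinstance(node, dict):
        for key, value in node.items():
            scope = key if key in TENANT_KEYS else under
            if scope and key in ("include", "exclude") and isinstance(value, list):
                refs += [(scope, v) for v in value]
            else:
                refs += tenant_refs(value, scope)
    elif isinstance(node, list):
        for item in node:
            refs += tenant_refs(item, under)
    return refs

def plan_import(source_rules, dest_policy, dest_catchall_id):
    """Return (requests, blocked): one request per rule, never a JSON array of rules."""
    requests, blocked = [], []
    base = f"/api/v1/policies/{dest_policy}/rules"
    for rule in source_rules:
        body = {k: copy.deepcopy(v) for k, v in rule.items() if k not in SERVER_FIELDS}
        refs = tenant_refs(body.get("conditions"))
        if refs:
            blocked.append((rule["name"], refs))  # IDs must be remapped before sending
        elif rule["name"].lower() == "catch-all rule":
            requests.append(("PUT", f"{base}/{dest_catchall_id}", body))
        else:
            requests.append(("POST", base, body))
    return requests, blocked

# Constructed sample export (placeholder IDs, not real tenant data).
SAMPLE = [
    {"id": "rulSRC1", "name": "Managed devices", "created": "t", "lastUpdated": "t",
     "_links": {}, "conditions": {"device": {"managed": True}}},
    {"id": "rulSRC2", "name": "Admins", "_links": {},
     "conditions": {"people": {"groups": {"include": ["00gSRCGROUP"]}}}},
    {"id": "rulSRC3", "name": "Catch-all Rule", "_links": {}, "conditions": None},
]

if __name__ == "__main__":
    reqs, held = plan_import(SAMPLE, "rstDESTINATION", "rulCATCHALLRULEID")
    for method, path, _ in reqs:
        print(method, path)
    for name, refs in held:
        print("BLOCKED", name, refs)
```

A rule left in `blocked` never reaches the destination, so the imported policy is not equivalent to the source until those IDs are remapped and the rule is sent.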
