The groups attribute on a user in the SCIM api is always empty. What is it for? Even if a user is added to a group in the Directory settings, the groups attribute is an empty list. I cannot find any documentation for that attribute and what it is supposed to contain.
Hi there, the SCIM specsheet defines the group attribute this way:
It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider.
Ideally, you’d want to have a many-to-many relationship between your Groups table and Users table in your external application’s database. This relationship would populate your groups attribute for a user dynamically and avoid any potential security issues down the line with a hard-coded groups list that could grant outdated access. Does that make sense?
Maybe a bit. But the thing that I still don’t understand is this. When I update or create a user in Okta, there is an POST or PUT request sent to my application with that user and its attributes. Within those attributes there is a groups attribute which does always has an empty list as value. I assumed that it would contain information about which groups the user belongs to in Okta, but it does not. I have not activated groups in the SCIM settings for the application though, not sure if it is needed for this. The application does not support the groups api for SCIM at the moment.
@generti Have you been able to solve this? I’m having the same issue where I would just like to know a users Group name without having to implement the Groups API logic since my application is not using that at all.
We have group API also implemented , when we still see the same issue . The group attribute has been sent as empty for user post/put call.
The “groups” attribute sent in the user payload will only be populated by any pushed/imported groups the user is a member of within Okta. No other groups the user is assigned will be in this list. If you do not have any Push Group rules and/or have not enabled Import Groups, this list will remain empty.
Hi @KevinLameco ,
Have you been able to solve this issue,
I am in the same boat, where I want to know if we can fetch group info without having to implement the Groups API logic?
@andrea, the group push sends only provide a scims/v2/Groups request with the specific group information along with the member list, but I am still not seeing any group info in the user schema on a new user create, is there any other configuration needed to enable this ?
At this time, you cannot receive group profile information in these updates, only User membership details and the group name.
You may want to file an Okta Idea for your use case if you wish to collect more information about the groups assigned/synced with your app
Thank you for getting back to me @andrea,
I am just looking to get all the group names, that the user belongs to, and would not need all the group profile attributes
Currently, even if I add the group information explicitly during the user creation, this is not passed as part of SCIM user Post request
The only groups that will be sent to the SCIM server are ones that are configured to be pushed and the membership will match the membership of users that are in that group that are assigned to the application in question. Do you at least see this?
yes, @andrea unfortunately I still don’t see any group info in the user schema
below are the steps that I tried
Set up
- Create a ‘TestGroup’ under Directory->Groups
- Assigned that Group to my SCIM application
- Pushed the Group from Application–> SCIMAPP–>Push Group ( ensure the state is active)
Case 1:
- Create a user under Directory->People ( Ensured to Add the Group Info
TestGroup)
Behavior
- A POST user SCIM request is sent to my service including all the data ( schemas:core:2.0:User and schemas:extension:enterprise:2.0:User ) except the “groups”: which remains empty |
- although after a few seconds, a PUT Group Request is sent for TestGroup with the updated member info
Case 2:
Assign an already existing user to TestGroup
- First a Group Put is sent with the updated member list
- then a User Post with the same above schema is sent to the service without any groups data included
@pritha.kv How is your SCIM server responding you receive these POST and PUT requests from Okta? Does your SCIM server properly support the Groups endpoint?
Were you able to figure out the issue? I am having the exact same issue, the groups attribute in POST/PUT requests to the Users endpoint comes up empty. @andrea was there ever a solution found?