Okta Group Push via API

Hi,

we are using the recently released Group Push functionality through which you can push groups from Okta to an AD thus making Okta the owner of the group.

What I haven’t found yet is a way to trigger that push via API as we need to do that for more than 1000 groups…

Has anyone figured out if and how it works?

Best regards,
G.


Hello, I have the same problem.

The easiest way is to trigger the admin panel's private API. Be careful with that, as private APIs are for internal use only and can change without any notice, as well as harm your instance if used with errors.

In my case it looks like:

curl 'https://{{tenant-admin}}.okta.com/api/internal/instance/{{appId}}/grouppush/{{mappingId}}' \
  -H 'Cookie: {{cookies}}' \
  -H 'Origin: https://{{tenant-admin}}.okta.com' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'X-Okta-XsrfToken: {{token}}' \
  -H 'Accept-Language: en-US,en;q=0.9,ru;q=0.8' \
  -H 'User-Agent: {{userAgent}}' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Referer: https://{{tenant-admin}}.okta.com/admin/app/{{appName}}/instance/{{appId}}/' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Connection: keep-alive' \
  --data-binary '{"action":"PUSH"}' \
  --compressed

Hi Andrey,

thanks for this!
This is the first time I've heard about this. Do you know if there is any documentation on that? I just googled it but couldn’t find anything.
Apart from making sure not to cause any harm, I’m wondering what values I would populate {{cookies}} and {{userAgent}} with.
And how do you get the group’s {{mappingId}}?
Thanks a lot!
Best regards,
G.

Also interested in other private API functions.

Private APIs are not documented publicly.

{{cookies}}, {{userAgent}}, {{mappingId}} are your own cookie, browser userAgent and group mappingId from your tenant.

You can use Chrome DevTools to track these fields and copy the necessary data to Postman or curl. Just check there what happens when you click the ‘Push now’ button in the Okta UI.


Hi Andrey,

I’ve been making some progress here in finding the needed values but I still haven’t managed to make it work.
Looking at the values what strikes me as odd is the following:

  • {{mappingId}} is always a different string when I do group pushes in the front-end. Seems like this number is generated AFTER the group push is done and either refers to the mapping between the Okta group and the AD group, or the AD group’s ID. In other words

  • so I tried to populate the group’s Okta ID instead of a mapping ID, but then wondered how the AD would know which OU to push the group into (this is normally selected manually when pushing the group in the front-end)

  • so I guessed that maybe the {{mappingId}} is in fact the OU ID provided by the AD, but again, the number is always different even if I choose the same group and OU to push it to

So I figured in the CURL parameters we’d have to specify at least 2 Okta IDs - the group ID and the OU ID.
When you submit your CURL statement in your environment, in which OU is the group created? In the root OU?

Thanks,
G.

Hello geppe,

I have group push configured for the Jira app and not AD. With Jira, the mappingID is a unique ID for every group I have pushed: group1_to_Jira has one mappingID, group2_to_Jira has another.

I was able to do this with postman.

  1. Push a group manually to AD with Chrome dev tools open to ‘network’ tab.
  2. On the dev tools network tab, copy the request as a Curl
  3. In postman, import the request as text, pasting the curl command copied in step 3.
  4. Create a collection and save the request to the collection
  5. Create and populate a csv with two columns, name, and id (this will be your okta group name and groupid) of the groups you want to push
  6. In the body of the request, replace the group name with “{{name}}” and replace the group id with “{{id}}”. These must match your column headers of your csv
  7. In Postman go to “Runner”, select your collection and API call. In data select your CSV. Check “save responses”.
  8. Start Run!

@dmv5039 Thank you for the information. The challenge I am facing is that the CURL copied to Postman uses an AppGroupID:

{"status":"ACTIVE","userGroupId":"XXXX","existingAppGroupId":"XXXX","groupPushAttributes":{"groupScope":"GLOBAL","groupType":"SECURITY","distinguishedName":"dc=XXXX,dc=com","samAccountName":"XXX"}}

Both Postman and Rockstar do not export the AppGroupId. Did you run into this issue, and what did you do to resolve it?

Has anyone been able to figure out how to do this now that it is looking for an “existingAppGroupId”?

@DukeLe - were you able to find out where that attribute exists? Or did you come up with another solution?

This seems silly that there isn’t an easy way to link groups via API. Similar to @geppe, we have a couple thousand Okta groups we need to link to AD groups. Were you ever able to find a solution for your situation?

How do I authenticate to retrieve the token and cookies attributes?

I was able to pull off Group Push Failed Retries with the private API above with Okta Workflows.

On the API/HTTP Post card, just go to Error Handling and give it a few more retries before returning values.

Considering that there’s already a Workflow Card for capturing failed pushes, I don’t know why we don’t have a workflow card for retrying them.

The only thing I have in the API Connector body is:

{
  "action": "PUSH"
}

The private API call maps to:
https://{{your tenant}}-admin.okta.com/api/internal/instance/{{your app integration ID}}/grouppush/{{app mapping id between okta and your downstream receiver}}

I had to update things with an If/Error card because of a 500 status code being returned. The flow looks like this now:
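As an added example (not code from anyone in this thread), here is a small Python script that does what the Postman CSV runner and the Workflows retry card do: it builds the `{"action":"PUSH"}` POST to the private grouppush endpoint quoted above, drives it from a CSV of mapping IDs, retries on 5xx and stops the run on 401/403 (an expired session cookie or XSRF token). The admin host, app ID, mapping IDs and CSV layout are placeholders you supply from your own tenant; the endpoint is undocumented, as the thread notes, so the request shape is assumed from the posts.

```python
import csv
import io
import json
import time
import urllib.error
import urllib.request


def build_push_request(admin_host, app_id, mapping_id, cookie, xsrf_token):
    """Assemble the POST seen in the thread: URL, headers and body (assumed shape)."""
    url = f"https://{admin_host}/api/internal/instance/{app_id}/grouppush/{mapping_id}"
    headers = {
        "Cookie": cookie,                 # your own admin session cookie
        "X-Okta-XsrfToken": xsrf_token,   # token copied from DevTools
        "Origin": f"https://{admin_host}",
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest",
    }
    return url, headers, json.dumps({"action": "PUSH"}).encode()


def push_with_retries(send, url, headers, body, attempts=3, base_delay=0.0):
    """Retry only on 5xx (the thread reports intermittent 500s); 4xx returns at once."""
    status = None
    for i in range(attempts):
        status = send(url, headers, body)
        if status < 500:
            return status
        time.sleep(base_delay * (2 ** i))   # exponential backoff between retries
    return status


def urllib_send(url, headers, body):
    """Real transport: POST and return the HTTP status (errors included)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def push_mappings_from_csv(send, csv_text, admin_host, app_id, cookie, xsrf):
    """CSV columns name,mappingId (constructed layout). Returns {name: status or None}."""
    results, auth_failed = {}, False
    for row in csv.DictReader(io.StringIO(csv_text)):
        if auth_failed:
            results[row["name"]] = None   # skipped: session no longer valid
            continue
        url, headers, body = build_push_request(admin_host, app_id, row["mappingId"], cookie, xsrf)
        status = push_with_retries(send, url, headers, body)
        results[row["name"]] = status
        auth_failed = status in (401, 403)
    return results
```

Pass `urllib_send` as `send` for a real run; the transport is injected so the retry and stop-on-auth-failure logic can be exercised offline first.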