We are using the recently released Group Push functionality, through which you can push groups from Okta to an AD, thus making Okta the owner of the group.
What I haven’t found yet is a way to trigger that push via API as we need to do that for more than 1000 groups…
The easiest way is to trigger the admin panel private API. Be careful with that, as private APIs are for internal use only and can change without any notice, as well as harm your instance if used with errors.
thanks for this!
This is the first time I've heard about this. Do you know if there is any documentation on that? I just googled it but couldn’t find anything.
Apart from making sure not to cause any harm, I’m wondering what values I would populate `{{cookies}}` and `{{userAgent}}` with.
And how do you get the group’s `{{mappingId}}`?
Thanks a lot!
Best regards,
G.
`{{cookies}}`, `{{userAgent}}` and `{{mappingId}}` are your own cookie, your browser's userAgent and the group mappingId from your tenant.
You can use Chrome DevTools to track these fields and copy the necessary data to Postman or curl. Just check there what happens when you click the ‘Push now’ button in the Okta UI.
I’ve been making some progress here in finding the needed values but I still haven’t managed to make it work.
Looking at the values what strikes me as odd is the following:
`{{mappingId}}` is always a different string when I do group pushes in the front-end. It seems like this number is generated AFTER the group push is done and either refers to the mapping between the Okta group and the AD group, or to the AD group’s ID. In other words
so I tried to populate the group’s Okta ID instead of a mapping ID, but then wondered how to tell AD which OU to push the group into (this is normally selected manually when pushing the group in the front-end)
so I guessed that maybe the `{{mappingId}}` is in fact the OU ID provided by AD, but again, the number is always different even if I choose the same group and OU to push it to.
So I figured that in the curl parameters we’d have to specify at least 2 Okta IDs: the group ID and the OU ID.
When you submit your curl statement in your environment, in which OU is the group created? In the root OU?
I have group push configured for the Jira app and not AD. With Jira, the mappingID is a unique ID for every group I have pushed: group1->to_Jira has one mappingID, group2_to_Jira has another.
1. Push a group manually to AD with Chrome dev tools open to the ‘Network’ tab.
2. On the dev tools Network tab, copy the request as a curl command.
3. In Postman, import the request as text, pasting the curl command copied in step 3.
4. Create a collection and save the request to the collection.
5. Create and populate a CSV with two columns, name and id (this will be your Okta group name and group ID), of the groups you want to push.
6. In the body of the request, replace the group name with “{{name}}” and replace the group ID with “{{id}}”. These must match the column headers of your CSV.
7. In Postman go to “Runner”, select your collection and API call. In Data select your CSV. Check “save responses”.
Has anyone been able to figure out how to do this now that it is looking for an “existingAppGroupId”?
@DukeLe - were you able to find out where that attribute exists? Or did you come up with another solution?
This seems silly, that there isn’t an easy way to link groups via API. Similar to @geppe, we have a couple thousand Okta groups we need to link to AD groups. Were you ever able to find a solution for your situation?
On the API/HTTP Post card, just go to Error Handling and give it a few more retries before returning values.
Considering that there’s already a Workflow Card for capturing failed pushes, I don’t know why we don’t have a workflow card for retrying them.
The only thing I have in the API Connector body is:

```json
{
  "action": "PUSH"
}
```
The private API call maps to:

`https://{{your tenant}}-admin.okta.com/api/internal/instance/{{your app integration ID}}/grouppush/{{app mapping id between okta and your downstream receiver}}`
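To tie the two approaches in this thread together (the CSV-driven Postman runner and the `{"action": "PUSH"}` body posted to the internal `grouppush` endpoint, with the retry handling mentioned for the Workflows HTTP card), here is an added script that is not from the thread and not Okta code. It drives the same private endpoint quoted above, so everything the thread says about that endpoint being unsupported and changeable applies. It assumes (none of this is confirmed by the thread) that a `Cookie` header copied from DevTools plus a browser `User-Agent` is enough for the request to be accepted, that the CSV carries a `mappingId` column with the per-group mapping ID, and that 429 and 5xx responses are the ones worth retrying; the sample CSV rows are constructed placeholders.

```python
"""Push Okta groups from a CSV via the private admin grouppush endpoint.

Added example, not from the forum thread or Okta. Header names, CSV layout
and the retry policy are assumptions; the URL shape and body are the ones
quoted in the thread.
"""
import csv
import io
import json
import os
import time
import urllib.error
import urllib.request

# Endpoint shape quoted in the thread (private API; may change without notice).
PUSH_URL = ("https://{tenant}-admin.okta.com/api/internal/instance/"
            "{app_id}/grouppush/{mapping_id}")

# Assumption: these are the responses for which a retry is worthwhile.
RETRY_STATUSES = {429, 500, 502, 503, 504}

# Constructed sample input: name,id are the Postman columns from the thread,
# mappingId is an assumed extra column holding the per-group mapping ID.
SAMPLE_CSV = """name,id,mappingId
Sales,00gEXAMPLEGROUP1,0pmEXAMPLEMAPPING1
Engineering,00gEXAMPLEGROUP2,0pmEXAMPLEMAPPING2
,,
"""


def load_mappings(csv_text):
    """Parse the CSV into dicts, skipping rows without a mapping ID."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("mappingId") or "").strip():
            rows.append({k: (row.get(k) or "").strip() for k in ("name", "id", "mappingId")})
    return rows


def build_push_request(tenant, app_id, mapping_id, cookie, user_agent):
    """Return (url, headers, body) for one push; body is the one quoted in the thread."""
    url = PUSH_URL.format(tenant=tenant, app_id=app_id, mapping_id=mapping_id)
    headers = {
        "Cookie": cookie,           # assumption: admin session cookie copied from DevTools
        "User-Agent": user_agent,   # assumption: the browser's UA string
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps({"action": "PUSH"}).encode()
    return url, headers, body


def http_send(url, headers, body, timeout=30):
    """POST once; return the HTTP status, or None on a network-level failure."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return None


def push_with_retries(url, headers, body, retries=3, delay=2.0, send=http_send):
    """Send with linear back-off on retryable statuses. Returns (status, attempts)."""
    status = None
    for attempt in range(1, retries + 1):
        status = send(url, headers, body)
        if status is not None and status not in RETRY_STATUSES:
            return status, attempt
        if attempt < retries:
            time.sleep(delay * attempt)
    return status, retries


def push_all(csv_text, tenant, app_id, cookie, user_agent, send=http_send, delay=2.0):
    """Push every mapping in the CSV; return {group name: (status, attempts)}."""
    results = {}
    for row in load_mappings(csv_text):
        url, headers, body = build_push_request(tenant, app_id, row["mappingId"], cookie, user_agent)
        results[row["name"]] = push_with_retries(url, headers, body, delay=delay, send=send)
    return results


if __name__ == "__main__":
    # Real values come from the environment; the CSV path is the only argument.
    import sys
    csv_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSV
    outcome = push_all(csv_text, os.environ["OKTA_TENANT"], os.environ["OKTA_APP_ID"],
                       os.environ["OKTA_COOKIE"], os.environ.get("OKTA_UA", "Mozilla/5.0"))
    for name, (status, attempts) in outcome.items():
        print(f"{name}: status={status} attempts={attempts}")
```

Run it with `OKTA_TENANT`, `OKTA_APP_ID` and `OKTA_COOKIE` set and a CSV path as the argument; `push_with_retries` takes the `send` callable as a parameter so the retry logic can be exercised against canned statuses without touching a tenant.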