Okta Push Group

brijesh · April 4, 2019, 6:15am

Is okta push group is the same as okta groups?

dragos · April 4, 2019, 8:46am

Push group is a procedure to create groups in an application, using either SCIM or any other procedure (this requires a pre-integrated custom application done by Okta engineering team).

Once the groups are created inside the application, if the members of the group are also assigned to the application under Assignments tab, then the group membership is pushed to the application.

You can find out more details about this procedure here.

brijesh · April 4, 2019, 9:01am

Thanks for your Assistance
I have a quick question regarding push groups.

we have already a feature available of group provisioning, so how push group differs from okta groups or both groups are same?
then why do we need this feature push groups?

dragos · April 4, 2019, 9:06am

Hi @brijesh

Okta groups are containers for users in order to manage access more easily, while push groups is a functionality to send Okta groups to target applications.

brijesh · April 4, 2019, 10:17am

Hi@dragos

if I can assign multiple applications at a time into an application group.
then why I need of this feature Push Group?
How can I differentiate between both Please help.

dragos · April 4, 2019, 10:23am

Hi @brijesh

Group assignment under Assignments will just assign the users that are added in the Okta group. This is a way to easily manage access to the application.

If we are looking at the provisioning functionality, group assignment under assignment tab will only create and/or link the users present in the group with the ones in the target app.
Push group functionality is needed if want to create also the group in the target app and add the group memberships for the users added under Assignments tab.

tjpspf · May 2, 2023, 6:07pm

I think I’m tracking with your answers, but if you have to (1) make sure that the users in a particular have already been assigned to the application before (2) pushing said group to the application, then why (3) does Okta say that the same group shouldn’t be used for assigning and pushing?

It’s my understanding that if I wanted, say, all users in “Group A” to make it to the external application, and I also wanted “Group A” to show up in the external application, then I would first assign “Group A” to the application before then pushing “Group A” to the application. Is that not correct? If not, then what’s the correct way to go about this?

andrea · May 10, 2023, 6:28pm

Where are you seeing that the groups for the assignment to a Provisioning app shouldn’t be the same as the pushed groups? Are you maybe thinking of Group Rules instead?

And did you test that combination: assigning the group to the app and then pushing it? Did it work for you? I’ve tested this in the past and its worked fine for me.

tjpspf · May 10, 2023, 7:15pm

The following are the known Group Push limitations: Using the same Okta group for assignments and for group push is not supported. To maintain consistent group membership between Okta and the downstream app, you need to create a separate group that is configured to push groups to the target app.

Source: About Group Push | Okta

Also see: https://support.okta.com/help/s/article/Okta-Group-Push-Can-I-use-the-sameOktagroup-for-application-assignments-and-for-group-push?language=en_US

Now, I haven’t actually experienced any race conditions in my manual testing. But the multiple mentions of this in the Okta docs/guides gave me pause. Is this no longer a limitation for Group Push?

andrea · May 24, 2023, 10:46pm

Ah, I must have misremembered what I had tested previously, sorry about that. I’ve not heard of there being any update regarding that stated limitation