Okta User API - Merging data from two endpoints

Team - I am trying to query Okta user API for users. I found that some of the extended properties that are in AD are within the app endpoint, for example: {{url}}/api/v1/apps/0oa23ai0JW6/users while the other properties are within the normal SCIM api, for example: {{url}}/api/v1/users

My question:

  • Can I make one call to the user API and be able to get both ActiveDirectory and normal SCIM results?
  • Does Okta have GraphQL user API available?
  • Is there any other solution that you guys can recommend?

Thanks!

  1. To retrieve a SCIM user, you need to follow this API. It is based on your SCIM server.

    GET /scim/v2/Users?startIndex=1&count=100 HTTP/1.1
    User-Agent: Okta SCIM Client 1.0.0
    Authorization: <Authorization credentials>

  2. We do not have one but you can create GraphQL for your app. You can refer to the below article.
    Build a CRUD App with Node.js and GraphQL | Okta Developer

  3. You may check if import users can help.

User import operations are initiated by Okta, either manually or on a schedule. To run an import for your SCIM users, go into the Okta Admin Console:

  1. Select your SCIM integration from the list of integrations in your Okta org.
  2. Under the Import tab, click To Okta and Import Now to do a one-time import.
  3. Okta prompts you to review and confirm assignments for any users that aren’t automatically matched to existing Okta users.

For more info, please check this article.
https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-import-users-main.htm

Thanks for the response, but I am not trying to build my own SCIM, rather I want to connect to Okta’s SCIM connector. Does Okta expose SCIM? Secondly, the challenge I have is some of the data that I am looking for is in {{url}}/api/v1/apps/0oa23ai0JW6/users and the other data is in {{url}}/api/v1/users - I was hoping a GraphQL type of endpoint (exposed by Okta) would allow me to query one time and get all the data that I need within one call.

@Ansari
API {{url}}/api/v1/users helps list all users.
https://developer.okta.com/docs/reference/api/users/#list-all-users

API {{url}}/api/v1/apps/0oa23ai0JW6/users is requesting users assigned to a specific application.
https://developer.okta.com/docs/reference/api/apps/?_ga=2.10139447.389718919.1621454857-633878429.1621454017#list-users-assigned-to-application

Did you try to verify these two endpoints in Postman? You will see how it works in Postman. All users should include the users assigned to the app.

Yes, I can use Postman and see the response with user’s profile properties.

My challenge is that the app specific API {{url}}/api/v1/apps/0oa23ai0JW6/users (which is my ActiveDirectory app) does not have managerUPN property populated, I have to get the manager from the API to populate data. However, the manager is populated in my normal /user API. Hence I started to look into GraphQL etc. If I can somehow populate the managerUPN in my ActiveDirectory API, this issue could be resolved. Note that I can get Manager DN, but not Manager UPN.

@Ansari So the issue comes to how to populate the property managerUPN in your ActiveDirectory app.
I am not sure if your configuration was set up well but you can open a support ticket through an email to support@okta.com. One of our TSEs will help you review your configuration and the API issue.

We have had a ticket opened, but all it did was to create a property in /user profile not in AD profile. Looking for a proper fix.

@Ansari Good to know you had a case open already. Then you can ask our TSEs to help you with a possible fix/workaround.
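
A client-side join of the two responses discussed in this thread, as an added example that is not part of any post and is not Okta's code: it matches app-assignment records to user records on the shared user id and fills an empty app-profile field from the user profile. The sample records are constructed, and the profile field names (managerUPN, managerDn, manager) and the fill mapping are assumptions.

```python
# Constructed sample records shaped like the two responses; the profile
# field names (managerUPN, managerDn, manager) are assumptions.
USERS = [  # as returned by {{url}}/api/v1/users
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"login": "alice@example.com", "manager": "carol@example.com"}},
    {"id": "00u2", "status": "ACTIVE",
     "profile": {"login": "bob@example.com", "manager": "carol@example.com"}},
    {"id": "00u3", "status": "ACTIVE", "profile": {"login": "carol@example.com"}},
]
APP_USERS = [  # as returned by {{url}}/api/v1/apps/<appId>/users
    {"id": "00u1", "profile": {"managerDn": "CN=Carol,OU=Staff,DC=example,DC=com",
                               "managerUPN": None}},
    {"id": "00u2", "profile": {"managerDn": "CN=Carol,OU=Staff,DC=example,DC=com",
                               "managerUPN": ""}},
    {"id": "00u9", "profile": {"managerDn": None}},  # no matching user record
]

def join_okta_views(users, app_users, fill=None):
    """Join app-user records to user records on the shared Okta user id.

    fill maps an app-profile field to the user-profile field that supplies it
    when the app value is empty. The two profiles stay in separate keys so one
    source never silently overwrites the other; filled fields are recorded.
    """
    fill = fill or {}
    by_id = {u["id"]: u for u in users}
    merged, unmatched = [], []
    for app_user in app_users:
        user = by_id.get(app_user["id"])
        if user is None:  # assigned to the app but absent from the user list
            unmatched.append(app_user["id"])
            continue
        app_profile = dict(app_user.get("profile") or {})  # copy, inputs untouched
        filled = []
        for app_field, user_field in fill.items():
            if not app_profile.get(app_field) and user["profile"].get(user_field):
                app_profile[app_field] = user["profile"][user_field]
                filled.append(app_field)
        merged.append({"id": app_user["id"], "status": user.get("status"),
                       "user": user["profile"], "app": app_profile,
                       "filled_from_user": filled})
    return merged, unmatched

if __name__ == "__main__":
    rows, missing = join_okta_views(USERS, APP_USERS, fill={"managerUPN": "manager"})
    for row in rows:
        print(row["id"], row["app"].get("managerUPN"), row["filled_from_user"])
    print("app users with no matching user record:", missing)
```

App users left in the unmatched list are worth reviewing rather than dropping, since an assignment with no corresponding user record usually means the two result sets were filtered or paged differently.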