8

I'm trying to sync users/groups that sit behind Okta in Active Directory. Specifically, I'd like to get all groups a user belongs to, upon login to a third party application.

Looking at the Okta API documentation (http://developer.okta.com/docs/api/resources/groups.html) I see that I could accomplish this by performing the following operations (in pseudo-code):

FETCH ALL GROUPS (using List Groups operation)
FOR EACH GROUP
    FETCH A LIST OF USERS (using List Group Members operation)

For my purposes this seems very inefficient, but I can't find a better way of doing this by looking at the documentation.

Ideally, what I would like to do is:

FETCH ALL GROUPS FOR A GIVEN USER ID

Is there any way I could accomplish this?

Any help is appreciated. Thanks.

danvalencia
  • 1
    Well, not sure if it helps, but you can add the groups of the user to the token (access or ID) in Okta, so upon login you get the ID and access token with all the needed information already – Mr.P Feb 18 '22 at 12:27

3 Answers

4

I found the answer: the Get Member Groups API call does this exact thing. It's under Related Resources here: http://developer.okta.com/docs/api/resources/users.html

danvalencia
  • 3
    I think this will work only if you are logged in with admin (Okta admin) credentials. What about normal users? (Like when we are logged in as a normal user and we want to know the group which this user belongs to?) – Nisfan Apr 13 '17 at 07:29
  • @Nisfan I am experiencing the same thing. Groups come over in a Postman request, but when I make a fetch request from the browser, Groups always come over as an empty array. But if I give the User "Okta Admin" permissions, then all of their groups come through on the response as expected. Were you able to resolve this? – pstricker May 03 '17 at 15:57
  • 1
    @pstricker - you can create an **api_token** and add it in the header of the GET request ([ref](http://developer.okta.com/docs/api/resources/users.html#request-example-18)). And you can create the api_token from the admin account ([ref](http://developer.okta.com/docs/api/getting_started/getting_a_token.html)). – Nisfan May 04 '17 at 17:13
  • Here's an updated [link](https://developer.okta.com/docs/reference/api/users/#get-user-s-groups) for the API – StCleezy Dec 01 '21 at 20:32
1

It's also possible to get this list when the user logs in to an app via SAML.

Add a Group Attribute Statement with filter Matches regex and value .*.

You will get the user's groups as part of the XML.

[Image: get user groups okta upon signin]

gilm
1

https://developer.okta.com/docs/reference/api/users/#get-user-s-groups how about that?

[GET] /api/v1/users/$userid/groups

Mr.P
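
The `GET /api/v1/users/{id}/groups` call named in the answers above, sent with the admin-created API token mentioned in the comments, as an added example that is not part of the original posts. It assumes the `SSWS` authorization scheme Okta uses for API tokens and a `Link` header with `rel="next"` for further pages; the org URL, user id, token and the `fake_okta` transport are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumption: more results are signalled by a Link header with rel="next".
_NEXT = re.compile(r'<([^>]+)>\s*;\s*rel="next"')

def _http_get(url, headers):
    """Default transport: return (parsed JSON body, list of Link header values)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp), resp.headers.get_all("Link") or []

def get_user_groups(org_url, user_id, api_token, http_get=_http_get):
    """Return [(group_id, group_name), ...] from GET /api/v1/users/{id}/groups."""
    base = urllib.parse.urlsplit(org_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("org_url must be an https URL; the token is a bearer secret")
    # Quote the id so a value such as "../groups" cannot change the path called.
    uid = urllib.parse.quote(user_id, safe="")
    url = f"https://{base.netloc}/api/v1/users/{uid}/groups"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    groups = []
    while url:
        body, links = http_get(url, headers)
        groups += [(g["id"], g.get("profile", {}).get("name")) for g in body]
        nxt = next((m.group(1) for m in map(_NEXT.search, links) if m), None)
        # Follow a next link only on the same https host, so the token stays in the org.
        same = nxt and urllib.parse.urlsplit(nxt)[:2] == ("https", base.netloc)
        url = nxt if same else None
    return groups

def fake_okta(url, headers):
    """Constructed two-page response standing in for the real API (sample data)."""
    if "after=" not in url:
        page = [{"id": "00g_constructed_1", "profile": {"name": "Everyone"}}]
        return page, [f'<{url}?after=00g_constructed_1>; rel="next"']
    return [{"id": "00g_constructed_2", "profile": {"name": "Engineering"}}], []

if __name__ == "__main__":
    # Placeholder org, user id and token; real tokens belong in server-side secrets.
    print(get_user_groups("https://example.okta.com", "00u_constructed",
                          "PLACEHOLDER_TOKEN", http_get=fake_okta))
```

An API token carries the permissions of the admin who created it, so this call belongs in the third-party application's backend rather than in browser code.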