New Okta Group Push API

If you have been working with applications in Okta for some time and occasionally use the APIs (or Workflows), you will be aware that one glaring omission in the API library was a way to manage the Push Groups on applications. This has now been addressed with the Group Push Mapping API.

The Group Push Mapping API

We have had APIs to manage groups and applications in Okta for a long time, including the ability to assign users and groups to apps. But missing was an API to manage the push groups assigned to an app. This is addressed with the new Group Push Mapping API, which allows programmatic access to Push Groups mapped to applications. There are five API endpoints.

The endpoints are self-explanatory: list all push group mappings for an app, create a mapping for an app, get details of a specific mapping for an app, update a mapping for an app and delete a mapping for an app.

For example, if I wanted to see all groups mapped as push groups to an app, I would make a call like:

GET /api/v1/apps/0oa7l040g0UbnhVtp1d7/group-push/mappings

This returns a list of objects, one describing each push group mapping on the app.
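To show how the list and create endpoints fit together in automation (this is the same step the push-mapping helper flow in the Workflows example below performs), here is an added Python example that is not code from the original post or from Okta. It assumes the list endpoint returns a JSON array whose objects carry sourceGroupId, targetGroupId, mappingId and status, that the create endpoint accepts a body of {"sourceGroupId": ...}, and that the org URL and group ID are constructed placeholders (the app ID is the one from the call above). The HTTP layer sits behind a small transport seam so the logic runs offline against an in-memory fake, and the create is made idempotent: a re-run of the flow must not create a second mapping for the same group.

```python
"""Idempotently make an Okta group a push group on an application using the
Group Push Mapping API. Added example, not code from the original post or Okta.
Assumed (not confirmed by the post): list responses are JSON arrays of objects
with "sourceGroupId", "targetGroupId", "mappingId", "status"; create takes
{"sourceGroupId": ...}. ORG_URL and TEAM_GROUP_ID below are constructed."""
import json
import urllib.request
from typing import Callable, Optional

# A transport takes (method, url, json_body) and returns (status, headers, body).
# Keeping HTTP behind this seam lets the same logic run offline against a fake.
Transport = Callable[[str, str, Optional[dict]], tuple]


def okta_transport(api_token: str) -> Transport:
    """Live HTTPS transport using an Okta API (SSWS) token. Read the token from
    the environment; never embed it in source or in a Workflows card."""
    def send(method: str, url: str, body: Optional[dict]):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send


def next_link(headers: dict) -> Optional[str]:
    """Okta paginates list responses with a Link header; return the rel="next"
    URL if present, else None."""
    for part in headers.get("Link", "").split(","):
        if 'rel="next"' in part:
            return part.split(";", 1)[0].strip().strip("<>")
    return None


def list_push_mappings(send: Transport, org_url: str, app_id: str) -> list:
    """GET /api/v1/apps/{appId}/group-push/mappings, following every page."""
    url = f"{org_url}/api/v1/apps/{app_id}/group-push/mappings"
    mappings = []
    while url:
        status, headers, body = send("GET", url, None)
        if status != 200:
            raise RuntimeError(f"listing mappings failed: HTTP {status}")
        mappings.extend(json.loads(body))
        url = next_link(headers)
    return mappings


def find_mapping(mappings: list, source_group_id: str) -> Optional[dict]:
    """Return the mapping whose Okta source group is source_group_id, if any."""
    return next((m for m in mappings if m.get("sourceGroupId") == source_group_id), None)


def ensure_push_mapping(send: Transport, org_url: str, app_id: str,
                        source_group_id: str) -> tuple:
    """Create the push mapping only if the group is not already pushed to the
    app. Returns (mapping, created)."""
    existing = find_mapping(list_push_mappings(send, org_url, app_id), source_group_id)
    if existing is not None:
        return existing, False
    url = f"{org_url}/api/v1/apps/{app_id}/group-push/mappings"
    status, _, body = send("POST", url, {"sourceGroupId": source_group_id})
    if status not in (200, 201):
        raise RuntimeError(f"creating mapping failed: HTTP {status}: {body!r}")
    return json.loads(body), True


class FakeOkta:
    """Constructed in-memory stand-in for the two endpoints used above. It
    serves one mapping per page with a Link header so pagination is exercised."""
    def __init__(self, mappings: list):
        self.mappings = list(mappings)
        self.calls = []

    def __call__(self, method: str, url: str, body: Optional[dict]):
        self.calls.append((method, url, body))
        if method == "GET":
            base, _, query = url.partition("?")
            page = int(query.split("after=", 1)[1]) if "after=" in query else 0
            headers = {}
            if page + 1 < len(self.mappings):
                headers["Link"] = f'<{base}?after={page + 1}>; rel="next"'
            return 200, headers, json.dumps(self.mappings[page:page + 1]).encode()
        new = {"mappingId": f"oag{len(self.mappings)}", "status": "ACTIVE",
               "sourceGroupId": body["sourceGroupId"], "targetGroupId": None}
        self.mappings.append(new)
        return 200, {}, json.dumps(new).encode()


ORG_URL = "https://example.okta.com"          # constructed placeholder
APP_ID = "0oa7l040g0UbnhVtp1d7"                # app ID from the post
TEAM_GROUP_ID = "00gEXAMPLEteam1"              # constructed placeholder


def demo() -> tuple:
    """Against the fake: the first call creates, the second is a no-op."""
    fake = FakeOkta([{"mappingId": "oag0", "status": "ACTIVE",
                      "sourceGroupId": "00gEXAMPLEother", "targetGroupId": "t0"},
                     {"mappingId": "oag1", "status": "ACTIVE",
                      "sourceGroupId": "00gEXAMPLEanother", "targetGroupId": "t1"}])
    first, created1 = ensure_push_mapping(fake, ORG_URL, APP_ID, TEAM_GROUP_ID)
    second, created2 = ensure_push_mapping(fake, ORG_URL, APP_ID, TEAM_GROUP_ID)
    return created1, created2, first["mappingId"], second["mappingId"]


if __name__ == "__main__":
    print(demo())
```

To run it against a real org, replace the FakeOkta instance with okta_transport(os.environ["OKTA_API_TOKEN"]) and a real group ID; the token should be one whose admin role is limited to the apps and groups the automation actually needs, since creating a mapping is what exposes the group to the downstream application.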

How can we use these? Let’s look at an example.

An Example With Okta Privileged Access

Okta Privileged Access (OPA) uses groups pushed from Okta to define administrative roles and policy membership. Group membership is therefore managed in Okta, while what the members of that group can do in OPA is defined by the OPA roles and policies the pushed group is assigned to.

Let’s look at an end-to-end example using Okta Workflows. I have a requirement to automatically create a secrets folder in OPA for a new team and give that team the ability to manage secrets in that folder. This means I need a new group in Okta for that team, that new group assigned as a push group to OPA in Okta, a new secret folder in OPA, and a new policy in OPA allowing that group to manage secrets in that folder.

So the steps are:

  1. Create a new Secret Folder in OPA,
  2. Create a new Group in Okta,
  3. Assign that new group as a push group on the OPA app in Okta, and
  4. Create a new Secret Policy in OPA and assign that group to it

This is done in a series of helper flows under a single main flow. The main flow sets some arguments (including the group name) and then calls four helper flows corresponding to the steps above, passing in the arguments from the initial assignment or from previous helper flow calls.

The first helper flow (MAIN11 in the pic above) will create the new folder (based on the group name) in a standard top level folder. This is using the Create a secret folder OPA API endpoint with the OPA Connector Custom API Action card.

The second helper flow (MAIN12) will create a new group in Okta and assign a user to it. This is using the standard Create Group and Add User to Group cards in the Okta connector.

The third helper flow (MAIN13) is using the new API to assign the new Okta group to the OPA application. It uses the Create a Group Push Mapping API endpoint with the Okta Connector Custom API Action card.

The last helper flow (MAIN14) creates a new Secret Policy and assigns the new pushed group as the principal for the policy. This is using the Create a Security Policy API endpoint with the OPA Connector Custom API Action card.

Thus we have automated the entire process of adding a new group, assigning it as a push group on the OPA app, creating the new folder and assigning a policy to it for the new group. Note that because OPA derives roles and policy membership from pushed groups, creating a mapping (and adding members to the source group) is effectively a privilege grant in OPA, so the flow, and the API token or connector authorization it runs under, should be restricted accordingly.

Having an API to manage group push mapping is something that’s been asked for by customers for some time and opens up a lot of exciting automation use cases that were missing this critical piece before.
