How can I get all groups a user belongs to using Okta's API?

Asked 1/9, 2015 at 18:38 Answered 17/1, 2022 at 13:31

Solved active-directory single-sign-on okta

I'm trying to sync users/groups that sit behind Okta in Active Directory. Specifically, I'd like to get all groups a user belongs to, upon login to a third party application.

Looking at the Okta API documentation (http://developer.okta.com/docs/api/resources/groups.html) I see that I could accomplish this by performing the following operations (in pseudo-code):

FETCH ALL GROUPS (using List Groups operation)
FOR EACH GROUP
    FETCH A LIST OF USERS (using List Group Members operation)

For my purposes this seems very inefficient, but I can't find a better way of doing this by looking at the documentation.

Ideally, what I would like to do is:

FETCH ALL GROUPS FOR A GIVEN USER ID

Is there any way I could accomplish this ?

Any help is appreciated. Thanks.

Runty answered 1/9, 2015 at 18:38 Comment(1)

well not sure if it helps, but you can add groups of the user in the token (access or id) in OKTA.. so upon login, you get the ID and ACCESS token with all needed information already – Intelligence 18/2, 2022 at 12:27

I found the answer: the Get Member Groups API call does this exact thing. It's under Related Resources here: http://developer.okta.com/docs/api/resources/users.html

Runty answered 1/9, 2015 at 22:49 Comment(4)

I think, this will work only if you are logged in with admin (okta admin) credentials. what about normal users ? (like we logged in with normal user and we want to know the group which this user belongs to ?) – Inositol 13/4, 2017 at 7:29

@Inositol I am experiencing the same thing. Groups come over in a postman request, but when I make a fetch request from the browser Groups always come over as an empty array. But if I give the User "Okta Admin" permissions then all of their groups come through on the response as expected. Were you able to resolve this? – Massimiliano 3/5, 2017 at 15:57

@Massimiliano - you can create an api_token and add it in the header of the GET request.(ref). And you can create api_token from the admin account(ref.) – Inositol 4/5, 2017 at 17:13

Here's an updated link for the API – Bathesda 1/12, 2021 at 20:32

https://developer.okta.com/docs/reference/api/users/#get-user-s-groups how about that?

[GET] /api/v1/users/$userid/groups

Intelligence answered 17/1, 2022 at 13:31 Comment(0)

It's also possible to get this list when the user logs in into an app via SAML.

Add a Group Attribute Statement with filter Matches regex and value .*.

You will get the user's groups as part of the XML.

Duvall answered 9/2, 2020 at 16:1 Comment(0)

Recommended topics

Hot tags