Troubleshooting Group Push
Pushed groups are managed from Okta. Changes made in the target app cause a misalignment with Okta, which can create several problems.
When an error occurs while pushing groups for an app integration, an entry appears on the Errors tab under Pushed Groups on the Push Groups tab. Find the entry and click information (i) under Push Status to show details about the error, including the time of failure and its possible cause. After you make corrections to try to resolve the error, click Retry All Groups to repush all groups that have errors.
Users shown as inactive in Okta aren't pushed to the downstream app. Inactive users must be reactivated and then the group repushed. If an inactive user belongs to more than one group, they must be repushed to all groups in which they're members.
Okta doesn't support using the same group for app assignment and Group Push. If your org doesn't have separate groups for app assignment and Group Push, see Troubleshoot app assignment and group membership.
Groups appear in the target app without their users
If you've successfully pushed a group to the target app but the assigned group members don't appear, verify that one of the following is true:
- The target app has been added to the new group.
- All group members of the new group are assigned to the target app (even if the group itself wasn't assigned yet).
- All group members appear as users in the target app.
- The group you pushed isn't the same one you used to assign and provision users to the app.
If some group members are assigned to the target app and others aren't, only successfully assigned members appear in the target app.
Removed users still appear in target app groups
Verify that the group you pushed isn't the same one you used to assign and provision users to the app. Using the same Okta group for assignments and for group push isn't currently supported.
A group has been deleted directly from the target app
To recover, you must delete the pushed group and reinstate the target app memberships.
- Click the Active / Inactive status button and choose Delete pushed group in app.
- Choose the Leave the group in the target app option.
- Run an import from the target app.
- Retry the push.
Troubleshoot app assignment and group membership
Okta doesn't support using the same group for app assignment and Group Push.
Suppose that your org has an Accounting group that's assigned an app integration, and whose members include Taylor Smith. The following sequence demonstrates the consequences of using the group to assign the integration to users and to create a group in the downstream app through Group Push:
-
The app integration is assigned to the Accounting group in Okta.
-
A user account is created in the downstream app for each member of the group (for example, Taylor Smith).
-
Group Push pushes the Okta Accounting group to the downstream app, which creates the Downstream Accounting group. Taylor Smith is a member of the Downstream Accounting group.
-
Taylor Smith takes a leave of absence from their job. They're deactivated in Okta.
-
Taylor Smith is deactivated in the downstream app. However, Taylor Smith remains a member of Downstream Accounting. The Okta org has no connection to any remaining entries for the user in the downstream app. There's no way for the Okta org to determine whether the user belongs to any downstream groups.
There are two ways to correct situations where you've used the same group for assignment and Group Push: create and use a group for app assignment or create and use a group for Group Push for the assignment.
Solution 1: Create and use a group for app assignment
-
Create a group to use for assigning the app.
-
Copy the members from the original group that have access to the application to the new assignment group.
-
Assign the app to the new assignment group.
-
Unassign the original group from the app.
Solution 2: Create and use a group for Group Push
-
Create a group.
-
Copy the members who have access to the app from the original group to the new group.
-
Unlink the original group push mapping. This leaves the original group in the downstream app.
-
Link the new group to the original group in the remote app on the Push Groups tab of the app integration.