Using Group Push
Group Push enables you to take existing Okta groups and their memberships, and push them to provisioning-enabled, third-party applications. These memberships are then mastered by Okta.
Note: Pushed groups are managed from Okta. Making changes from the target app causes a misalignment with Okta and creates problems.
- You must have provisioning enabled in the target app. If it is not enabled, you will be prompted to do so.
- Any group members that you want to push to the target app MUST be previously provisioned and assigned to the target app. As an Okta-mastered group, changes should never be made from the target app.
  Note: This process is always Okta-mastered, therefore you cannot push a group name that already exists within the target app unless the app supports Enhanced Group Push. For example, G Suite, Box, Jive, and Active Directory allow you to link their existing groups to Okta. See Enhanced Group Push for details.
- API access must be enabled in the target app.
- Confirm that the relevant group members are already imported into Okta and provisioned for the target app.
- This is an Early Access feature. To enable it, contact Okta Support.
- To push groups to Active Directory, you must have permission to create groups in AD. See Minimum Okta service account permissions.
Note: Users who show as inactive in Okta are not pushed to the downstream app. Inactive users must be reactivated and then the group re-pushed. If the inactive user is a member of more than one group, they must be re-pushed to all groups in which they are members.
Configure group push
Using Office 365 as our example:
- Access your Okta instance of O365.
- Within the app, choose the Push Groups tab.
- Click Push Groups to add one or more groups. Groups can be added by name or by rule. Keep in mind that, unless the app is listed under Enhanced Group Push, you cannot push groups or group names that already exist in the target app.
  If you keep the Push group memberships immediately setting checked (default), the selected membership is immediately pushed to the target app.
  - Find groups by name provides a simple search field with auto-complete capability.
  - Find groups by rule is a helpful option when there are a large number of groups or a known naming convention for them. The wizard allows you to create a rule and specify its search criteria. Once created, the rule name is shown under the By rule filter and the found groups are listed under the Group in Okta column.
- Select one or all of the groups from the list, then use the Bulk Edit button to delete or deactivate the active groups.
  You can also delete or deactivate specific groups by clicking the Active / Inactive status button.
- Deactivate group push pauses the synchronization of groups, retaining their appearance in the app (for example, Box). In this mode, you can keep adding new members to the group, but those changes won't appear in the target app.
- Unlink pushed group permanently removes the group from Okta and the app (for example, Box). A message appears with two options for deleting groups:
  - Delete the group in the target app — this option deletes the group and all its associated memberships.
  - Leave the group in the target app — this option tells Okta to stop pushing memberships, but the group remains in the target app.
- Push Now serves to "force" a push in the rare case that the state of Okta and the target app are no longer in sync. This action performs a full overwrite of the overall membership and makes Okta the master for the group. The exception is Active Directory, where Push Now only pushes the newest members to the group and does not overwrite the overall membership.
- The Information button (alongside the Active / Inactive status button) displays creation information and group type. When an error occurs, it provides helpful troubleshooting information. See Troubleshooting Group Push for details.
Using the same Okta group for assignments and for group push is not currently supported. To maintain consistent group membership between Okta and the downstream app, create a separate group that is configured to push to the target app.
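As an added illustration (not Okta's own code or API), the following Python models the membership rules described above: which members a push skips (users inactive in Okta or not assigned to the app), how membership edited directly in the target app shows up as drift, and how Push Now's full overwrite differs from the additive Active Directory behaviour. The user logins, app name and target-app membership are constructed sample data.

```python
# Added illustration (not Okta code): models the Group Push rules this page describes.
from dataclasses import dataclass

APP = "Office 365"  # constructed target app name


@dataclass(frozen=True)
class OktaUser:
    login: str
    active: bool              # inactive users are never pushed
    assigned_apps: frozenset  # apps the user is provisioned/assigned to


def pushable_members(group_members, app):
    """Split a group's members into those Group Push sends and those it skips (with reason)."""
    pushed, skipped = set(), {}
    for u in group_members:
        if not u.active:
            skipped[u.login] = "inactive in Okta: reactivate, then re-push every group they belong to"
        elif app not in u.assigned_apps:
            skipped[u.login] = "not provisioned/assigned to the target app"
        else:
            pushed.add(u.login)
    return pushed, skipped


def membership_drift(okta_members, target_members):
    """Detect changes made in the target app instead of Okta (the misalignment the note warns about)."""
    return {
        "only_in_target": target_members - okta_members,    # added directly in the app
        "missing_in_target": okta_members - target_members,  # expected by Okta, absent downstream
    }


def push_now(okta_members, target_members, additive=False):
    """Simulate Push Now. Default: full overwrite, Okta is master.
    additive=True models the Active Directory exception: new members are added, nothing is removed."""
    return target_members | okta_members if additive else set(okta_members)


# Constructed sample data
GROUP = [
    OktaUser("alice", True, frozenset({APP})),
    OktaUser("bob", False, frozenset({APP})),  # inactive in Okta
    OktaUser("carol", True, frozenset()),       # never assigned to the app
    OktaUser("dave", True, frozenset({APP})),
]
TARGET_NOW = {"alice", "erin"}  # erin was added in the app, bypassing Okta


def run():
    pushed, skipped = pushable_members(GROUP, APP)
    drift = membership_drift(pushed, TARGET_NOW)
    return pushed, skipped, drift, push_now(pushed, TARGET_NOW), push_now(pushed, TARGET_NOW, additive=True)


if __name__ == "__main__":
    for item in run():
        print(item)
```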