Using Group Push
Group push enables you to take existing Okta groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. and their memberships, and push them to provisioning-enabled, third-party applications. These memberships are then mastered by Okta.
Note: Pushed groups are managed from Okta. Making changes from the target appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. causes a misalignment with Okta and creates problems.
- You must have provisioning enabled in the target app. If it is not enabled, you will be prompted to do so.
Any group members that you wish to push to the target app MUST be previously provisioned and assigned to the target app. As an Okta-mastered group, changes should never be made from the target app.
Note: This process is always Okta-mastered, therefore you cannot push a group name that already exists within the target app unless the app supports Enhanced Group Push. For example, G Suite, Box, Jive, and Active Directory allow you to link their existing groups to Okta. See Enhanced Group Push for details.
- API access must be enabled in the target app.
- Confirm that the relevant group members are already imported into Okta and provisioned for the target app.
Note: Users who show as inactive in Okta are not pushed to the downstream app. Inactive users must be reactivated and then the group repushed. If the inactive user is part of more than one group, they must be repushed to all groups in which they are members.
Configure group push
Using Office 365 as our example,
- Access your Okta instance of O365.
- Within the app, choose the Push Groups tab.
Click the green Push Groups button to add one or more groups. Groups can be added by name or by rule. Keep in mind that, unless the app is listed under Enhanced Group Push, you cannot push groups or group names that already exist in the target app.
If you keep the Push group memberships immediately setting checked (default), the selected membership is immediately pushed to the target app.
- Find groups by name provides a simple search field with auto complete capability.
- Find groups by rule is a helpful option when there are a large number of groups or a known naming convention for them. The wizard allows you to create a rule and specify its search criteria. Once created, the rule name is shown under the By rule filter and the found groups are listed under the Group in Okta column.
- Once populated with selected groups, use the BulkEdit button to delete or deactivate the active groups. Simply select one or all of the groups from the list.
You can also delete and deactivate specific groups by clicking the Active / Inactive status button.
- Deactivate group push: pauses the synchronization of groups, retaining their appearance in the app (e.g., Box). In this mode, you're able to keep adding new members to the group, but those changes won't appear in the target app.
Unlink pushed group: permanently removes the group from Okta and the app (e.g., Box). A message appears with two options for deleting groups:
- Delete the group in the target app — this option deletes the group and all its associated memberships.
- Leave the group in the target app — this option tells Okta to stop pushing memberships, but the group remains in the target app.
Push Now serves to "force" a push in the rare occurrence when the state of Okta and the target app are no longer in sync. This action performs a full overwrite of the overall membership and makes Okta the master for the group. The exception to this is Active Directory, which only pushes the newest members to the group, and does not overwrite overall membership.
The Information button (alongside the Active / Inactive status button) displays creation information and group type. When an error occurs, it provides helpful troubleshooting information. See Troubleshooting group push details.