App assignments and Group Push
Groups allow admins to define a set of users that have shared requirements. For example, an admin can create a group that contains the members of the marketing department and assign the apps required by marketing to the group.
- App assignments are used to create users in downstream apps. Assigning groups to an application adds the users in that group to the application.
- Group Push is used to create groups and manage group memberships in downstream apps.
To assign an app to a group and manage group memberships within that app, you need to create two groups. Create one group that's dedicated to assigning users to apps, and a push group used to manage group membership in the downstream application from Okta.
Okta doesn't support using the same group for app assignment and Group Push. If your org doesn't have separate groups for app assignment and Group Push, see Troubleshoot app assignment and group membership.
Assign an app to a group and push a group
Create two groups when you want to assign users to a downstream app that supports Group Push. Use one group for app assignment and another as a push group to manage group membership in the downstream app.
For example, you might want to assign all the members of the accounting department (one of whom is Taylor Smith) to an app. The following steps describe creating groups to assign users to an app and manage group membership in that app.
- Create a group in Okta for app assignment purposes (for example, Accounting).
- Assign users to the group.
- Assign the app integration to the group. This creates an account in the downstream app for each member of the group. For example, assigning the integration to Accounting creates an account in the downstream app for each member of the group.
- Create a push group in Okta to manage group membership in the downstream app (for example, AppPushGroup).
- Assign users to the push group (for example, assign each member of Accounting to AppPushGroup).
- Go to the Push Groups tab for the app. Find the push group and push it to the app.
- A group is created in the downstream app that includes the users assigned to the membership maintenance group in Okta. For example, AppPushGroup, which includes Taylor Smith.
Unassign a user from an app
To unassign a user who's a member of groups in the downstream app, you must remove the user from the downstream groups before you unassign them from the app. Failing to do so can result in the user remaining a member of the downstream groups.
The following steps describe how to unassign a user from an app to ensure that they're removed from the downstream app:
- Remove the user from the membership maintenance group in Okta (for example, remove Taylor Smith from AppPushGroup).
- The user is removed from the membership maintenance group in the downstream app.
- Remove the user from the assignment group in Okta. This removes the user from the downstream app. For example, removing Taylor Smith from Accounting also removes them from the downstream app.
- Deactivate the user in Okta.
If you unassign a user from an app before you remove them from the membership maintenance group, that user remains a member of the maintenance group in the downstream app.
For example, suppose you remove Taylor Smith from Accounting and deactivate their Okta account. This removes them from the downstream app, but an entry for them remains in AppPushGroup in the downstream app. There's no longer a link between Okta and the Taylor Smith entry in the downstream app.
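The stale membership described above can be found by comparing group membership exports from Okta and from the downstream app. The following is an added example, not Okta code or an Okta API: the function name, the dict shapes, and the usernames are assumptions, and it assumes a deactivated user no longer appears in the Okta group export.

```python
# Added example, not Okta code. Inputs are constructed exports of group
# membership; the dict shapes and usernames are assumptions for illustration.

def audit_group_push(okta_groups, assignment_groups, push_groups, downstream_groups):
    """Return sorted (finding, group, user) tuples for one app integration.

    okta_groups:       {group name: set of usernames in that Okta group}
    assignment_groups: names of groups the app integration is assigned to
    push_groups:       names of groups pushed to the downstream app
    downstream_groups: {group name: set of usernames in the downstream group}
    """
    findings = []

    # The page states that one group must not serve both purposes.
    for group in set(assignment_groups) & set(push_groups):
        findings.append(("shared_assignment_and_push_group", group, ""))

    # Everyone who currently holds the app through an assignment group.
    assigned = set()
    for group in assignment_groups:
        assigned |= okta_groups.get(group, set())

    for group in push_groups:
        okta_members = okta_groups.get(group, set())
        # Still in the Okta push group but no longer assigned the app:
        # the removal steps were started in the wrong order.
        for user in okta_members - assigned:
            findings.append(("push_member_without_assignment", group, user))
        # Present downstream but gone from the Okta push group: the stale
        # entry left behind when the user was unassigned first.
        for user in downstream_groups.get(group, set()) - okta_members:
            findings.append(("orphaned_downstream_member", group, user))

    return sorted(findings)


# Constructed sample: Taylor Smith was removed from Accounting and deactivated
# without first being removed from AppPushGroup.
SAMPLE_OKTA = {"Accounting": {"alex.lee"}, "AppPushGroup": {"alex.lee"}}
SAMPLE_DOWNSTREAM = {"AppPushGroup": {"alex.lee", "taylor.smith"}}

if __name__ == "__main__":
    for finding in audit_group_push(SAMPLE_OKTA, ["Accounting"], ["AppPushGroup"], SAMPLE_DOWNSTREAM):
        print(finding)
```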