Todd Johnson

Does Okta API support a GET for Additional Active Directory Attributes for User objects

I am using Okta API to GET attributes from user objects.  It looks like only the standard Okta profile attributes are available to GET.  Is there a way to pull the Additional Active Directory attributes? I would like to GET distinguishedName

Thanks!
api-workday
Hey Todd, it sure does.

To retrieve it you'll need to extend the exposed schema to include distinguishedName (dn) within UD.

Once it is included you can either map the value into the base Okta user and retrieve it there or you can directly grab the AD 'application' user profile to see it.

I have the latter, so I get the DN from
 
GET https://yourOrg.okta.com/api/v1/apps/{AD AppID}/users/{My UID}

{
    "id":  "My UID",
    "externalId":  "myGuid",
    "created":  "2012-08-13T19:41:15.000Z",
    "lastUpdated":  "2016-01-06T23:32:29.000Z",
    "scope":  "USER",
    "status":  "PROVISIONED",
    "statusChanged":  "2012-08-31T16:20:10.000Z",
    "passwordChanged":  null,
    "syncState":  "SYNCHRONIZED",
    "lastSync":  "2016-01-29T06:31:29.000Z",
    "credentials":  {
                        "userName":  "me@my.tld"
                    },
    "profile":  {
                    ...lots of attributes,
                    "dn":  "CN=Matt Egan,OU=some,OU=place,DC=my,DC=tld",
                    ...lots of attributes
                },
    "_links":  {
                   "app":  {
                               "href":  "https://yourOrg.okta.com/api/v1/apps/{AD AppID}"
                           },
                   "user":  {
                                "href":  "https://yourOrg.okta.com/api/v1/users/{My UID}"
                            }
               }
}


Hope that helps,
-Matt
 
Todd Johnson
Does UD = Universal Directory? I don't believe we're licensed for this, is this a requirement?

Thanks Matt.
api-workday
Hi Todd,

Yes, UD = Universal Directory.

As far as it being a requirement to expose this attribute with having a UD-enabled org? I'm not 100% sure. It wasn't something I could do prior to having the Universal Directory capabilities, so it seems safe to assume it is a requirement. I'll defer to someone from Okta to answer definitively.

The actual steps required to add the attribute are as follows:

Directory -> Profile Editor
Directories -> 'yourdomain.tld' User
Add Attribute:
 Select desired attribute(s) from AD Schema
 Save

-Matt
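
The request and the schema step described in the two answers above, as an added Python example that is not part of the original thread or Okta's own code. It assumes an Okta API token sent in the `Authorization: SSWS` header; the function names, the IDs and the sample response are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request


def build_app_user_request(org_url, app_id, user_id, api_token):
    """Build (without sending) the GET for a user's AD application profile."""
    if not org_url.lower().startswith("https://"):
        raise ValueError("refusing to attach an API token to a non-HTTPS URL")
    # Percent-encode the IDs so a stray '/' or '?' cannot change the API path.
    path = "/api/v1/apps/%s/users/%s" % (
        urllib.parse.quote(app_id, safe=""),
        urllib.parse.quote(user_id, safe=""),
    )
    return urllib.request.Request(
        org_url.rstrip("/") + path,
        method="GET",
        headers={"Accept": "application/json",
                 "Authorization": "SSWS " + api_token},
    )


def extract_attribute(app_user, name="dn"):
    """Return one attribute from the app user profile, or raise if it is absent."""
    value = (app_user.get("profile") or {}).get(name)
    if value is None:
        raise LookupError(
            "%r is not in the AD app user profile; add it from the AD schema "
            "in the Profile Editor first" % name)
    return value


def fetch_attribute(org_url, app_id, user_id, api_token, name="dn"):
    """Send the request (needs network access and a real token)."""
    req = build_app_user_request(org_url, app_id, user_id, api_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_attribute(json.load(resp), name)


# Constructed sample response, trimmed from the shape shown in the answer above.
SAMPLE_APP_USER = {
    "id": "00uEXAMPLE",
    "status": "PROVISIONED",
    "syncState": "SYNCHRONIZED",
    "profile": {"dn": "CN=Matt Egan,OU=some,OU=place,DC=my,DC=tld"},
}

if __name__ == "__main__":
    print(extract_attribute(SAMPLE_APP_USER))
```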
Alain O'Dea
Thank you Matt :)

For me, a legacy Java SDK (https://github.com/okta/okta-sdk-java/tree/legacy) user, I was able to use the AppUserApiClient to get the AD Attributes. I needed the Directory app ID (I got it from the URL in the Okta Admin console) and the user ID to get the extended AD Attributes.

I'm not sure how to do this with the refactored Java SDK. It seems to have lost a ton of functionality.